Analysis
- Max time kernel: 103s
- Max time network: 111s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 17-11-2020 12:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: 76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
- Resource: win7v20201028
General
- Target: 76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
- Size: 1.3MB
- MD5: d0a8fa8d74bc403f7e4976d91ccbbdf3
- SHA1: 6353c559f5947a57920734969e74a9aac1a23f2a
- SHA256: bf4927e55c13d1cf1edf574220abbcbca4a2a24beba54cffab22d36a1f738da1
- SHA512: fe5415c3eec7e2e6bb40c9939107da8d9a26534714ca1b20a5b4dae2eae91bf705f99272113ab29764b28c4ea59c42ec0e56d35ae42b570c6b9f241277d27b10
Malware Config
Signatures
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    3416  76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe  (listed 5 times)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                                 process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3416  76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid  process                               target process
    PID 984 wrote to memory of 3416  984  76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe  76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe  (listed 3 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe" -burn.unelevated BurnPipe.{CFCFCA97-1E1B-4709-BAAC-80CCC7ED9EA9} {F6776191-1632-48F2-96B8-4B265D5BB78B} 984
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\{9a6d46bb-e8c8-4cfe-aef1-17f2da94285b}\.ba1\BootstrapperCore.dll
  MD5: 84959b8eeeb3d5343004baf4fb823aab
  SHA1: 3fad40cfa1ad0d9d757498feec32589ba6eab857
  SHA256: 500c1d374cff855cf85dc54b795384d73b9067e000c6cf91f503179de738b0c8
  SHA512: ae83b0bed5f573cd44660dcec73895731388891ff4d2b4c97ac52c5849126c3a30c2b70251b2a62e539d8e3c5bfdbf141fb14025054987133e6f7ccfa052e8b3
- \Users\Admin\AppData\Local\Temp\{9a6d46bb-e8c8-4cfe-aef1-17f2da94285b}\.ba1\SetupBootstrapper.dll
  MD5: b713c59266dc34e0195c34c1ab25fdf4
  SHA1: adae766aaaf8545eab26b555fdcdb39968756ea7
  SHA256: 231165726bd490fc28efd3677e799c3aca7b722b633b10829a7bfebec63054b7
  SHA512: 2a02ee6d925b6c0fda2ae6ad25bd29495d8905e2a663464da52d0d70763355d18443590fae2c949b6163bd26438e907a6b364f973d5b4f378f8dcac8c573824e
- \Users\Admin\AppData\Local\Temp\{9a6d46bb-e8c8-4cfe-aef1-17f2da94285b}\.ba1\mbahost.dll
  MD5: ea670db933aaa80f8a45da04ae1c835d
  SHA1: 827fd0f928c3f3ee82593bf6b68e2ea94faa7809
  SHA256: d8301bc68b017f3f23cbbf6b31daf170dea4d5fa4bef6f92cacb900b95e2a1a7
  SHA512: 2b97c629e5150d42bccd233d6078174de99caad49bc304aafcb2eed2b2f84b830ca3d4345aff416e0a0739e212594086d19b1a20fdc25d35a6a1e65a82000379
- memory/3416-9-0x0000000006280000-0x0000000006281000-memory.dmp (Filesize: 4KB)
- memory/3416-0-0x0000000000000000-mapping.dmp
- memory/3416-5-0x0000000005E50000-0x0000000005E51000-memory.dmp (Filesize: 4KB)
- memory/3416-2-0x00000000723B0000-0x0000000072A9E000-memory.dmp (Filesize: 6.9MB)
- memory/3416-10-0x00000000068E0000-0x00000000068E1000-memory.dmp (Filesize: 4KB)
- memory/3416-11-0x0000000007610000-0x0000000007611000-memory.dmp (Filesize: 4KB)
- memory/3416-12-0x00000000076F0000-0x00000000076F1000-memory.dmp (Filesize: 4KB)
- memory/3416-13-0x00000000075C0000-0x00000000075C1000-memory.dmp (Filesize: 4KB)
- memory/3416-14-0x0000000008F10000-0x0000000008F11000-memory.dmp (Filesize: 4KB)