02d0008536e64f889feea39fe3097574ad443ca27cf5314a11feb42059ca3b8a

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bf5762fcefef0fde8ad24028d3c4c3c.exe
Size

11.3MB
MD5

b8627712608289241fbe66b7aa044b79
SHA1

dd1ce2be81f75c51aa989d99932114ee7dd8b0a1
SHA256

02d0008536e64f889feea39fe3097574ad443ca27cf5314a11feb42059ca3b8a
SHA512

efa150c2dd14034c803c352dff265cd0106393bce55bf5f321d519f1f7ed3b3d9299e713590f174d9b715261af593ff753e7f5b1f61f29299eff1b5425a2d931

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

6bf5762fcefef0fde8ad24028d3c4c3c.tmpwmfdist.exeSVideoBurner.exe

pid process

1100 6bf5762fcefef0fde8ad24028d3c4c3c.tmp
2008 wmfdist.exe
1572 SVideoBurner.exe

pid	process
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
2008	wmfdist.exe
1572	SVideoBurner.exe

Loads dropped DLL 7 IoCs

Processes:

6bf5762fcefef0fde8ad24028d3c4c3c.exe6bf5762fcefef0fde8ad24028d3c4c3c.tmpSVideoBurner.exe

pid	process
1876	6bf5762fcefef0fde8ad24028d3c4c3c.exe
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1572	SVideoBurner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

Processes:

6bf5762fcefef0fde8ad24028d3c4c3c.tmp

description	ioc	process
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-VRGD5.tmp	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-7AKVP.tmp	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-EORT4.tmp	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File opened for modification	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\unins000.dat	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-ENFQ3.tmp	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-IKMH2.tmp	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File opened for modification	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File opened for modification	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File opened for modification	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\unins000.dat	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-KN1BH.tmp	6bf5762fcefef0fde8ad24028d3c4c3c.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

6bf5762fcefef0fde8ad24028d3c4c3c.tmpSVideoBurner.exe

pid process

1100 6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1100 6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1572 SVideoBurner.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6bf5762fcefef0fde8ad24028d3c4c3c.tmp

pid process

1100 6bf5762fcefef0fde8ad24028d3c4c3c.tmp

pid	process
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
1572	SVideoBurner.exe

pid	process
1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6bf5762fcefef0fde8ad24028d3c4c3c.exe6bf5762fcefef0fde8ad24028d3c4c3c.tmp

description	pid	process	target process
PID 1876 wrote to memory of 1100	1876	6bf5762fcefef0fde8ad24028d3c4c3c.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
PID 1876 wrote to memory of 1100	1876	6bf5762fcefef0fde8ad24028d3c4c3c.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
PID 1876 wrote to memory of 1100	1876	6bf5762fcefef0fde8ad24028d3c4c3c.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
PID 1876 wrote to memory of 1100	1876	6bf5762fcefef0fde8ad24028d3c4c3c.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
PID 1876 wrote to memory of 1100	1876	6bf5762fcefef0fde8ad24028d3c4c3c.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
PID 1876 wrote to memory of 1100	1876	6bf5762fcefef0fde8ad24028d3c4c3c.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
PID 1876 wrote to memory of 1100	1876	6bf5762fcefef0fde8ad24028d3c4c3c.exe	6bf5762fcefef0fde8ad24028d3c4c3c.tmp
PID 1100 wrote to memory of 2008	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	wmfdist.exe
PID 1100 wrote to memory of 2008	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	wmfdist.exe
PID 1100 wrote to memory of 2008	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	wmfdist.exe
PID 1100 wrote to memory of 2008	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	wmfdist.exe
PID 1100 wrote to memory of 2008	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	wmfdist.exe
PID 1100 wrote to memory of 2008	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	wmfdist.exe
PID 1100 wrote to memory of 2008	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	wmfdist.exe
PID 1100 wrote to memory of 1572	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	SVideoBurner.exe
PID 1100 wrote to memory of 1572	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	SVideoBurner.exe
PID 1100 wrote to memory of 1572	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	SVideoBurner.exe
PID 1100 wrote to memory of 1572	1100	6bf5762fcefef0fde8ad24028d3c4c3c.tmp	SVideoBurner.exe

C:\Users\Admin\AppData\Local\Temp\6bf5762fcefef0fde8ad24028d3c4c3c.exe
"C:\Users\Admin\AppData\Local\Temp\6bf5762fcefef0fde8ad24028d3c4c3c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\is-9QBE8.tmp\6bf5762fcefef0fde8ad24028d3c4c3c.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9QBE8.tmp\6bf5762fcefef0fde8ad24028d3c4c3c.tmp" /SL5="$30152,11163886,1063936,C:\Users\Admin\AppData\Local\Temp\6bf5762fcefef0fde8ad24028d3c4c3c.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
"C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe" /Q:A /R:N
3⤵
- Executes dropped EXE
PID:2008

C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
"C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe" 6bf5762fcefef0fde8ad24028d3c4c3c.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
MD5
380c2541c28ed9ebbe02ef1de6ba89ec

SHA1
7a71555e6e46b1f15d19c2f95c215d2e79457a0a

SHA256
240b336311b521adf0087298187521f7221d7fbb879bb42670620ccdfc977ac4

SHA512
6550d6be1dd513ccb3010bc7d67ec7599cddc9f3764137161c8bc3f5ee19d3b60e7eda37170eaef5f39166fd03f03a43163156d65eb9776ac721fed0389049eb

Download Submit
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9QBE8.tmp\6bf5762fcefef0fde8ad24028d3c4c3c.tmp
MD5
d6b0aed2e5177bdc167c88c1218610c5

SHA1
58e721a364f61a6d414153369a413f4754c87f5a

SHA256
8dc6052267c0bbef0d2d6134326f2f31f4da13314111e817dd32e0db782e5068

SHA512
f038ad6ee535c417e9327e564febdeeab41a980c70b963960b08af8196afaf2d553c77a4093e4f9a5c9803ec29888aa827f9487ba8aff37d90de9fc271d75b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9QBE8.tmp\6bf5762fcefef0fde8ad24028d3c4c3c.tmp
MD5
d6b0aed2e5177bdc167c88c1218610c5

SHA1
58e721a364f61a6d414153369a413f4754c87f5a

SHA256
8dc6052267c0bbef0d2d6134326f2f31f4da13314111e817dd32e0db782e5068

SHA512
f038ad6ee535c417e9327e564febdeeab41a980c70b963960b08af8196afaf2d553c77a4093e4f9a5c9803ec29888aa827f9487ba8aff37d90de9fc271d75b1e

Download Submit
\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
MD5
380c2541c28ed9ebbe02ef1de6ba89ec

SHA1
7a71555e6e46b1f15d19c2f95c215d2e79457a0a

SHA256
240b336311b521adf0087298187521f7221d7fbb879bb42670620ccdfc977ac4

SHA512
6550d6be1dd513ccb3010bc7d67ec7599cddc9f3764137161c8bc3f5ee19d3b60e7eda37170eaef5f39166fd03f03a43163156d65eb9776ac721fed0389049eb

Download Submit
\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
MD5
380c2541c28ed9ebbe02ef1de6ba89ec

SHA1
7a71555e6e46b1f15d19c2f95c215d2e79457a0a

SHA256
240b336311b521adf0087298187521f7221d7fbb879bb42670620ccdfc977ac4

SHA512
6550d6be1dd513ccb3010bc7d67ec7599cddc9f3764137161c8bc3f5ee19d3b60e7eda37170eaef5f39166fd03f03a43163156d65eb9776ac721fed0389049eb

Download Submit
\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
\Users\Admin\AppData\Local\Temp\is-9QBE8.tmp\6bf5762fcefef0fde8ad24028d3c4c3c.tmp
MD5
d6b0aed2e5177bdc167c88c1218610c5

SHA1
58e721a364f61a6d414153369a413f4754c87f5a

SHA256
8dc6052267c0bbef0d2d6134326f2f31f4da13314111e817dd32e0db782e5068

SHA512
f038ad6ee535c417e9327e564febdeeab41a980c70b963960b08af8196afaf2d553c77a4093e4f9a5c9803ec29888aa827f9487ba8aff37d90de9fc271d75b1e

Download Submit
\Users\Admin\AppData\Local\Temp\is-FBJJ9.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-FBJJ9.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
memory/1100-1-0x0000000000000000-mapping.dmp

Download
memory/1572-12-0x0000000000000000-mapping.dmp

Download
memory/1572-17-0x0000000005110000-0x0000000005121000-memory.dmp

Filesize
68KB

Download
memory/1572-16-0x0000000004D00000-0x0000000004D11000-memory.dmp

Filesize
68KB

Download
memory/2008-8-0x0000000000000000-mapping.dmp

Download