966fc4bb79e63ab27222a3a13a7617415b4cd4642df4b15c5a19095a2775f3d6

Analysis

max time kernel
55s
max time network
55s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bea4f035cf4c326ee29d659c87d6c05.exe
Size

11.1MB
MD5

970751ae473a2ed45e6f0571a1d8541d
SHA1

641e74d7430e2854c0e3cb1bec69a003da8f7079
SHA256

966fc4bb79e63ab27222a3a13a7617415b4cd4642df4b15c5a19095a2775f3d6
SHA512

d8d01167de369757128b3b31299d6b0801994f2390829d8494ea48fdc58ea76c83c99ef29eb5082a9446af4db49c11a35e933eb05ebfa444f28608368b16a0a8

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

8bea4f035cf4c326ee29d659c87d6c05.tmpwmfdist.exeSVideoBurner.exe

pid process

1936 8bea4f035cf4c326ee29d659c87d6c05.tmp
1172 wmfdist.exe
1676 SVideoBurner.exe

pid	process
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp
1172	wmfdist.exe
1676	SVideoBurner.exe

Loads dropped DLL 7 IoCs

Processes:

8bea4f035cf4c326ee29d659c87d6c05.exe8bea4f035cf4c326ee29d659c87d6c05.tmpSVideoBurner.exe

pid	process
1764	8bea4f035cf4c326ee29d659c87d6c05.exe
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp
1676	SVideoBurner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

Processes:

8bea4f035cf4c326ee29d659c87d6c05.tmp

description	ioc	process
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-EO2GJ.tmp	8bea4f035cf4c326ee29d659c87d6c05.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-J56E6.tmp	8bea4f035cf4c326ee29d659c87d6c05.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-OTDNA.tmp	8bea4f035cf4c326ee29d659c87d6c05.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-14SF6.tmp	8bea4f035cf4c326ee29d659c87d6c05.tmp
File opened for modification	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
File opened for modification	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\unins000.dat	8bea4f035cf4c326ee29d659c87d6c05.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-3AB54.tmp	8bea4f035cf4c326ee29d659c87d6c05.tmp
File opened for modification	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll	8bea4f035cf4c326ee29d659c87d6c05.tmp
File created	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-QMM49.tmp	8bea4f035cf4c326ee29d659c87d6c05.tmp
File opened for modification	C:\Program Files (x86)\S-Mobile Uploader\BurnerService\unins000.dat	8bea4f035cf4c326ee29d659c87d6c05.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

8bea4f035cf4c326ee29d659c87d6c05.tmpSVideoBurner.exe

pid process

1936 8bea4f035cf4c326ee29d659c87d6c05.tmp
1936 8bea4f035cf4c326ee29d659c87d6c05.tmp
1676 SVideoBurner.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8bea4f035cf4c326ee29d659c87d6c05.tmp

pid process

1936 8bea4f035cf4c326ee29d659c87d6c05.tmp

pid	process
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp
1676	SVideoBurner.exe

pid	process
1936	8bea4f035cf4c326ee29d659c87d6c05.tmp

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8bea4f035cf4c326ee29d659c87d6c05.exe8bea4f035cf4c326ee29d659c87d6c05.tmp

description	pid	process	target process
PID 1764 wrote to memory of 1936	1764	8bea4f035cf4c326ee29d659c87d6c05.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
PID 1764 wrote to memory of 1936	1764	8bea4f035cf4c326ee29d659c87d6c05.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
PID 1764 wrote to memory of 1936	1764	8bea4f035cf4c326ee29d659c87d6c05.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
PID 1764 wrote to memory of 1936	1764	8bea4f035cf4c326ee29d659c87d6c05.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
PID 1764 wrote to memory of 1936	1764	8bea4f035cf4c326ee29d659c87d6c05.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
PID 1764 wrote to memory of 1936	1764	8bea4f035cf4c326ee29d659c87d6c05.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
PID 1764 wrote to memory of 1936	1764	8bea4f035cf4c326ee29d659c87d6c05.exe	8bea4f035cf4c326ee29d659c87d6c05.tmp
PID 1936 wrote to memory of 1172	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	wmfdist.exe
PID 1936 wrote to memory of 1172	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	wmfdist.exe
PID 1936 wrote to memory of 1172	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	wmfdist.exe
PID 1936 wrote to memory of 1172	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	wmfdist.exe
PID 1936 wrote to memory of 1172	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	wmfdist.exe
PID 1936 wrote to memory of 1172	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	wmfdist.exe
PID 1936 wrote to memory of 1172	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	wmfdist.exe
PID 1936 wrote to memory of 1676	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	SVideoBurner.exe
PID 1936 wrote to memory of 1676	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	SVideoBurner.exe
PID 1936 wrote to memory of 1676	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	SVideoBurner.exe
PID 1936 wrote to memory of 1676	1936	8bea4f035cf4c326ee29d659c87d6c05.tmp	SVideoBurner.exe

C:\Users\Admin\AppData\Local\Temp\8bea4f035cf4c326ee29d659c87d6c05.exe
"C:\Users\Admin\AppData\Local\Temp\8bea4f035cf4c326ee29d659c87d6c05.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\is-JTEQT.tmp\8bea4f035cf4c326ee29d659c87d6c05.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JTEQT.tmp\8bea4f035cf4c326ee29d659c87d6c05.tmp" /SL5="$3015A,10872031,790016,C:\Users\Admin\AppData\Local\Temp\8bea4f035cf4c326ee29d659c87d6c05.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
"C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe" /Q:A /R:N
3⤵
- Executes dropped EXE
PID:1172

C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
"C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe" 8bea4f035cf4c326ee29d659c87d6c05.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
MD5
03c2c38967b4f5acb30522cd2e3eac18

SHA1
749ebaf3ece54fc91dd1cee7a53ca7c698edb052

SHA256
0f2336b53c50faf8eb823ada2a5ae3e9c2dc86f3c9d0fa92761f4c0c41f964f5

SHA512
fb3e9418d72bd92f156883dcab5e228d8d1a762a89f76822a1d901a16f048e7eed15691c5fc262c8e1be879cecebc8d33232c3dbc1179e0716497d44ee3c822f

Download Submit
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTEQT.tmp\8bea4f035cf4c326ee29d659c87d6c05.tmp
MD5
bd5ba940935c395768d98cc2911a321c

SHA1
0ba748ce837d78527d920a5dac66c7600f97af71

SHA256
9acfdb224158ea8f006c5e7a249ee97e27da848ad45e11d425947183fa86131b

SHA512
17c96dda1f64beda671357831ff6d4f5354b66fb484943c0929ecec9f752de404a973f1e598dbc2739567f808283bd8189552ff597fc45d7df71c28e18e10c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTEQT.tmp\8bea4f035cf4c326ee29d659c87d6c05.tmp
MD5
bd5ba940935c395768d98cc2911a321c

SHA1
0ba748ce837d78527d920a5dac66c7600f97af71

SHA256
9acfdb224158ea8f006c5e7a249ee97e27da848ad45e11d425947183fa86131b

SHA512
17c96dda1f64beda671357831ff6d4f5354b66fb484943c0929ecec9f752de404a973f1e598dbc2739567f808283bd8189552ff597fc45d7df71c28e18e10c9b

Download Submit
\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
MD5
03c2c38967b4f5acb30522cd2e3eac18

SHA1
749ebaf3ece54fc91dd1cee7a53ca7c698edb052

SHA256
0f2336b53c50faf8eb823ada2a5ae3e9c2dc86f3c9d0fa92761f4c0c41f964f5

SHA512
fb3e9418d72bd92f156883dcab5e228d8d1a762a89f76822a1d901a16f048e7eed15691c5fc262c8e1be879cecebc8d33232c3dbc1179e0716497d44ee3c822f

Download Submit
\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
MD5
03c2c38967b4f5acb30522cd2e3eac18

SHA1
749ebaf3ece54fc91dd1cee7a53ca7c698edb052

SHA256
0f2336b53c50faf8eb823ada2a5ae3e9c2dc86f3c9d0fa92761f4c0c41f964f5

SHA512
fb3e9418d72bd92f156883dcab5e228d8d1a762a89f76822a1d901a16f048e7eed15691c5fc262c8e1be879cecebc8d33232c3dbc1179e0716497d44ee3c822f

Download Submit
\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
\Users\Admin\AppData\Local\Temp\is-JTEQT.tmp\8bea4f035cf4c326ee29d659c87d6c05.tmp
MD5
bd5ba940935c395768d98cc2911a321c

SHA1
0ba748ce837d78527d920a5dac66c7600f97af71

SHA256
9acfdb224158ea8f006c5e7a249ee97e27da848ad45e11d425947183fa86131b

SHA512
17c96dda1f64beda671357831ff6d4f5354b66fb484943c0929ecec9f752de404a973f1e598dbc2739567f808283bd8189552ff597fc45d7df71c28e18e10c9b

Download Submit
\Users\Admin\AppData\Local\Temp\is-TR96V.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-TR96V.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
memory/1172-8-0x0000000000000000-mapping.dmp

Download
memory/1676-12-0x0000000000000000-mapping.dmp

Download
memory/1676-16-0x0000000004B90000-0x0000000004BA1000-memory.dmp

Filesize
68KB

Download
memory/1676-17-0x0000000004FA0000-0x0000000004FB1000-memory.dmp

Filesize
68KB

Download
memory/1936-1-0x0000000000000000-mapping.dmp

Download