b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

General

Target

0x00050000000130d8-77.exe
Size

519KB
MD5

6103ca066cd5345ec41feaf1a0fdadaf
SHA1

938acc555933ee4887629048be4b11df76bb8de8
SHA256

b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512

a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3
SSDEEP

12288:GQi3o0Cm+A2YJ2c4eIIiH/YKXV0e6O6KnqgFhUExj/MQhMyqnAR6/y:GQi40sAy/Ll0yDqOhJRM+Mi8K

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1292	0x00050000000130d8-77.tmp
4700	UltraMediaBurner.exe
1136	UltraMediaBurner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraMediaBurner\is-80PNC.tmp	0x00050000000130d8-77.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	0x00050000000130d8-77.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	0x00050000000130d8-77.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	0x00050000000130d8-77.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-IIF0E.tmp	0x00050000000130d8-77.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1292	0x00050000000130d8-77.tmp
1292	0x00050000000130d8-77.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1292	0x00050000000130d8-77.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1292	1220	0x00050000000130d8-77.exe	80
PID 1220 wrote to memory of 1292	1220	0x00050000000130d8-77.exe	80
PID 1220 wrote to memory of 1292	1220	0x00050000000130d8-77.exe	80
PID 1292 wrote to memory of 4700	1292	0x00050000000130d8-77.tmp	82
PID 1292 wrote to memory of 4700	1292	0x00050000000130d8-77.tmp	82
PID 1292 wrote to memory of 1136	1292	0x00050000000130d8-77.tmp	84
PID 1292 wrote to memory of 1136	1292	0x00050000000130d8-77.tmp	84

C:\Users\Admin\AppData\Local\Temp\0x00050000000130d8-77.exe
"C:\Users\Admin\AppData\Local\Temp\0x00050000000130d8-77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\is-GGM93.tmp\0x00050000000130d8-77.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GGM93.tmp\0x00050000000130d8-77.tmp" /SL5="$4022C,281924,62464,C:\Users\Admin\AppData\Local\Temp\0x00050000000130d8-77.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
    "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
    3⤵
    - Executes dropped EXE
    PID:4700
- - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
    "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"
    3⤵
    - Executes dropped EXE
    PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

Filesize
370KB

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\UltraMediaBurner.exe.log

Filesize
491B

MD5
b637e9d3c0b04396ba66bae263a62931

SHA1
a08f6f55c7f46e8f2eedc54895a79e2433f1a52a

SHA256
1fdc81198fa4bef0b1dca2809192db31a2960693129bd2e2cd4b14e39414ecc6

SHA512
00699da7498e02e680f7dbbc71bd1bc77666248c06ffa16d704679711ea572e1e73d2ce28471235e5806b2fe621dfbe53637171b00beb62006d0722b26b0b183

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GGM93.tmp\0x00050000000130d8-77.tmp

Filesize
700KB

MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
memory/1136-51-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/1136-46-0x00007FFD46520000-0x00007FFD46EC1000-memory.dmp

Filesize
9.6MB

Download
memory/1136-53-0x00007FFD46520000-0x00007FFD46EC1000-memory.dmp

Filesize
9.6MB

Download
memory/1136-52-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/1136-45-0x0000000001720000-0x0000000001730000-memory.dmp

Filesize
64KB

Download
memory/1136-44-0x00007FFD46520000-0x00007FFD46EC1000-memory.dmp

Filesize
9.6MB

Download
memory/1220-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1220-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1220-50-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1220-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1292-49-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1292-33-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1292-41-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1292-6-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1292-37-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4700-28-0x000000001C710000-0x000000001C7AC000-memory.dmp

Filesize
624KB

Download
memory/4700-40-0x00007FFD46520000-0x00007FFD46EC1000-memory.dmp

Filesize
9.6MB

Download
memory/4700-36-0x000000001C990000-0x000000001C9A9000-memory.dmp

Filesize
100KB

Download
memory/4700-35-0x0000000001890000-0x00000000018A0000-memory.dmp

Filesize
64KB

Download
memory/4700-34-0x0000000001890000-0x00000000018A0000-memory.dmp

Filesize
64KB

Download
memory/4700-31-0x0000000001740000-0x0000000001748000-memory.dmp

Filesize
32KB

Download
memory/4700-30-0x00007FFD46520000-0x00007FFD46EC1000-memory.dmp

Filesize
9.6MB

Download
memory/4700-29-0x0000000001890000-0x00000000018A0000-memory.dmp

Filesize
64KB

Download
memory/4700-27-0x00007FFD46520000-0x00007FFD46EC1000-memory.dmp

Filesize
9.6MB

Download
memory/4700-26-0x000000001C240000-0x000000001C70E000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing