e6cbb4706fb31041181fa95a2451e694b8fe14adf4875dde4a9b94a99d9fae78

General

Target

ABurnStudioSetup.exe
Size

4.3MB
MD5

8b4f435f28c34e474df3a57001115d89
SHA1

6ac32b0aa50599189aaa9576a4f708cf6be549d2
SHA256

e6cbb4706fb31041181fa95a2451e694b8fe14adf4875dde4a9b94a99d9fae78
SHA512

f995d9277656900f7950ab4aa0c87b8ad9b8fcaec39d3841d0bd6fe9a5d29576cc97876bbefeb7a5b6639b1958b4d229f07e07144c1e1271a5f54fc519cbec14
SSDEEP

98304:z5t9DI9Z/LDYDG1WheMKIMi0EQXnEsdg0hrv3nEujWlQQXp:3Rw/oaYkv15EQXEfkv3mlVZ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3816	ABurnStudioSetup.tmp
4524	ABurnStudio.exe

Loads dropped DLL 3 IoCs

pid	Process
4524	ABurnStudio.exe
4524	ABurnStudio.exe
4524	ABurnStudio.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	ABurnStudio.exe
File opened (read-only)	\??\B:	ABurnStudio.exe
File opened (read-only)	\??\D:	ABurnStudio.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Asoftis Burning Studio\unins000.dat	ABurnStudioSetup.tmp
File opened for modification	C:\Program Files (x86)\Asoftis Burning Studio\ssleay32.dll	ABurnStudioSetup.tmp
File opened for modification	C:\Program Files (x86)\Asoftis Burning Studio\FoxPlayerU32.dll	ABurnStudioSetup.tmp
File created	C:\Program Files (x86)\Asoftis Burning Studio\unins000.dat	ABurnStudioSetup.tmp
File created	C:\Program Files (x86)\Asoftis Burning Studio\is-NI873.tmp	ABurnStudioSetup.tmp
File opened for modification	C:\Program Files (x86)\Asoftis Burning Studio\libeay32.dll	ABurnStudioSetup.tmp
File opened for modification	C:\Program Files (x86)\Asoftis Burning Studio\ABurnStudio.dll	ABurnStudioSetup.tmp
File created	C:\Program Files (x86)\Asoftis Burning Studio\is-NG0MK.tmp	ABurnStudioSetup.tmp
File created	C:\Program Files (x86)\Asoftis Burning Studio\is-39GNB.tmp	ABurnStudioSetup.tmp
File created	C:\Program Files (x86)\Asoftis Burning Studio\is-9B485.tmp	ABurnStudioSetup.tmp
File opened for modification	C:\Program Files (x86)\Asoftis Burning Studio\ABurnStudio.exe	ABurnStudioSetup.tmp
File created	C:\Program Files (x86)\Asoftis Burning Studio\is-7R0P0.tmp	ABurnStudioSetup.tmp
File created	C:\Program Files (x86)\Asoftis Burning Studio\is-QEFQ1.tmp	ABurnStudioSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABurnStudioSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABurnStudioSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABurnStudio.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = e204000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ABurnStudio.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\International\CpMRU	ABurnStudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	ABurnStudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	ABurnStudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	ABurnStudio.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	ABurnStudio.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ABurnStudio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ABurnStudio.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3816	ABurnStudioSetup.tmp
3816	ABurnStudioSetup.tmp
4524	ABurnStudio.exe
4524	ABurnStudio.exe
4524	ABurnStudio.exe
4524	ABurnStudio.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3816	ABurnStudioSetup.tmp
4524	ABurnStudio.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4524	ABurnStudio.exe
4524	ABurnStudio.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3816	1596	ABurnStudioSetup.exe	81
PID 1596 wrote to memory of 3816	1596	ABurnStudioSetup.exe	81
PID 1596 wrote to memory of 3816	1596	ABurnStudioSetup.exe	81
PID 3816 wrote to memory of 4524	3816	ABurnStudioSetup.tmp	83
PID 3816 wrote to memory of 4524	3816	ABurnStudioSetup.tmp	83
PID 3816 wrote to memory of 4524	3816	ABurnStudioSetup.tmp	83

C:\Users\Admin\AppData\Local\Temp\ABurnStudioSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ABurnStudioSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\is-89CMN.tmp\ABurnStudioSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-89CMN.tmp\ABurnStudioSetup.tmp" /SL5="$30178,4232451,57856,C:\Users\Admin\AppData\Local\Temp\ABurnStudioSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Program Files (x86)\Asoftis Burning Studio\ABurnStudio.exe
    "C:\Program Files (x86)\Asoftis Burning Studio\ABurnStudio.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Asoftis Burning Studio\ABurnStudio.dll

Filesize
2.9MB

MD5
25e0bf4889612fc23561d79c942ada1c

SHA1
f9428cc4f4a9640a244875687178b43a74f4211e

SHA256
3a69e8fa1426b7cc4b837875c0bb5ca19f6b93fe49172f3e2dfa14256fd32d30

SHA512
8c4f6608b2e9930d38b8064a881b7a849b2f8f2222dfcd8915bf137a8ab4a616db56fc784c80600036dbcaa0351946171f17cd7160a8295a2310eed0efa9677d

Download Submit
C:\Program Files (x86)\Asoftis Burning Studio\ABurnStudio.exe

Filesize
7.0MB

MD5
534873114b2a12293620d5bb0abfbc77

SHA1
dd727b2fce766a5d2af3c731968c118426ab6797

SHA256
a001baec39c82c821abdd496e9a03b404124a639759e552bc4099ea4bfea4138

SHA512
108b3032999b82b9ee47f11211cf4fb31ac4c9ca8635dc1d0dc909fddcc4c797c4f6236ef6807a290f155532c0486bba3f5311ae314b104da9a1bb7c0334ddaf

Download Submit
C:\Program Files (x86)\Asoftis Burning Studio\libeay32.dll

Filesize
1.3MB

MD5
a49a014a9285a33bfefc7cb595e2c7cf

SHA1
5b42790b3519a93dbaba97cc5efaaf96fdc74294

SHA256
81f9c7c0fd82f4e3b715b392b6cbb10b649e85b063c2a5d0785c6e2632136a3d

SHA512
d0fd45d38600500fd2bbb6c156e96a6edc92aaab6c80d9d959295525ee58f9abc7e7292ad3c7bf18188c10fdc5b176039dc87ed43e4912f11e5f26635ef7de05

Download Submit
C:\Program Files (x86)\Asoftis Burning Studio\ssleay32.dll

Filesize
351KB

MD5
8835f3b80692c28fc445c4723e2c887b

SHA1
7e9377211d54dddd97fa719f910ea57729d1308e

SHA256
047bb5cea8119c477990059953129f6789492e34ce11e8a7f383350dcc13a3ae

SHA512
fbdf9df09b95191106b465f9687153cb1747d5d7b701426a4ec8008cf29451903e1246c5f7a0c4f4916220dcad3c4a7f6c1e54aab325371766cc3a7f7564b466

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-89CMN.tmp\ABurnStudioSetup.tmp

Filesize
697KB

MD5
832dab307e54aa08f4b6cdd9b9720361

SHA1
ebd007fb7482040ecf34339e4bf917209c1018df

SHA256
cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3

SHA512
358d43522fd460eb1511708e4df22ea454a95e5bc3c4841931027b5fa3fb1dda05d496d8ad0a8b9279b99e6be74220fe243db8f08ef49845e9fb35c350ef4b49

Download Submit
memory/1596-39-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1596-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1596-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3816-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3816-38-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4524-33-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4524-50-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4524-52-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing