Analysis
-
max time kernel
143s -
max time network
138s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
23-09-2021 13:58
Static task
static1
Behavioral task
behavioral1
Sample
dvdfab_player_6115.exe
Resource
win7-en-20210920
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
dvdfab_player_6115.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
dvdfab_player_6115.exe
-
Size
102.3MB
-
MD5
12880e15e937216cb83b7a2cb328909e
-
SHA1
56fec932ebad7b73b1629bd510416dc33a186ea3
-
SHA256
fcbf364dfa1211e904b23c5fbd6bb67159d4e4f56777f0445977e38b6d49777f
-
SHA512
2d63cc5db2eb219c4349e2fdf2436b334779b50b6184c8e54ed65fba0fb803c74dfe0f19f9e404b53511df0d249b8adbd3646dd8f7404b5d9fbb67ab5c42d87d
Score
8/10
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/992-58-0x0000000000400000-0x00000000005F7000-memory.dmp upx behavioral1/memory/992-61-0x0000000000400000-0x00000000005F7000-memory.dmp upx -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 968 set thread context of 992 968 dvdfab_player_6115.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 968 dvdfab_player_6115.exe Token: SeDebugPrivilege 992 AppLaunch.exe Token: SeShutdownPrivilege 992 AppLaunch.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 968 wrote to memory of 516 968 dvdfab_player_6115.exe 29 PID 968 wrote to memory of 516 968 dvdfab_player_6115.exe 29 PID 968 wrote to memory of 516 968 dvdfab_player_6115.exe 29 PID 968 wrote to memory of 516 968 dvdfab_player_6115.exe 29 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31 PID 968 wrote to memory of 992 968 dvdfab_player_6115.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe"C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c2⤵PID:516
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:992
-