5bc55a28df511497fef465f3127424ec2ef9dc6f0ba465e3491156102a6b01a4

Resubmissions

23-09-2021 13:58

210923-raaz9aefc4 8

22-08-2021 12:57

210822-9mjev45vne 10

Analysis

max time kernel
154s
max time network
163s
platform
windows10_x64
resource
win10v20210408
submitted
23-09-2021 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dvdfab_player_6115.exe
Size

102.3MB
MD5

12880e15e937216cb83b7a2cb328909e
SHA1

56fec932ebad7b73b1629bd510416dc33a186ea3
SHA256

fcbf364dfa1211e904b23c5fbd6bb67159d4e4f56777f0445977e38b6d49777f
SHA512

2d63cc5db2eb219c4349e2fdf2436b334779b50b6184c8e54ed65fba0fb803c74dfe0f19f9e404b53511df0d249b8adbd3646dd8f7404b5d9fbb67ab5c42d87d

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1320	revpe.exe
3016	keygen.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1364-121-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/1364-125-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/1320-131-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1320-147-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exeꐀ"	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe\u2000"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe케"	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe\uff00"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe\u2000"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe\uf800"	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe\uf800"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exe케"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WM-f6ff = "C:\\Users\\Admin\\AppData\\Roaming\\WM-f6ff.exeꐀ"	AppLaunch.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 664 set thread context of 1364	664	dvdfab_player_6115.exe	70
PID 1364 set thread context of 1320	1364	AppLaunch.exe	79
PID 1364 set thread context of 1192	1364	AppLaunch.exe	80
PID 1364 set thread context of 1428	1364	AppLaunch.exe	81
PID 1364 set thread context of 3780	1364	AppLaunch.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3800	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	dvdfab_player_6115.exe
Token: SeShutdownPrivilege	1364	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1364	AppLaunch.exe
Token: SeDebugPrivilege	3016	keygen.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	AppLaunch.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 1164	664	dvdfab_player_6115.exe	68
PID 664 wrote to memory of 1164	664	dvdfab_player_6115.exe	68
PID 664 wrote to memory of 1164	664	dvdfab_player_6115.exe	68
PID 664 wrote to memory of 1364	664	dvdfab_player_6115.exe	70
PID 664 wrote to memory of 1364	664	dvdfab_player_6115.exe	70
PID 664 wrote to memory of 1364	664	dvdfab_player_6115.exe	70
PID 664 wrote to memory of 1364	664	dvdfab_player_6115.exe	70
PID 664 wrote to memory of 1364	664	dvdfab_player_6115.exe	70
PID 664 wrote to memory of 1364	664	dvdfab_player_6115.exe	70
PID 664 wrote to memory of 1364	664	dvdfab_player_6115.exe	70
PID 1364 wrote to memory of 1172	1364	AppLaunch.exe	78
PID 1364 wrote to memory of 1172	1364	AppLaunch.exe	78
PID 1364 wrote to memory of 1172	1364	AppLaunch.exe	78
PID 1364 wrote to memory of 1320	1364	AppLaunch.exe	79
PID 1364 wrote to memory of 1320	1364	AppLaunch.exe	79
PID 1364 wrote to memory of 1320	1364	AppLaunch.exe	79
PID 1364 wrote to memory of 1320	1364	AppLaunch.exe	79
PID 1364 wrote to memory of 1320	1364	AppLaunch.exe	79
PID 1364 wrote to memory of 1320	1364	AppLaunch.exe	79
PID 1364 wrote to memory of 1320	1364	AppLaunch.exe	79
PID 1364 wrote to memory of 1320	1364	AppLaunch.exe	79
PID 1364 wrote to memory of 1192	1364	AppLaunch.exe	80
PID 1364 wrote to memory of 1192	1364	AppLaunch.exe	80
PID 1364 wrote to memory of 1192	1364	AppLaunch.exe	80
PID 1364 wrote to memory of 1192	1364	AppLaunch.exe	80
PID 1364 wrote to memory of 1192	1364	AppLaunch.exe	80
PID 1364 wrote to memory of 1192	1364	AppLaunch.exe	80
PID 1364 wrote to memory of 1192	1364	AppLaunch.exe	80
PID 1364 wrote to memory of 1192	1364	AppLaunch.exe	80
PID 1364 wrote to memory of 1428	1364	AppLaunch.exe	81
PID 1364 wrote to memory of 1428	1364	AppLaunch.exe	81
PID 1364 wrote to memory of 1428	1364	AppLaunch.exe	81
PID 1364 wrote to memory of 1428	1364	AppLaunch.exe	81
PID 1364 wrote to memory of 1428	1364	AppLaunch.exe	81
PID 1364 wrote to memory of 1428	1364	AppLaunch.exe	81
PID 1364 wrote to memory of 1428	1364	AppLaunch.exe	81
PID 1364 wrote to memory of 1428	1364	AppLaunch.exe	81
PID 1364 wrote to memory of 3780	1364	AppLaunch.exe	85
PID 1364 wrote to memory of 3780	1364	AppLaunch.exe	85
PID 1364 wrote to memory of 3780	1364	AppLaunch.exe	85
PID 1364 wrote to memory of 3780	1364	AppLaunch.exe	85
PID 1364 wrote to memory of 3780	1364	AppLaunch.exe	85
PID 1364 wrote to memory of 3780	1364	AppLaunch.exe	85
PID 1364 wrote to memory of 3780	1364	AppLaunch.exe	85
PID 1364 wrote to memory of 3780	1364	AppLaunch.exe	85
PID 664 wrote to memory of 3588	664	dvdfab_player_6115.exe	87
PID 664 wrote to memory of 3588	664	dvdfab_player_6115.exe	87
PID 664 wrote to memory of 3588	664	dvdfab_player_6115.exe	87
PID 664 wrote to memory of 3716	664	dvdfab_player_6115.exe	89
PID 664 wrote to memory of 3716	664	dvdfab_player_6115.exe	89
PID 664 wrote to memory of 3716	664	dvdfab_player_6115.exe	89
PID 3588 wrote to memory of 3800	3588	cmd.exe	91
PID 3588 wrote to memory of 3800	3588	cmd.exe	91
PID 3588 wrote to memory of 3800	3588	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe
"C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    -d 56007 TCP
    3⤵
    PID:1172
- - C:\Users\Admin\AppData\Local\Temp\revpe.exe
    -d 56007 TCP
    3⤵
    - Executes dropped EXE
    PID:1320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    -a 10.10.0.23 56007 56007 TCP
    3⤵
    PID:1192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    -d 56008 TCP
    3⤵
    PID:1428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    -a 10.10.0.23 56008 56008 TCP
    3⤵
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe" "C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe"
  2⤵
  PID:3716

C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe
C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-114-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/664-119-0x000000000BDA0000-0x000000000BDA1000-memory.dmp

Filesize
4KB

Download
memory/664-118-0x000000000BA30000-0x000000000BA31000-memory.dmp

Filesize
4KB

Download
memory/664-117-0x000000000BA40000-0x000000000BA41000-memory.dmp

Filesize
4KB

Download
memory/664-116-0x000000000BF40000-0x000000000BF41000-memory.dmp

Filesize
4KB

Download
memory/1320-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1320-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1364-121-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1364-130-0x0000000007810000-0x0000000008810000-memory.dmp

Filesize
16.0MB

Download
memory/1364-125-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/3016-153-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3016-158-0x000000000B0F0000-0x000000000B0F1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads