Overview

overview

8

Static

static

dvdfab_pla...15.exe

windows7_x64

8

dvdfab_pla...15.exe

windows10_x64

8

Resubmissions

23-09-2021 13:58

210923-raaz9aefc4 8

22-08-2021 12:57

210822-9mjev45vne 10

Analysis

  • max time kernel
    154s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-09-2021 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dvdfab_player_6115.exe

  • Size

    102.3MB

  • MD5

    12880e15e937216cb83b7a2cb328909e

  • SHA1

    56fec932ebad7b73b1629bd510416dc33a186ea3

  • SHA256

    fcbf364dfa1211e904b23c5fbd6bb67159d4e4f56777f0445977e38b6d49777f

  • SHA512

    2d63cc5db2eb219c4349e2fdf2436b334779b50b6184c8e54ed65fba0fb803c74dfe0f19f9e404b53511df0d249b8adbd3646dd8f7404b5d9fbb67ab5c42d87d

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 11 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe
    "C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c
      2⤵
        PID:1164
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          -d 56007 TCP
          3⤵
            PID:1172
          • C:\Users\Admin\AppData\Local\Temp\revpe.exe
            -d 56007 TCP
            3⤵
            • Executes dropped EXE
            PID:1320
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            -a 10.10.0.23 56007 56007 TCP
            3⤵
              PID:1192
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              -d 56008 TCP
              3⤵
                PID:1428
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                -a 10.10.0.23 56008 56008 TCP
                3⤵
                  PID:3780
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe'" /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3588
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe'" /f
                  3⤵
                  • Creates scheduled task(s)
                  PID:3800
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe" "C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe"
                2⤵
                  PID:3716
              • C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe
                C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3016

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe
                MD5

                155c243b26868df88e2d24779865f334

                SHA1

                7cb0b6384b29917cfd974b0a97637084f1cc4ad6

                SHA256

                ea781234cdfc94f5e16a603b8db16bc1a6f47d600f75f15ec10649b0dae243b9

                SHA512

                6840718a42f8a2e7c53f5a668acccfa30bce82ee36646991d4f5bda43d0fa5d1b412ee3ad7c526ca8aada714097b6b2b5c4487a7d74f260fdf85d80a7d4e7561

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe
                MD5

                40c903815c97767f5356a18ff3ea35e2

                SHA1

                1a7097a27a5f0f3e2907e31f7b0906171da7a629

                SHA256

                b29f6c69aa0b10240d96a0f5b7a2b5b9ffb80515178ffff71cfe7454f7bd96d4

                SHA512

                0cd5f3e4fdecffe35a0f3592b5385563618c1f41605ff1485defd83a0803088beabd8da7f75ce6f21db83d576da83bb9a79a8918379c984ddc1a55f0e7b938c8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\revpe.exe
                MD5

                ca42e05f9d53c7ec9383307c1ea282bb

                SHA1

                ed0efa1b59b461dcda08121a39411bee72f6b4cb

                SHA256

                63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade

                SHA512

                4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\revpe.exe
                MD5

                ca42e05f9d53c7ec9383307c1ea282bb

                SHA1

                ed0efa1b59b461dcda08121a39411bee72f6b4cb

                SHA256

                63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade

                SHA512

                4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

                Download Submit

              • memory/664-114-0x0000000001030000-0x0000000001031000-memory.dmp

                Filesize

                4KB

                Download

              • memory/664-119-0x000000000BDA0000-0x000000000BDA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/664-118-0x000000000BA30000-0x000000000BA31000-memory.dmp

                Filesize

                4KB

                Download

              • memory/664-117-0x000000000BA40000-0x000000000BA41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/664-116-0x000000000BF40000-0x000000000BF41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1164-120-0x0000000000000000-mapping.dmp

                Download

              • memory/1192-135-0x0000000000418F40-mapping.dmp

                Download

              • memory/1320-147-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download

              • memory/1320-131-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

                Download

              • memory/1320-132-0x0000000000418F40-mapping.dmp

                Download

              • memory/1364-121-0x0000000000400000-0x00000000005F7000-memory.dmp

                Filesize

                2.0MB

                Download

              • memory/1364-130-0x0000000007810000-0x0000000008810000-memory.dmp

                Filesize

                16.0MB

                Download

              • memory/1364-125-0x0000000000400000-0x00000000005F7000-memory.dmp

                Filesize

                2.0MB

                Download

              • memory/1364-122-0x00000000005F5A70-mapping.dmp

                Download

              • memory/1428-137-0x0000000000418F40-mapping.dmp

                Download

              • memory/3016-153-0x0000000000190000-0x0000000000191000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3016-158-0x000000000B0F0000-0x000000000B0F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3588-148-0x0000000000000000-mapping.dmp

                Download

              • memory/3716-149-0x0000000000000000-mapping.dmp

                Download

              • memory/3780-141-0x0000000000418F40-mapping.dmp

                Download

              • memory/3800-150-0x0000000000000000-mapping.dmp

                Download