bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e

Analysis

max time kernel
77s
max time network
127s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
Size

3.1MB
MD5

ad796cddffda8d111ba71bafc09473e6
SHA1

48069f57d229ede3d4999591bfa0204a56815a74
SHA256

bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e
SHA512

b27831fee3250a92aa4be4b7c65aae91cb239803e3045e8027fd9e0c5b1e6813e9e71dc92013f98bf8dfd8ba74c929af4586fad8c0a628ce5e89b0efa25e2134
SSDEEP

49152:3LBT/nj3GHEvytnxr+QFpf2w8btDJtZ/1yYorfS6AT9yLEBCxGPJ2Tpohpu:3FjWQQFp3EJJtZ/cr1BATcGy

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000142c9-57.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1752	hh123.exe
1032	svchosb.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000142c9-57.dat	upx
behavioral1/memory/2028-58-0x00000000025C0000-0x000000000262A000-memory.dmp	upx
behavioral1/memory/2028-85-0x00000000025C0000-0x000000000262A000-memory.dmp	upx

Loads dropped DLL 10 IoCs

pid	Process
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchosb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\svchosb.exe"	svchosb.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchosb.exe	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
File opened for modification	C:\Windows\SysWOW64\svchosb.exe	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
File created	C:\Windows\SysWOW64\svchosb.exe	svchosb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\server.txt	svchosb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
1752	hh123.exe
1752	hh123.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	676	AUDIODG.EXE
Token: 33	676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	676	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1752	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	29
PID 2028 wrote to memory of 1752	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	29
PID 2028 wrote to memory of 1752	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	29
PID 2028 wrote to memory of 1752	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	29
PID 2028 wrote to memory of 1032	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	30
PID 2028 wrote to memory of 1032	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	30
PID 2028 wrote to memory of 1032	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	30
PID 2028 wrote to memory of 1032	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	30
PID 2028 wrote to memory of 1032	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	30
PID 2028 wrote to memory of 1032	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	30
PID 2028 wrote to memory of 1032	2028	bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe	30

C:\Users\Admin\AppData\Local\Temp\bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe
"C:\Users\Admin\AppData\Local\Temp\bb19f53b753eff2296d33a36eb4f78c68db58a16e8ba705314bab9323d53f59e.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe" killprocess svchosb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Windows\SysWOW64\svchosb.exe
  "C:\Windows\system32\svchosb.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe

Filesize
32KB

MD5
bb6c6f99dfa35d705592909772f1e261

SHA1
2ed55e5210b4e662c8bddc0dfdce06ab781f58b3

SHA256
66f63fabc82ffa2d4a3821cb21243dce42e279bb5d795b45ff50ddec700826e1

SHA512
96244d07c4788f7b743e682073de3840fbec39d54f3996157aba405bab2deac2625af1962dc86e6c968c064c3698b45adfa47e9b4e6074bf2014b4f79ff1004c

Download Submit
C:\Windows\SysWOW64\svchosb.exe

Filesize
187KB

MD5
29fd6bf2fc8522976b419cc535bd6414

SHA1
70e73681cd6e1e654211990fec65839a7bfa6931

SHA256
85002cb7166742c73ca55d93d2c0b1542b82f00968e3e22decff6acb7bd66841

SHA512
ed546285c40c804248b9735cad1903cc494d62f32bed51b0ace2c2c4956620fce0c32e322db87ee246ba2a6e3b7cffb748cd8d2dd06bd84da37dfa6aef5f200a

Download Submit
C:\Windows\SysWOW64\svchosb.exe

Filesize
187KB

MD5
29fd6bf2fc8522976b419cc535bd6414

SHA1
70e73681cd6e1e654211990fec65839a7bfa6931

SHA256
85002cb7166742c73ca55d93d2c0b1542b82f00968e3e22decff6acb7bd66841

SHA512
ed546285c40c804248b9735cad1903cc494d62f32bed51b0ace2c2c4956620fce0c32e322db87ee246ba2a6e3b7cffb748cd8d2dd06bd84da37dfa6aef5f200a

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\MMBMisc.dll

Filesize
160KB

MD5
aac005d1197cba6c0f9a725c889d489d

SHA1
b31f7126dd1aea03d58cd33a6b9a49685471a5e2

SHA256
a584007ac2173048bb8f6e94022b661dc955105d39fcb206d7df339abfee661d

SHA512
b88331674f869221724361afcb687d4104ce9381f074b67816af13110365e2ff055d5e31638e868c1d5ca0c871d87da69fb6eba3daca097b104ed9ccf0a89e8f

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe

Filesize
32KB

MD5
bb6c6f99dfa35d705592909772f1e261

SHA1
2ed55e5210b4e662c8bddc0dfdce06ab781f58b3

SHA256
66f63fabc82ffa2d4a3821cb21243dce42e279bb5d795b45ff50ddec700826e1

SHA512
96244d07c4788f7b743e682073de3840fbec39d54f3996157aba405bab2deac2625af1962dc86e6c968c064c3698b45adfa47e9b4e6074bf2014b4f79ff1004c

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe

Filesize
32KB

MD5
bb6c6f99dfa35d705592909772f1e261

SHA1
2ed55e5210b4e662c8bddc0dfdce06ab781f58b3

SHA256
66f63fabc82ffa2d4a3821cb21243dce42e279bb5d795b45ff50ddec700826e1

SHA512
96244d07c4788f7b743e682073de3840fbec39d54f3996157aba405bab2deac2625af1962dc86e6c968c064c3698b45adfa47e9b4e6074bf2014b4f79ff1004c

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe

Filesize
32KB

MD5
bb6c6f99dfa35d705592909772f1e261

SHA1
2ed55e5210b4e662c8bddc0dfdce06ab781f58b3

SHA256
66f63fabc82ffa2d4a3821cb21243dce42e279bb5d795b45ff50ddec700826e1

SHA512
96244d07c4788f7b743e682073de3840fbec39d54f3996157aba405bab2deac2625af1962dc86e6c968c064c3698b45adfa47e9b4e6074bf2014b4f79ff1004c

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe

Filesize
32KB

MD5
bb6c6f99dfa35d705592909772f1e261

SHA1
2ed55e5210b4e662c8bddc0dfdce06ab781f58b3

SHA256
66f63fabc82ffa2d4a3821cb21243dce42e279bb5d795b45ff50ddec700826e1

SHA512
96244d07c4788f7b743e682073de3840fbec39d54f3996157aba405bab2deac2625af1962dc86e6c968c064c3698b45adfa47e9b4e6074bf2014b4f79ff1004c

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\hh123.exe

Filesize
32KB

MD5
bb6c6f99dfa35d705592909772f1e261

SHA1
2ed55e5210b4e662c8bddc0dfdce06ab781f58b3

SHA256
66f63fabc82ffa2d4a3821cb21243dce42e279bb5d795b45ff50ddec700826e1

SHA512
96244d07c4788f7b743e682073de3840fbec39d54f3996157aba405bab2deac2625af1962dc86e6c968c064c3698b45adfa47e9b4e6074bf2014b4f79ff1004c

Download Submit
\Windows\SysWOW64\svchosb.exe

Filesize
187KB

MD5
29fd6bf2fc8522976b419cc535bd6414

SHA1
70e73681cd6e1e654211990fec65839a7bfa6931

SHA256
85002cb7166742c73ca55d93d2c0b1542b82f00968e3e22decff6acb7bd66841

SHA512
ed546285c40c804248b9735cad1903cc494d62f32bed51b0ace2c2c4956620fce0c32e322db87ee246ba2a6e3b7cffb748cd8d2dd06bd84da37dfa6aef5f200a

Download Submit
\Windows\SysWOW64\svchosb.exe

Filesize
187KB

MD5
29fd6bf2fc8522976b419cc535bd6414

SHA1
70e73681cd6e1e654211990fec65839a7bfa6931

SHA256
85002cb7166742c73ca55d93d2c0b1542b82f00968e3e22decff6acb7bd66841

SHA512
ed546285c40c804248b9735cad1903cc494d62f32bed51b0ace2c2c4956620fce0c32e322db87ee246ba2a6e3b7cffb748cd8d2dd06bd84da37dfa6aef5f200a

Download Submit
\Windows\SysWOW64\svchosb.exe

Filesize
187KB

MD5
29fd6bf2fc8522976b419cc535bd6414

SHA1
70e73681cd6e1e654211990fec65839a7bfa6931

SHA256
85002cb7166742c73ca55d93d2c0b1542b82f00968e3e22decff6acb7bd66841

SHA512
ed546285c40c804248b9735cad1903cc494d62f32bed51b0ace2c2c4956620fce0c32e322db87ee246ba2a6e3b7cffb748cd8d2dd06bd84da37dfa6aef5f200a

Download Submit
\Windows\SysWOW64\svchosb.exe

Filesize
187KB

MD5
29fd6bf2fc8522976b419cc535bd6414

SHA1
70e73681cd6e1e654211990fec65839a7bfa6931

SHA256
85002cb7166742c73ca55d93d2c0b1542b82f00968e3e22decff6acb7bd66841

SHA512
ed546285c40c804248b9735cad1903cc494d62f32bed51b0ace2c2c4956620fce0c32e322db87ee246ba2a6e3b7cffb748cd8d2dd06bd84da37dfa6aef5f200a

Download Submit
memory/1032-94-0x0000000000400000-0x00000000004A2A4C-memory.dmp

Filesize
650KB

Download
memory/1032-84-0x0000000000400000-0x00000000004A2A4C-memory.dmp

Filesize
650KB

Download
memory/1752-69-0x0000000000400000-0x000000000041A684-memory.dmp

Filesize
105KB

Download
memory/2028-55-0x0000000000400000-0x000000000060D290-memory.dmp

Filesize
2.1MB

Download
memory/2028-85-0x00000000025C0000-0x000000000262A000-memory.dmp

Filesize
424KB

Download
memory/2028-72-0x0000000003F40000-0x0000000003F5B000-memory.dmp

Filesize
108KB

Download
memory/2028-56-0x0000000000400000-0x000000000060D290-memory.dmp

Filesize
2.1MB

Download
memory/2028-66-0x0000000003F30000-0x0000000003F4B000-memory.dmp

Filesize
108KB

Download
memory/2028-68-0x0000000003F30000-0x0000000003F4B000-memory.dmp

Filesize
108KB

Download
memory/2028-58-0x00000000025C0000-0x000000000262A000-memory.dmp

Filesize
424KB

Download
memory/2028-81-0x0000000004040000-0x00000000040E3000-memory.dmp

Filesize
652KB

Download
memory/2028-83-0x0000000004050000-0x00000000040F3000-memory.dmp

Filesize
652KB

Download
memory/2028-82-0x0000000004050000-0x00000000040F3000-memory.dmp

Filesize
652KB

Download
memory/2028-71-0x0000000003F40000-0x0000000003F5B000-memory.dmp

Filesize
108KB

Download
memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/2028-89-0x0000000003F40000-0x0000000003F5B000-memory.dmp

Filesize
108KB

Download
memory/2028-90-0x0000000003F40000-0x0000000003F5B000-memory.dmp

Filesize
108KB

Download
memory/2028-88-0x0000000003F40000-0x0000000003F5B000-memory.dmp

Filesize
108KB

Download
memory/2028-87-0x0000000003F30000-0x0000000003F4B000-memory.dmp

Filesize
108KB

Download
memory/2028-86-0x0000000003F30000-0x0000000003F4B000-memory.dmp

Filesize
108KB

Download
memory/2028-91-0x0000000004040000-0x00000000040E3000-memory.dmp

Filesize
652KB

Download
memory/2028-92-0x0000000004050000-0x00000000040F3000-memory.dmp

Filesize
652KB

Download
memory/2028-93-0x0000000000400000-0x000000000060D290-memory.dmp

Filesize
2.1MB

Download
memory/2028-70-0x0000000003F40000-0x0000000003F5B000-memory.dmp

Filesize
108KB

Download