8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e

Analysis

max time kernel
75s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
Size

3.4MB
MD5

8ed572bc057331b9ce5c019ad3990748
SHA1

e9b6261a6803dcd4b83efd6556ffe3d2e4e37486
SHA256

8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e
SHA512

723c0bed17dd467e13d2d7b7f3dd6c94a8ed5afef2e80b0e73ba905dfc899191af78f7e8c80f9f64843674609012e656a3448302f7ab3f9c9f6db250e2e3325f
SSDEEP

98304:6wI89wPuTeaKVaGOjqOeOicO7zLDfgV5l:u8oWkgjqOeOicO7zXa

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1064	updater.exe
468	SetupAnyDVD6469.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/856-55-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/memory/856-56-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/files/0x0007000000014129-66.dat	upx
behavioral1/memory/856-67-0x00000000030F0000-0x0000000003118000-memory.dmp	upx
behavioral1/files/0x0007000000014129-69.dat	upx
behavioral1/files/0x0007000000014129-68.dat	upx
behavioral1/files/0x0007000000014129-71.dat	upx
behavioral1/memory/468-74-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/856-75-0x00000000030E0000-0x0000000003144000-memory.dmp	upx
behavioral1/memory/856-76-0x00000000030F0000-0x0000000003154000-memory.dmp	upx
behavioral1/memory/856-77-0x00000000030F0000-0x0000000003154000-memory.dmp	upx
behavioral1/files/0x0007000000014129-79.dat	upx
behavioral1/memory/856-87-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/memory/468-92-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/1064-93-0x0000000000240000-0x00000000002A4000-memory.dmp	upx

Loads dropped DLL 12 IoCs

pid	Process
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
1064	updater.exe
1064	updater.exe
1064	updater.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1500	1064	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1064	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	28
PID 856 wrote to memory of 1064	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	28
PID 856 wrote to memory of 1064	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	28
PID 856 wrote to memory of 1064	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	28
PID 856 wrote to memory of 1064	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	28
PID 856 wrote to memory of 1064	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	28
PID 856 wrote to memory of 1064	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	28
PID 856 wrote to memory of 468	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	29
PID 856 wrote to memory of 468	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	29
PID 856 wrote to memory of 468	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	29
PID 856 wrote to memory of 468	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	29
PID 856 wrote to memory of 468	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	29
PID 856 wrote to memory of 468	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	29
PID 856 wrote to memory of 468	856	8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe	29
PID 1064 wrote to memory of 1500	1064	updater.exe	30
PID 1064 wrote to memory of 1500	1064	updater.exe	30
PID 1064 wrote to memory of 1500	1064	updater.exe	30
PID 1064 wrote to memory of 1500	1064	updater.exe	30
PID 1064 wrote to memory of 1500	1064	updater.exe	30
PID 1064 wrote to memory of 1500	1064	updater.exe	30
PID 1064 wrote to memory of 1500	1064	updater.exe	30

C:\Users\Admin\AppData\Local\Temp\8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe
"C:\Users\Admin\AppData\Local\Temp\8fc23c94d4653cadc175ef99f4bd12b599e77ae7eda2c5b82283ff000d4f238e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 292
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1500
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\SetupAnyDVD6469.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\SetupAnyDVD6469.exe"
  2⤵
  - Executes dropped EXE
  PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MMBPlayer\SetupAnyDVD6469.exe

Filesize
2.5MB

MD5
5ba468febafbd7f28a6e61c9a811176a

SHA1
1e4915baeca1898ef8f6ac68ecda87ea60886203

SHA256
db31c417c98c5c42b295e74b7e0de9963eb0549431eafbbbd203bb76c5b41e9e

SHA512
5a51b41b6349f3725dc4f8bc38fa92e6618c9932557a2244641b5526dfba237f1763ca0691f1eb2bf0a69b30091857a000528e83528589c27ae630915094d7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\SetupAnyDVD6469.exe

Filesize
2.5MB

MD5
5ba468febafbd7f28a6e61c9a811176a

SHA1
1e4915baeca1898ef8f6ac68ecda87ea60886203

SHA256
db31c417c98c5c42b295e74b7e0de9963eb0549431eafbbbd203bb76c5b41e9e

SHA512
5a51b41b6349f3725dc4f8bc38fa92e6618c9932557a2244641b5526dfba237f1763ca0691f1eb2bf0a69b30091857a000528e83528589c27ae630915094d7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\SetupAnyDVD6469.exe

Filesize
2.5MB

MD5
5ba468febafbd7f28a6e61c9a811176a

SHA1
1e4915baeca1898ef8f6ac68ecda87ea60886203

SHA256
db31c417c98c5c42b295e74b7e0de9963eb0549431eafbbbd203bb76c5b41e9e

SHA512
5a51b41b6349f3725dc4f8bc38fa92e6618c9932557a2244641b5526dfba237f1763ca0691f1eb2bf0a69b30091857a000528e83528589c27ae630915094d7ea

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\SetupAnyDVD6469.exe

Filesize
2.5MB

MD5
5ba468febafbd7f28a6e61c9a811176a

SHA1
1e4915baeca1898ef8f6ac68ecda87ea60886203

SHA256
db31c417c98c5c42b295e74b7e0de9963eb0549431eafbbbd203bb76c5b41e9e

SHA512
5a51b41b6349f3725dc4f8bc38fa92e6618c9932557a2244641b5526dfba237f1763ca0691f1eb2bf0a69b30091857a000528e83528589c27ae630915094d7ea

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\SetupAnyDVD6469.exe

Filesize
2.5MB

MD5
5ba468febafbd7f28a6e61c9a811176a

SHA1
1e4915baeca1898ef8f6ac68ecda87ea60886203

SHA256
db31c417c98c5c42b295e74b7e0de9963eb0549431eafbbbd203bb76c5b41e9e

SHA512
5a51b41b6349f3725dc4f8bc38fa92e6618c9932557a2244641b5526dfba237f1763ca0691f1eb2bf0a69b30091857a000528e83528589c27ae630915094d7ea

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\updater.exe

Filesize
389KB

MD5
5f6abc2ba46e8a3edc2770fe71a9faf2

SHA1
75c08e4333b53f4085a8c7e2f7cd381d80749181

SHA256
33fe6d875282a66ddd6259e380c42c9a4e74777bf307cd697289d6050ead753c

SHA512
ca394b518af4493b080c2dd6f9eabdc524265a423ea0cb7585417d06c9c789b7463fb3acb1478d556679371cf549e1cfc83abd2c84162956e8ade0975b0a13af

Download Submit
memory/468-74-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/468-92-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/856-72-0x0000000003100000-0x0000000003128000-memory.dmp

Filesize
160KB

Download
memory/856-87-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/856-76-0x00000000030F0000-0x0000000003154000-memory.dmp

Filesize
400KB

Download
memory/856-77-0x00000000030F0000-0x0000000003154000-memory.dmp

Filesize
400KB

Download
memory/856-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/856-73-0x0000000003100000-0x0000000003128000-memory.dmp

Filesize
160KB

Download
memory/856-67-0x00000000030F0000-0x0000000003118000-memory.dmp

Filesize
160KB

Download
memory/856-55-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/856-56-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/856-75-0x00000000030E0000-0x0000000003144000-memory.dmp

Filesize
400KB

Download
memory/856-61-0x00000000030F0000-0x0000000003154000-memory.dmp

Filesize
400KB

Download
memory/856-60-0x00000000030E0000-0x0000000003144000-memory.dmp

Filesize
400KB

Download
memory/1064-88-0x0000000000240000-0x00000000002A4000-memory.dmp

Filesize
400KB

Download
memory/1064-89-0x0000000000240000-0x00000000002A4000-memory.dmp

Filesize
400KB

Download
memory/1064-91-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1064-65-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1064-93-0x0000000000240000-0x00000000002A4000-memory.dmp

Filesize
400KB

Download