ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17

Analysis

max time kernel
37s
max time network
40s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-06-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17.exe
Size

1.5MB
MD5

b2317be6c410056eb33e86a3111ac6c3
SHA1

42b70cc66a35a23b901084888e7623f9e0c2f982
SHA256

ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17
SHA512

4c5b05869144b0c3e05fe2bda3bbd0d0da54ff6dc4d3baf937abb20f4543a628d3129a85fc671f5e413678ddf2f8b0449ca6dabbefa501d8070c07cf46640b38

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine	ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1788-54-0x0000000000400000-0x0000000000731000-memory.dmp	themida
behavioral1/memory/1788-56-0x0000000000400000-0x0000000000731000-memory.dmp	themida
behavioral1/memory/1788-57-0x0000000000400000-0x0000000000731000-memory.dmp	themida

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17.exe

pid process

1788 ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17.exe

pid	process
1788	ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17.exe

C:\Users\Admin\AppData\Local\Temp\ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17.exe
"C:\Users\Admin\AppData\Local\Temp\ff1fb2905a6c8ebc94a0a150adef25f15335d66cb4601ce0ce534a4f09654a17.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1788

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-54-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-55-0x00000000002F0000-0x00000000003D8000-memory.dmp

Filesize
928KB

Download
memory/1788-56-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1788-57-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads