63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d

Analysis

max time kernel
160s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-07-2022 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d.exe
Size

2.9MB
MD5

496334838840d313341bb904378c0484
SHA1

3bf21a6b3c70861101810c1b695e6be30f41497a
SHA256

63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d
SHA512

0c443798bdfd9e718c8ad5c04c6d835649b0304c34b8d52cbe34a3c008de11771360dd76b38f89737aed8b855efd232e8a3496f4db74ebbc73a3e44ad22e236d

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine	63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2436-130-0x0000000001000000-0x00000000012F1000-memory.dmp	themida
behavioral2/memory/2436-131-0x0000000001000000-0x00000000012F1000-memory.dmp	themida

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2676	2436	WerFault.exe	63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d.exe
4604	2436	WerFault.exe	63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d.exe

C:\Users\Admin\AppData\Local\Temp\63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d.exe
"C:\Users\Admin\AppData\Local\Temp\63e0a965c53778faf5756e0e942f0723fb38b7ec6baf9f9447667ba80b5a0a8d.exe"
1⤵
- Identifies Wine through registry keys
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 288
2⤵
- Program crash
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 308
2⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2436 -ip 2436
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2436 -ip 2436
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-130-0x0000000001000000-0x00000000012F1000-memory.dmp

Filesize
2.9MB

Download
memory/2436-131-0x0000000001000000-0x00000000012F1000-memory.dmp

Filesize
2.9MB

Download