Analysis

- Max time kernel: 154s
- Max time network: 157s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 14-07-2022 05:17

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: b911f3ccc39031fc77b5b5dc15e8c4c10642edb961e5dd1799bbae80888d5471.dll
  Resource: win7-20220414-en (windows7_x64)
  Result: 0 signatures, 0 seconds
General

- Target: b911f3ccc39031fc77b5b5dc15e8c4c10642edb961e5dd1799bbae80888d5471.dll
- Size: 648KB
- MD5: 47cf2312142053973478a73c2221eea6
- SHA1: 6b50b6c1bb38de64ab2835387043e70e7add744f
- SHA256: b911f3ccc39031fc77b5b5dc15e8c4c10642edb961e5dd1799bbae80888d5471
- SHA512: 5a41a77798991958097616fa5959f4ea39ca370a7513179f96c9a03524252690084a4a50b290148327aa9b8b8af88d24d2ea218dbfac47ac5b1b7cd7584efcb3
Malware Config
(none listed)

Signatures

- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer that runs Windows applications on other operating systems. Because it is also used as a sandbox environment, malware probes for it to detect analysis.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | rundll32.exe

- YARA rule match: themida (the signature title is missing from the page; the rule name is all it gives)
  Themida is a commercial code protector/packer. The rule matched the same address range twice, in dumps 131 and 134 of PID 3936.
  Processes:
    resource | yara_rule
    behavioral2/memory/3936-131-0x0000000010000000-0x00000000100A3000-memory.dmp | themida
    behavioral2/memory/3936-134-0x0000000010000000-0x00000000100A3000-memory.dmp | themida

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target pid | target process
    PID 2712 wrote to memory of 3936 | 2712 | rundll32.exe | 3936 | rundll32.exe
    PID 2712 wrote to memory of 3936 | 2712 | rundll32.exe | 3936 | rundll32.exe
    PID 2712 wrote to memory of 3936 | 2712 | rundll32.exe | 3936 | rundll32.exe
  Note: the 64-bit rundll32.exe in system32, when handed a 32-bit DLL, relaunches the 32-bit rundll32.exe from SysWOW64 to host it and writes into that child while setting it up. All three writes go from 2712 to its own freshly created child 3936, which is consistent with that relaunch rather than with injection into an unrelated process; treat this signature on its own as weak evidence.
Processes

- C:\Windows\system32\rundll32.exe (PID 2712)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b911f3ccc39031fc77b5b5dc15e8c4c10642edb961e5dd1799bbae80888d5471.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3936, child of 2712)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b911f3ccc39031fc77b5b5dc15e8c4c10642edb961e5dd1799bbae80888d5471.dll,#1
    - Identifies Wine through registry keys
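The process tree and the Wine registry IoC above are enough to write host-side detection logic. The following is an added example, not part of the sandbox report and not the sample's code: it runs three checks over constructed events in a minimal generic schema (not real Sysmon or EDR output), with PIDs, images, command lines and the registry key copied from the report and the parent PID 1200 and the shell32.dll entry made up as background noise. It flags rundll32 calling an export by ordinal from a user temp directory, records the system32 to SysWOW64 rundll32 relaunch as context only, and raises the Wine key check together with the process lineage it came from.

```python
import re
from dataclasses import dataclass

# Constructed events (not real telemetry). The rundll32 chain, command lines
# and the Wine key mirror the report; ppid 1200 and the shell32 line are noise.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b911f3ccc39031fc77b5b5dc15e8c4c10642edb961e5dd1799bbae80888d5471.dll")
EVENTS = [
    {"type": "process_create", "pid": 2712, "ppid": 1200,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "pid": 3936, "ppid": 2712,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "reg_key_open", "pid": 3936,
     "key": r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine"},
    {"type": "process_create", "pid": 4100, "ppid": 1200,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 <dll>,#<n>: export invoked by ordinal instead of by name
ORDINAL_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*#(?P<ordinal>\d+)',
    re.IGNORECASE)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
WINE_KEY = re.compile(r"\\Software\\Wine$", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def lineage(pid: int, procs: dict) -> list:
    """Walk ppid links upward: [pid, parent, grandparent, ...] as far as known."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create" and is_rundll32(e["image"]):
            m = ORDINAL_EXPORT.search(e["cmdline"])
            if m:
                # A DLL in a user-writable temp dir run by ordinal is the report's
                # own launch line; the same pattern from a system path scores lower.
                sev = "high" if USER_TEMP.search(m["dll"]) else "medium"
                findings.append(Finding(e["pid"], "rundll32_ordinal_export", sev,
                                        f"{m['dll']} ordinal #{m['ordinal']}"))
            parent = procs.get(e["ppid"])
            if (parent and is_rundll32(parent["image"])
                    and "\\system32\\" in parent["image"].lower()
                    and "\\syswow64\\" in e["image"].lower()):
                # 64-bit rundll32 handing a 32-bit DLL to its SysWOW64 twin:
                # expected behaviour, kept for context, not scored on its own.
                findings.append(Finding(e["pid"], "rundll32_wow64_relaunch", "info",
                                        f"parent pid {parent['pid']}"))
        elif e["type"] == "reg_key_open" and WINE_KEY.search(e["key"]):
            chain = lineage(e["pid"], procs)
            findings.append(Finding(e["pid"], "wine_sandbox_check", "high",
                                    "process chain " + " <- ".join(map(str, chain))))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.severity}] pid {f.pid}: {f.rule} ({f.detail})")
```

The Wine check is the strongest single signal here: a legitimate program has no reason to open HKCU\Software\Wine on real Windows, and tying it to the rundll32 lineage tells the analyst which loader chain to pull dumps for.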
Network
(no network activity listed)

MITRE ATT&CK Enterprise v6
(no techniques listed on this page)
Downloads (memory dumps from PID 3936)

- memory/3936-130-0x0000000000000000-mapping.dmp
- memory/3936-131-0x0000000010000000-0x00000000100A3000-memory.dmp (Filesize: 652KB)
- memory/3936-132-0x0000000002D20000-0x0000000002DBD000-memory.dmp (Filesize: 628KB)
- memory/3936-133-0x0000000002E90000-0x000000000302E000-memory.dmp (Filesize: 1.6MB)
- memory/3936-134-0x0000000010000000-0x00000000100A3000-memory.dmp (Filesize: 652KB)

Dumps 131 and 134 cover the same 0xA3000-byte range (652KB, matching the listed size) captured at two points in the run. 0x10000000 is the default image base for a 32-bit DLL, so this region is the loaded sample itself, which fits the SysWOW64 host process; both captures matched the themida YARA rule. The later capture (134) is the natural starting point when looking for code that the protector has unpacked in place. The page does not describe the contents of the 0x2D20000 and 0x2E90000 regions.