Analysis
- max time kernel: 158s
- max time network: 197s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-07-2022 08:07
- Static task: static1
- Behavioral task: behavioral1
  - Sample: dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe
  - Resource: win7-20220414-en
General
- Target: dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe
- Size: 704KB
- MD5: 46fc7f8fe6baa4ad25bac4facbde8c8e
- SHA1: 38d7b64b07bad3afe68190329a243d89e41ae8db
- SHA256: dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3
- SHA512: 7c28b57ffaafc2a3b82282c236627ca4210d820ccd3df694047d0e3e3f1976b332a926a1ae459f9486109cdf75ee0f26e375700dcdebecf4156b97577fda0396
Malware Config
Signatures
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine (by dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe)
- YARA rule match: themida
  Processes:
  - resource behavioral1/memory/1324-54-0x0000000010000000-0x000000001019D000-memory.dmp matches yara_rule themida
  - resource behavioral1/memory/1324-55-0x0000000010000000-0x000000001019D000-memory.dmp matches yara_rule themida
- Drops file in System32 directory (3 IoCs)
  Processes: dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe
  - File created: C:\Windows\SysWOW64\Spy-Net\server.exe
  - File opened for modification: C:\Windows\SysWOW64\Spy-Net\server.exe
  - File opened for modification: C:\Windows\SysWOW64\Spy-Net\
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  - PID 1324: dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1324 (dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe) set thread context of PID 1984 (iexplore.exe)
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 1324: dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  - PID 1984: iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  - PID 1984: iexplore.exe (2 hits)
  - PID 1572: IEXPLORE.EXE (4 hits)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 1324 (dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe) wrote to memory of PID 1984 (iexplore.exe): 5 times
  - PID 1984 (iexplore.exe) wrote to memory of PID 1572 (IEXPLORE.EXE): 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd15a1cd937d4bf4562d91529d3af1ab717f71e75eec3546cfca8e1c10c8b3c3.exe"
  PID: 1324
  - Identifies Wine through registry keys
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 1984
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
      PID: 1572
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BO7IJX2F.txt
  - Filesize: 604B
  - MD5: 4d712be234dca73e2cc4650b37c8a70c
  - SHA1: bd7a84fbc41fcfc3ed1fa2ca0ad211f7732ee4db
  - SHA256: 12341b62489d588988ec2a53e2d2aacca7d245c881b90503561d3cdd784562ec
  - SHA512: c8580cba5f273de75580f2cf3058843547eda83eeca8a2c4715b1f0ec130f514242d75aa84869d83c0f8d57720fae5f0e804be753b5a3c729b1ed84cff83b925
- memory/1324-54-0x0000000010000000-0x000000001019D000-memory.dmp
  - Filesize: 1.6MB
- memory/1324-55-0x0000000010000000-0x000000001019D000-memory.dmp
  - Filesize: 1.6MB