Analysis
- max time kernel: 37s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 21:22
Behavioral task
- behavioral1
- Sample: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
- Resource: win7-20220715-en
- windows7-x64
- 7 signatures
- 150 seconds
General
- Target: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
- Size: 942KB
- MD5: 5e1e009e6d4276b63cbce7dc50f6f41c
- SHA1: 3fba19da9c47d7d2e54a52349ab4b6529ca23b23
- SHA256: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0
- SHA512: 743d1ff0d8364d6ae2476707689b1da8a69976ddcd4505d21f798b63881269c1b651dcc0bc85ce13f4d5b058e8b982142847c17e4785aaa34fd14e418ee4d67c
Malware Config
Signatures
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    description: Key opened \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Wine
    process: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
  Processes (resource, yara_rule):
    behavioral1/memory/1308-54-0x0000000000400000-0x00000000005BEB00-memory.dmp: themida
    behavioral1/memory/1308-55-0x0000000000400000-0x00000000005BEB00-memory.dmp: themida
    behavioral1/memory/1308-58-0x0000000000400000-0x00000000005BEB00-memory.dmp: themida
    behavioral1/memory/1308-63-0x0000000000400000-0x00000000005BEB00-memory.dmp: themida
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid: 1308
    process: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 1308 set thread context of 948
    pid: 1308
    process: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
    target process: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid: 1308
    process: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid: 1308
    process: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description: PID 1308 wrote to memory of 948
    pid: 1308
    process: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
    target process: d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
    (this entry is listed 8 times in the report, one per IoC, with identical pid, process and target process)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe"
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe (level 2, spawned by the process above)
      command line: C:\Users\Admin\AppData\Local\Temp\d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/948-59-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/948-60-0x00000000004074ED-mapping.dmp
- memory/948-62-0x0000000075681000-0x0000000075683000-memory.dmp (Filesize: 8KB)
- memory/948-64-0x0000000010000000-0x0000000010011000-memory.dmp (Filesize: 68KB)
- memory/948-65-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1308-54-0x0000000000400000-0x00000000005BEB00-memory.dmp (Filesize: 1.7MB)
- memory/1308-55-0x0000000000400000-0x00000000005BEB00-memory.dmp (Filesize: 1.7MB)
- memory/1308-58-0x0000000000400000-0x00000000005BEB00-memory.dmp (Filesize: 1.7MB)
- memory/1308-63-0x0000000000400000-0x00000000005BEB00-memory.dmp (Filesize: 1.7MB)