Overview

overview

7

Static

static

7

d38347d121...a0.exe

windows7-x64

7

d38347d121...a0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    37s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe

  • Size

    942KB

  • MD5

    5e1e009e6d4276b63cbce7dc50f6f41c

  • SHA1

    3fba19da9c47d7d2e54a52349ab4b6529ca23b23

  • SHA256

    d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0

  • SHA512

    743d1ff0d8364d6ae2476707689b1da8a69976ddcd4505d21f798b63881269c1b651dcc0bc85ce13f4d5b058e8b982142847c17e4785aaa34fd14e418ee4d67c

Score
7/10
evasionthemida

Malware Config

Signatures

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
    "C:\Users\Admin\AppData\Local\Temp\d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe"
    1⤵
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
      C:\Users\Admin\AppData\Local\Temp\d38347d12101e57b4e97bf41bf33cc3803596b1d3b26e12257d29994e5756ca0.exe
      2⤵
        PID:948

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/948-59-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/948-60-0x00000000004074ED-mapping.dmp
      Download
    • memory/948-62-0x0000000075681000-0x0000000075683000-memory.dmp
      Filesize

      8KB

      Download
    • memory/948-64-0x0000000010000000-0x0000000010011000-memory.dmp
      Filesize

      68KB

      Download
    • memory/948-65-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1308-54-0x0000000000400000-0x00000000005BEB00-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1308-55-0x0000000000400000-0x00000000005BEB00-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1308-58-0x0000000000400000-0x00000000005BEB00-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1308-63-0x0000000000400000-0x00000000005BEB00-memory.dmp
      Filesize

      1.7MB

      Download