18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458

General

Target

18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
Size

560KB
MD5

54f468369a1e72a92c4aed914f0302c0
SHA1

3f336242550e509e2e92334ac61e060f6d04f94c
SHA256

18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458
SHA512

4cb915de49b2508870721b4d237244619417b7f3c466281f4a088c81c2acef94cce88852acebf22135206a4ada2573f468deae0d947e28fadedc032575c3fb58
SSDEEP

12288:fEbZYT6f3sghHIaeBXtoHl95uGVQFW+FO4ugsqUC:uY+ZunXtIbyFsC

Score

8^/10

evasion

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
41	1564	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe

Gathers system information 1 TTPs 5 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
368	systeminfo.exe
4392	systeminfo.exe
4520	systeminfo.exe
2788	systeminfo.exe
4736	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
1564	rundll32.exe
1564	rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1564	2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe	81
PID 2120 wrote to memory of 1564	2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe	81
PID 2120 wrote to memory of 1564	2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe	81
PID 2120 wrote to memory of 1564	2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe	81
PID 2120 wrote to memory of 2356	2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe	82
PID 2120 wrote to memory of 2356	2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe	82
PID 2120 wrote to memory of 2356	2120	18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe	82
PID 2356 wrote to memory of 368	2356	CMD.exe	84
PID 2356 wrote to memory of 368	2356	CMD.exe	84
PID 2356 wrote to memory of 368	2356	CMD.exe	84
PID 2356 wrote to memory of 4392	2356	CMD.exe	88
PID 2356 wrote to memory of 4392	2356	CMD.exe	88
PID 2356 wrote to memory of 4392	2356	CMD.exe	88
PID 2356 wrote to memory of 4520	2356	CMD.exe	89
PID 2356 wrote to memory of 4520	2356	CMD.exe	89
PID 2356 wrote to memory of 4520	2356	CMD.exe	89
PID 2356 wrote to memory of 2788	2356	CMD.exe	93
PID 2356 wrote to memory of 2788	2356	CMD.exe	93
PID 2356 wrote to memory of 2788	2356	CMD.exe	93
PID 2356 wrote to memory of 4736	2356	CMD.exe	98
PID 2356 wrote to memory of 4736	2356	CMD.exe	98
PID 2356 wrote to memory of 4736	2356	CMD.exe	98

C:\Users\Admin\AppData\Local\Temp\18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe
"C:\Users\Admin\AppData\Local\Temp\18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1564
- C:\Windows\SysWOW64\CMD.exe
  CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL "C:\Users\Admin\AppData\Local\Temp\18581765a42fe7f8e905a2f295ef889700a9f8725a4968693607c2ba3d0a6458.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\systeminfo.exe
    SYSTEMINFO
    3⤵
    - Gathers system information
    PID:368
- - C:\Windows\SysWOW64\systeminfo.exe
    SYSTEMINFO
    3⤵
    - Gathers system information
    PID:4392
- - C:\Windows\SysWOW64\systeminfo.exe
    SYSTEMINFO
    3⤵
    - Gathers system information
    PID:4520
- - C:\Windows\SysWOW64\systeminfo.exe
    SYSTEMINFO
    3⤵
    - Gathers system information
    PID:2788
- - C:\Windows\SysWOW64\systeminfo.exe
    SYSTEMINFO
    3⤵
    - Gathers system information
    PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~363405.tmp

Filesize
241B

MD5
8900be58d80ed589dbbc18e2cb116ea0

SHA1
01517d82ad38e38f3e1d020751e1ec7551cca920

SHA256
64943c77ec441cc6741439e15f71c7a61b6013668148c879f816bdd5b4632a1b

SHA512
a2a947174a96c757e19d9e12479255f9c369d747d629bc2545a164f9d04e3be0d4102ee10e728b86626ee63751095e718a1461c128aebee54acb8a58f79b0368

Download Submit
memory/1564-139-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1564-140-0x0000000000A10000-0x0000000000A1F000-memory.dmp

Filesize
60KB

Download
memory/1564-141-0x0000000000A10000-0x0000000000A1F000-memory.dmp

Filesize
60KB

Download
memory/2120-132-0x0000000000A70000-0x0000000000AD2000-memory.dmp

Filesize
392KB

Download
memory/2120-134-0x0000000000660000-0x000000000066F000-memory.dmp

Filesize
60KB

Download
memory/2120-133-0x0000000000630000-0x0000000000634000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads