8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850

General

Target

8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
Size

396KB
MD5

5328ae97cf6d14c37b1e22e32c65d790
SHA1

06a0c7df8801e8de881215905c85ae0b953799aa
SHA256

8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850
SHA512

d0cc06a61fb9f8280ce9a6811cbf33d312aff4e1b062ae8ec6c1b634bf98692af092d9e41e9bee7ce4ba3c6992e9fe1ad7f8fa0f87b7613b7698c1cd734abdc2
SSDEEP

6144:kwuK/7e2njWUrrZzNrtV5knaZS0pl22RTHT6tQD44btL0oLEaqHP4RO8QWoSwaP:k/KpWYl5nxZvlRbT66DbBxvQWoSw

Score

8^/10

evasion persistence upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1896-62-0x0000000000400000-0x000000000050C000-memory.dmp	upx
behavioral1/memory/1992-64-0x0000000000400000-0x000000000050C000-memory.dmp	upx
behavioral1/memory/1896-71-0x0000000000400000-0x000000000050C000-memory.dmp	upx
behavioral1/memory/1992-72-0x0000000000400000-0x000000000050C000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
Key opened	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Wine	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1992	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1992	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1992	1896	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe	27
PID 1896 wrote to memory of 1992	1896	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe	27
PID 1896 wrote to memory of 1992	1896	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe	27
PID 1896 wrote to memory of 1992	1896	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe	27
PID 1896 wrote to memory of 1372	1896	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe	15
PID 1896 wrote to memory of 1372	1896	8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba296160b0a3426899c2167ef537ccc567d8046ad34cfadf42bc304164c4850.exe"
    3⤵
    - Identifies Wine through registry keys
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-69-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1896-62-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1896-71-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1896-63-0x0000000001F90000-0x000000000209C000-memory.dmp

Filesize
1.0MB

Download
memory/1896-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1992-59-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-61-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-60-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-58-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-64-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1992-65-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-66-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-67-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-68-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-57-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/1992-72-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads