ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1

Analysis

max time kernel
182s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1.exe
Size

973KB
MD5

7bf025e09b0a5e99c5349c33aaeb3101
SHA1

c8f4613dc16d80db47198a770f7c15d9c64ec46f
SHA256

ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1
SHA512

556b59f3f71e66667c9457b96f0fe1418fe5542ca996f5f4f8ade64a26cd9788b417c8cfd2b97ceaa41766c2581ac3085d84d2b051ed79408af53a9d67942080
SSDEEP

24576:iZnAIbyyb7U/5NTWHsroyWkL2/bvxHSTPBYY/85jIIu+cBvkVnj+BCv:iWIpSWghTL2/bvEP+l5xRK

Score

7^/10

bootkit evasion persistence

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine	ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3360	ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3360	ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1.exe
3360	ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1.exe

C:\Users\Admin\AppData\Local\Temp\ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1.exe
"C:\Users\Admin\AppData\Local\Temp\ee4bd658ccacc1a176b5daf4dfffca13e938f23569dddc5076d4c5ea4bef43a1.exe"
1⤵
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3360-132-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3360-133-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3360-134-0x0000000004780000-0x0000000004783000-memory.dmp

Filesize
12KB

Download
memory/3360-135-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3360-136-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3360-137-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download