88d79f9889049980c16ef5cc1bdc53c868d530894d366e91d86214f66a90f2f4

General

Target

Comprovante-09234449093-id-000000000000001923344.exe
Size

1.4MB
MD5

261ca0b0b8ece29e7d98179d40899055
SHA1

3feb513fc2e5e10c13d3014c92f4566c1a01e8f8
SHA256

1e09308bb03de3f0174544bf085fa092f5f813a1269368223612b1582a8f7f5d
SHA512

5329c1f418d075812fefb76efb9c697c9fcacc919b1c92d7d5e057e5108f5b288934279e593b61d5c1dbaa233ae5c79fcfdc8f7e32dc0667a8bed3ae5e8d847e
SSDEEP

24576:+JQClUUHMwWaHdCGoBKd7s+V3eb9zlpWqBvp5Y0sZqt2tbZNqY+fYJkR/HPOijC+:gQ8rswnHdCGeKBsEeb1lnYp6YoYq/v0+

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Comprovante-09234449093-id-000000000000001923344.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine	Comprovante-09234449093-id-000000000000001923344.exe

Program crash 25 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4480	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1208	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
3248	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
3120	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
2252	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1344	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1976	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
3564	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
2180	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
2764	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1148	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1028	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1908	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
764	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
3872	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
5000	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1672	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1320	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
5108	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
3488	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
1900	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
756	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
772	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
2212	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe
3232	3300	WerFault.exe	Comprovante-09234449093-id-000000000000001923344.exe

C:\Users\Admin\AppData\Local\Temp\Comprovante-09234449093-id-000000000000001923344.exe
"C:\Users\Admin\AppData\Local\Temp\Comprovante-09234449093-id-000000000000001923344.exe"
1⤵
- Identifies Wine through registry keys
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 276
2⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 320
2⤵
- Program crash
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 296
2⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 500
2⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 332
2⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 320
2⤵
- Program crash
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 504
2⤵
- Program crash
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 512
2⤵
- Program crash
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 488
2⤵
- Program crash
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 496
2⤵
- Program crash
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 332
2⤵
- Program crash
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 480
2⤵
- Program crash
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 500
2⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 492
2⤵
- Program crash
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 480
2⤵
- Program crash
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 512
2⤵
- Program crash
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 500
2⤵
- Program crash
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 332
2⤵
- Program crash
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 528
2⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 544
2⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 564
2⤵
- Program crash
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 580
2⤵
- Program crash
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 600
2⤵
- Program crash
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 596
2⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 576
2⤵
- Program crash
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3300 -ip 3300
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3300 -ip 3300
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3300 -ip 3300
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3300 -ip 3300
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3300 -ip 3300
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3300 -ip 3300
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3300 -ip 3300
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3300 -ip 3300
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3300 -ip 3300
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3300 -ip 3300
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3300 -ip 3300
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3300 -ip 3300
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3300 -ip 3300
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3300 -ip 3300
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3300 -ip 3300
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3300 -ip 3300
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3300 -ip 3300
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3300 -ip 3300
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3300 -ip 3300
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3300 -ip 3300
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3300 -ip 3300
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3300 -ip 3300
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3300 -ip 3300
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3300 -ip 3300
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3300 -ip 3300
1⤵
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3300-132-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3300-133-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3300-134-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3300-135-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads