bcec9b6176d1d01198623ebbf89a87eb8ad2e8157e7cf2e84eb14d2d68b55e9a

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcec9b6176d1d01198623ebbf89a87eb8ad2e8157e7cf2e84eb14d2d68b55e9a.dll
Size

1.9MB
MD5

2154df36029b74258b328d7e448f8f37
SHA1

b04a56d7ee7978cf7e3eb132c9efff8dcf38a6c9
SHA256

bcec9b6176d1d01198623ebbf89a87eb8ad2e8157e7cf2e84eb14d2d68b55e9a
SHA512

8e479d0243683bfbf2b03bc02a8ecfbee501cb3f1467bcbd210ee492656379826093ea16317712e448bd8f9547c325257d28b1317f479a2990e902487c8a855b
SSDEEP

24576:ELeMBrg2O9r0MwAZqU7SuTm987+W5pzvKaN8+yg851AIilofd/b+cb8cn+ivFrf:EePwAZqU7SukO+0pj8ng8fAKKcwfOZf

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Wine rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Wine	rundll32.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/440-133-0x0000000000400000-0x00000000005F1000-memory.dmp	themida
behavioral2/memory/440-136-0x0000000000400000-0x00000000005F1000-memory.dmp	themida

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4396 wrote to memory of 440	4396	rundll32.exe	rundll32.exe
PID 4396 wrote to memory of 440	4396	rundll32.exe	rundll32.exe
PID 4396 wrote to memory of 440	4396	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bcec9b6176d1d01198623ebbf89a87eb8ad2e8157e7cf2e84eb14d2d68b55e9a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bcec9b6176d1d01198623ebbf89a87eb8ad2e8157e7cf2e84eb14d2d68b55e9a.dll,#1
2⤵
- Identifies Wine through registry keys
PID:440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/440-132-0x0000000000000000-mapping.dmp

Download
memory/440-133-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/440-134-0x0000000002890000-0x000000000292D000-memory.dmp

Filesize
628KB

Download
memory/440-135-0x0000000002A70000-0x0000000002C0E000-memory.dmp

Filesize
1.6MB

Download
memory/440-136-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download