8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4

Analysis

max time kernel
93s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4.exe
Size

553KB
MD5

fc804429d1381c8212999ee5ecab2b7a
SHA1

6c5dd7feec886f7d12bebd37f9d25cb5e2d24dfa
SHA256

8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4
SHA512

408087018a562ec12e3f8e3231f1b45f3c1397f5006be8ed6dea3c5070f200e4429ad2bf9fc2254ca962f780c12bb073aca8a6973b0d320739e651474006fda2
SSDEEP

12288:k3vckx07iUSU4ax5j3xePx+IsP/1Jid6G14:k3vckxeSXax5jBQxufidH6

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
516	960	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 516	960	8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4.exe	28
PID 960 wrote to memory of 516	960	8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4.exe	28
PID 960 wrote to memory of 516	960	8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4.exe	28
PID 960 wrote to memory of 516	960	8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4.exe	28

C:\Users\Admin\AppData\Local\Temp\8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4.exe
"C:\Users\Admin\AppData\Local\Temp\8ac365bc939394ff868fe0f4ba2e32b033e12a0dd3b5986f031d3102c8082eb4.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 264
  2⤵
  - Program crash
  PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-54-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/960-56-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads