Analysis
- max time kernel: 141s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 07:03
Behavioral task
- behavioral1
  - Sample: 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
  - Resource: win7-20220812-en (windows7-x64)
  - 15 signatures
  - 150 seconds
General
- Target: 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
- Size: 919KB
- MD5: 460f7f13dcf4910c982fbd2faaf4b9f7
- SHA1: 93f37b5851afa3be62abff689c275fd905e17779
- SHA256: 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58
- SHA512: 6d5aeaaf82faa5b0b4d11bc10e0fa65294876724f8d9629a2f619368c517449bfb7e725006b725d30134e9da5fa84f27888252b72a2a7555f62138a005e8735e
- SSDEEP: 24576:A4rA2sfoujTvsJ0RxhK2fZ++GkNtRFEDw7fzU9BVzKTc:AqFaxhKowpkNtRFEUjgPVzoc
Malware Config
Signatures
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine | 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/2356-132-0x0000000000400000-0x00000000004F4000-memory.dmp | themida
- Program crash (5 IoCs)
  Processes:
  pid | pid_target | process | target process
  3504 | 2356 | WerFault.exe | 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
  3412 | 2356 | WerFault.exe | 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
  4888 | 2356 | WerFault.exe | 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
  4548 | 2356 | WerFault.exe | 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
  4620 | 2356 | WerFault.exe | 8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8096e1296e9cc0b913101fd79eddda037ae513c9973f07066270abf3fb3d0b58.exe"
  - Identifies Wine through registry keys
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 436
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 444
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 524
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 448
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 528
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2356 -ip 2356
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2356 -ip 2356
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2356 -ip 2356
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2356 -ip 2356
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2356 -ip 2356
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2356 -ip 2356
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2356-132-0x0000000000400000-0x00000000004F4000-memory.dmp
  Filesize: 976KB