833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda

Analysis

max time kernel
25s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe
Size

1012KB
MD5

a0262a3772f119d1184f19984f5e59fe
SHA1

e6d056dd7071d31a325d82eb432b0dc4d949d64a
SHA256

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda
SHA512

e9e0cce5b5f1282727970af83178cb970bcbc7cf02ffe12e2ea2d349caeb5102787ba1ff858873edc2d1ea7cce54b4d3efd2df629958756ebc264c1b935ecc73
SSDEEP

24576:m/QShfODWVBg7GHOw9TMQ0Tp2Xqw9f0E7uKM+zK0kPl:m/QSRvYGHRTMtd2XqO0E7uKM+zK5

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine	833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1572-55-0x0000000000400000-0x0000000000614000-memory.dmp	themida
behavioral1/memory/1572-56-0x0000000000400000-0x0000000000614000-memory.dmp	themida
behavioral1/memory/1572-58-0x0000000000400000-0x0000000000614000-memory.dmp	themida
behavioral1/memory/1572-59-0x0000000000400000-0x0000000000614000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

pid process

1572 833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

pid process

1572 833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

pid process

1572 833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

pid process

1572 833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

pid	process
1572	833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe
1572	833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe
1572	833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe
1572	833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe

C:\Users\Admin\AppData\Local\Temp\833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe
"C:\Users\Admin\AppData\Local\Temp\833077d7c6d65b379aa64a0118b30d6769407df0797cb9f22dd9407157174dda.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1572-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1572-55-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/1572-56-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/1572-57-0x0000000003FE0000-0x0000000003FF0000-memory.dmp

Filesize
64KB

Download
memory/1572-58-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/1572-59-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/1572-60-0x0000000003FE0000-0x0000000003FF0000-memory.dmp

Filesize
64KB

Download