82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715

Analysis

max time kernel
225s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe
Size

921KB
MD5

9fdd78f392b72b603acb0158fb1c4cd8
SHA1

ee199a4156ff5e1eb8ef19fd336f4ea592309ad3
SHA256

82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715
SHA512

3cea0b92d8feeb80594f2f334e24e36911a08b0596caf3cf2bc36f314b0120832ffa60d191331b6cb2e2ac348116d39127f7a66610e6558cb60e939b3bf5e280
SSDEEP

24576:MD6YMwAfJAFF6B0rGkvRVuLhMaXVTFF3CflX70IXSLO:M+YMwOJAF02JGhtXtFFSflL0I

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/692-54-0x0000000000400000-0x000000000060B000-memory.dmp	themida
behavioral1/memory/692-58-0x0000000000400000-0x000000000060B000-memory.dmp	themida
behavioral1/memory/692-57-0x0000000000400000-0x000000000060B000-memory.dmp	themida
behavioral1/memory/692-59-0x0000000000400000-0x000000000060B000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
692	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 1968	692	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
692	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1968	692	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe	28
PID 692 wrote to memory of 1968	692	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe	28
PID 692 wrote to memory of 1968	692	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe	28
PID 692 wrote to memory of 1968	692	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe	28
PID 692 wrote to memory of 1968	692	82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe	28

C:\Users\Admin\AppData\Local\Temp\82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe
"C:\Users\Admin\AppData\Local\Temp\82da4a4da65b8fae047c3149739ddc74313ecece31be94465b84ac8f0612d715.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe
  2⤵
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-54-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/692-58-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/692-57-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/692-59-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download