8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b

General

Target

8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
Size

1.9MB
MD5

9ab5316f8ee1944cc840f1f36f0c8994
SHA1

5319af8e4de0418241e8fa875fb6810b928049a5
SHA256

8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b
SHA512

1832be33a9701149bd80a503208b698202c19d07449f7e960e3cbb22732df446afa1de2cea1cbdc5bfe9c298770e980f076f1a3f5717f39a0a40c256a833678c
SSDEEP

49152:ZKDtHkYWvPfiVlemyn/xNzZiBEoKx1SYao:Zut/cPf8le9/xtoEoKTOo

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1048-54-0x0000000000400000-0x00000000007CB000-memory.dmp	themida
behavioral1/memory/1048-56-0x0000000000400000-0x00000000007CB000-memory.dmp	themida
behavioral1/memory/1048-65-0x0000000000400000-0x00000000007CB000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 816	1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
816	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
816	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 816	1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	28
PID 1048 wrote to memory of 816	1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	28
PID 1048 wrote to memory of 816	1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	28
PID 1048 wrote to memory of 816	1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	28
PID 1048 wrote to memory of 816	1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	28
PID 1048 wrote to memory of 816	1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	28
PID 1048 wrote to memory of 816	1048	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	28
PID 816 wrote to memory of 1276	816	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	16
PID 816 wrote to memory of 1276	816	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	16
PID 816 wrote to memory of 1276	816	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	16
PID 816 wrote to memory of 1276	816	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe	16

C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
"C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
  C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:816

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/816-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/816-72-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/816-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/816-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/816-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/816-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1048-57-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1048-65-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/1048-66-0x0000000004500000-0x00000000048CB000-memory.dmp

Filesize
3.8MB

Download
memory/1048-54-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/1048-56-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/1048-55-0x00000000020F0000-0x000000000227B000-memory.dmp

Filesize
1.5MB

Download
memory/1276-69-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads