8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
Size

1.9MB
MD5

9ab5316f8ee1944cc840f1f36f0c8994
SHA1

5319af8e4de0418241e8fa875fb6810b928049a5
SHA256

8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b
SHA512

1832be33a9701149bd80a503208b698202c19d07449f7e960e3cbb22732df446afa1de2cea1cbdc5bfe9c298770e980f076f1a3f5717f39a0a40c256a833678c
SSDEEP

49152:ZKDtHkYWvPfiVlemyn/xNzZiBEoKx1SYao:Zut/cPf8le9/xtoEoKTOo

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4980-132-0x0000000000400000-0x00000000007CB000-memory.dmp	themida
behavioral2/memory/4980-134-0x0000000000400000-0x00000000007CB000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4980	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4964	4980	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4980	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
4980	8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe

C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe
"C:\Users\Admin\AppData\Local\Temp\8d2af3026b71c490e309099704021c9e547edd2edbe01db813921e84a350fd0b.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 532
  2⤵
  - Program crash
  PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4980 -ip 4980
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4980-132-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/4980-133-0x00000000026A0000-0x000000000282B000-memory.dmp

Filesize
1.5MB

Download
memory/4980-134-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download