c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9

Analysis

max time kernel
29s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 18:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe
Size

798KB
MD5

c3c4403512db4c60b0f1d9dd9f0cadf4
SHA1

64cdae8d8d39779f8ba7d805343f05d23c5d5a86
SHA256

c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9
SHA512

09e6c12d34b79e40c1451c067d6094f401b66c7caea4ec35217e797a289e34610c62ce82cc1c73d9e8dbfb20f4587ec35cd4af120cc46b544b3147d743429059
SSDEEP

12288:sJwILF7o1pGhzMXE/ikCByVIluJnHJuBn5f9kFV4EAxPon4LA:sL7o1cVMXE/6PlIuLu/4PXc

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1440	server.exe
1632	server.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Wine	server.exe

Loads dropped DLL 6 IoCs

pid	Process
1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe
1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe
1440	server.exe
1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe
1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe
1632	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1440	server.exe
1632	server.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1440	server.exe
1440	server.exe
1440	server.exe
1632	server.exe
1632	server.exe
1632	server.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1440	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	28
PID 1156 wrote to memory of 1440	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	28
PID 1156 wrote to memory of 1440	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	28
PID 1156 wrote to memory of 1440	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	28
PID 1156 wrote to memory of 1440	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	28
PID 1156 wrote to memory of 1440	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	28
PID 1156 wrote to memory of 1440	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	28
PID 1440 wrote to memory of 1272	1440	server.exe	11
PID 1440 wrote to memory of 1272	1440	server.exe	11
PID 1440 wrote to memory of 1272	1440	server.exe	11
PID 1440 wrote to memory of 1272	1440	server.exe	11
PID 1440 wrote to memory of 1272	1440	server.exe	11
PID 1440 wrote to memory of 1272	1440	server.exe	11
PID 1156 wrote to memory of 1632	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	29
PID 1156 wrote to memory of 1632	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	29
PID 1156 wrote to memory of 1632	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	29
PID 1156 wrote to memory of 1632	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	29
PID 1156 wrote to memory of 1632	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	29
PID 1156 wrote to memory of 1632	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	29
PID 1156 wrote to memory of 1632	1156	c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe	29
PID 1632 wrote to memory of 1272	1632	server.exe	11
PID 1632 wrote to memory of 1272	1632	server.exe	11
PID 1632 wrote to memory of 1272	1632	server.exe	11
PID 1632 wrote to memory of 1272	1632	server.exe	11
PID 1632 wrote to memory of 1272	1632	server.exe	11
PID 1632 wrote to memory of 1272	1632	server.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe
  "C:\Users\Admin\AppData\Local\Temp\c516e5f1222f9daf95fefc1ded90bc5bfb68a7258ff465ddefb3105254db25f9.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
C:\Users\Admin\AppData\Roaming\addon.dat

Filesize
21KB

MD5
eff96dfabdbd2aa1ef396ccb5e7ff7eb

SHA1
483cff2d412bc43f51f8121e7c04220ed26f74fc

SHA256
ff150c94791f61f9e434932922eb54d42f45bdab562006c167404e431e101b3c

SHA512
d04b7190a5ab3249a5d334e320d9eddfc353281ad65b70a4c067ab00a3cedcecd96af4115c8e11fcb1c90b996adb0b87eea04402a97e331030c2dab8b0d32862

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
1.3MB

MD5
f807824d195f0adf6356a9c3da91e38c

SHA1
9213117f6ad643fac54146cc0e9a62094895926d

SHA256
a324ee3795737322008d9268db56b5172606923a805fbc370d90d06e0e52ff33

SHA512
027e661fcdb5857af1921d2a4db4b30eedccbddb4ef8ad55cb710f9855ffe86a60d9686460e62623943d42e5d5cab236a8442eaf07f445da2bd14e0bae87f8a5

Download Submit
memory/1156-62-0x00000000024D0000-0x0000000002A4A000-memory.dmp

Filesize
5.5MB

Download
memory/1156-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1156-81-0x00000000024D0000-0x0000000002A4A000-memory.dmp

Filesize
5.5MB

Download
memory/1272-69-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1440-63-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/1440-72-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/1440-74-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/1440-65-0x0000000002780000-0x0000000002890000-memory.dmp

Filesize
1.1MB

Download
memory/1440-64-0x0000000001070000-0x00000000015EA000-memory.dmp

Filesize
5.5MB

Download
memory/1440-67-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/1440-73-0x0000000001070000-0x00000000015EA000-memory.dmp

Filesize
5.5MB

Download
memory/1440-68-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1632-82-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/1632-83-0x0000000000ED0000-0x000000000144A000-memory.dmp

Filesize
5.5MB

Download
memory/1632-86-0x0000000002650000-0x0000000002760000-memory.dmp

Filesize
1.1MB

Download
memory/1632-87-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/1632-91-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/1632-92-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download