Overview

overview

7

Static

static

7

a9a5fd55da...41.exe

windows7-x64

7

a9a5fd55da...41.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    16s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02/12/2022, 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9a5fd55da53435b30d4023e5225de2534ab3246a817f13d9432bb19fd963f41.exe

  • Size

    781KB

  • MD5

    d48727b80839d610f8c36326c5229299

  • SHA1

    bfd1b0e9ca7a6c29f3442a87f2c34a42a427a8fa

  • SHA256

    a9a5fd55da53435b30d4023e5225de2534ab3246a817f13d9432bb19fd963f41

  • SHA512

    99c77479dfe848df6b1e90b5c01a8e1bacf6d830910cfef0d2cf1f27c7d58cbd39c39211d0750652e6a8d79c87bd2d6cf2d7b8e99b05b2d25aa23f80284ddd92

  • SSDEEP

    12288:V+tlzrOrzP9b3Mx0mWdBuVz/1jY1UHlPZOdDoXaIG8XNIUDLVZK37Au:ktlzrOrzV7y0mtz/1GDoaIG8XGsV/u

Score
7/10
evasionthemida

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9a5fd55da53435b30d4023e5225de2534ab3246a817f13d9432bb19fd963f41.exe
    "C:\Users\Admin\AppData\Local\Temp\a9a5fd55da53435b30d4023e5225de2534ab3246a817f13d9432bb19fd963f41.exe"
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1980
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1212-56-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1980-54-0x0000000000400000-0x00000000004C6000-memory.dmp

      Filesize

      792KB

      Download

    • memory/1980-55-0x0000000075521000-0x0000000075523000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1980-59-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1980-60-0x0000000000400000-0x00000000004C6000-memory.dmp

      Filesize

      792KB

      Download