Overview

overview

10

Static

static

7

86335b1a45...31.exe

windows7-x64

10

86335b1a45...31.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    166s
  • max time network
    211s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 21:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86335b1a4569b3c541ab4b8700b9619d7656377e2782cedc33a61f1aa71df331.exe

  • Size

    2.1MB

  • MD5

    cea81ff610a60c5d610cbb560f3ac11c

  • SHA1

    3c156b23350bb3aeb792b34501e4451f378c867e

  • SHA256

    86335b1a4569b3c541ab4b8700b9619d7656377e2782cedc33a61f1aa71df331

  • SHA512

    c431645c2ec3749f7cbe49737772efab5b4c5ece382babd15a679fb9605c5f4eda56f2c7377bf2cd2ef21eafdf8c2f2b713882ff9f7fe05740e4f947a2a27919

  • SSDEEP

    24576:++EcNtJQgTwgdBRjutVZwkjSaXdxnWLGxHuLAaBmvlCUDUSqf88oG7MiRh68MiCb:FNHbTxkhWLwH+38vxgDaN3CN+

Score
10/10
evasionpersistencethemida

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 4 IoCs
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86335b1a4569b3c541ab4b8700b9619d7656377e2782cedc33a61f1aa71df331.exe
    "C:\Users\Admin\AppData\Local\Temp\86335b1a4569b3c541ab4b8700b9619d7656377e2782cedc33a61f1aa71df331.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\net.exe
        net stop "Security Center"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
            PID:764
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net stop SharedAccess
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\net.exe
          net stop SharedAccess
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SharedAccess
            4⤵
              PID:1964
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
          2⤵
            PID:1112
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
              3⤵
              • Modifies security service
              PID:1704
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1068
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
              3⤵
              • Modifies security service
              PID:1476

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Windows\SysWOW64\MSWINSCK.OCX
          Filesize

          105KB

          MD5

          9484c04258830aa3c2f2a70eb041414c

          SHA1

          b242a4fb0e9dcf14cb51dc36027baff9a79cb823

          SHA256

          bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

          SHA512

          9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

          Download Submit

        • \Windows\SysWOW64\MSWINSCK.OCX
          Filesize

          105KB

          MD5

          9484c04258830aa3c2f2a70eb041414c

          SHA1

          b242a4fb0e9dcf14cb51dc36027baff9a79cb823

          SHA256

          bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

          SHA512

          9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

          Download Submit

        • \Windows\SysWOW64\MSWINSCK.OCX
          Filesize

          105KB

          MD5

          9484c04258830aa3c2f2a70eb041414c

          SHA1

          b242a4fb0e9dcf14cb51dc36027baff9a79cb823

          SHA256

          bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

          SHA512

          9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

          Download Submit

        • \Windows\SysWOW64\MSWINSCK.OCX
          Filesize

          105KB

          MD5

          9484c04258830aa3c2f2a70eb041414c

          SHA1

          b242a4fb0e9dcf14cb51dc36027baff9a79cb823

          SHA256

          bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

          SHA512

          9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

          Download Submit

        • memory/764-73-0x0000000000000000-mapping.dmp

          Download

        • memory/856-66-0x0000000000000000-mapping.dmp

          Download

        • memory/904-69-0x0000000000000000-mapping.dmp

          Download

        • memory/1068-67-0x0000000000000000-mapping.dmp

          Download

        • memory/1072-68-0x0000000000000000-mapping.dmp

          Download

        • memory/1112-65-0x0000000000000000-mapping.dmp

          Download

        • memory/1476-70-0x0000000000000000-mapping.dmp

          Download

        • memory/1704-71-0x0000000000000000-mapping.dmp

          Download

        • memory/1904-63-0x0000000000000000-mapping.dmp

          Download

        • memory/1964-74-0x0000000000000000-mapping.dmp

          Download

        • memory/2012-64-0x0000000000000000-mapping.dmp

          Download

        • memory/2040-54-0x0000000000400000-0x0000000000887000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/2040-58-0x0000000000400000-0x0000000000887000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/2040-72-0x0000000075A31000-0x0000000075A33000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2040-57-0x0000000000400000-0x0000000000887000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/2040-75-0x0000000000400000-0x0000000000887000-memory.dmp

          Filesize

          4.5MB

          Download