Analysis
max time kernel: 41s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 04/12/2022, 11:09
Static task: static1
Behavioral task: behavioral1
  Sample: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  Resource: win10v2004-20220812-en
General
Target: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
Size: 529KB
MD5: 49a84c0fa7e66a7b99dbf78020c563bc
SHA1: 8a863a00444c2e75af0835ed0953476d2dedeb3b
SHA256: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd
SHA512: 068819c7ed1bf9ae33abe9261db12a2855e5315dd0d8ef0ac0c7fc46ac26d41a06a9b584211982a4f16177eb2b4cc414288427e1559ae8da472f18cb211a81df
SSDEEP: 12288:7s4Hzi41sI8+b4KFx0rugmqLig5U0BcfrByu5U0aA3u/gQrfZ4mbpa:7sE6I8g0JmqLxBcByuU0aku/gsfmiA
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  1968  WINDOW~1.EXE
  1868  tmp.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Description  IoC                                                                         Process
  Key opened   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Wine  WINDOW~1.EXE
Loads dropped DLL (6 IoCs)
  PID   Process
  2040  9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  2040  9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  1968  WINDOW~1.EXE
  1968  WINDOW~1.EXE
  1968  WINDOW~1.EXE
  1868  tmp.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Process: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  1868  tmp.exe
  1868  tmp.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  1968  WINDOW~1.EXE
Suspicious use of WriteProcessMemory (20 IoCs)
Twenty entries across three distinct writer/target pairs:
  Description                       PID   Process                                                                 procid_target  Entries
  PID 2040 wrote to memory of 1968  2040  9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe  27             7
  PID 1968 wrote to memory of 1868  1968  WINDOW~1.EXE                                                            28             7
  PID 1868 wrote to memory of 1212  1868  tmp.exe                                                                 15             6
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1212
    [2] C:\Users\Admin\AppData\Local\Temp\9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2040
        [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 1968
            [4] C:\Users\Admin\AppData\Local\Temp\tmp.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                PID: 1868
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 637KB
MD5: b1a83bf1d0eff0a0d58f62baacc3fafb
SHA1: 8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e
SHA256: 870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e
SHA512: 0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4
Filesize: 49KB
MD5: 7a84e09437ad9e1915693deb063c87b4
SHA1: b87fb52154c1cee109ec92582dbf37a94583277f
SHA256: 51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f
SHA512: 9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8