9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd

Analysis

max time kernel
41s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
Size

529KB
MD5

49a84c0fa7e66a7b99dbf78020c563bc
SHA1

8a863a00444c2e75af0835ed0953476d2dedeb3b
SHA256

9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd
SHA512

068819c7ed1bf9ae33abe9261db12a2855e5315dd0d8ef0ac0c7fc46ac26d41a06a9b584211982a4f16177eb2b4cc414288427e1559ae8da472f18cb211a81df
SSDEEP

12288:7s4Hzi41sI8+b4KFx0rugmqLig5U0BcfrByu5U0aA3u/gQrfZ4mbpa:7sE6I8g0JmqLxBcByuU0aku/gsfmiA

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1968	WINDOW~1.EXE
1868	tmp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Wine	WINDOW~1.EXE

Loads dropped DLL 6 IoCs

pid	Process
2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
1968	WINDOW~1.EXE
1968	WINDOW~1.EXE
1968	WINDOW~1.EXE
1868	tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1868	tmp.exe
1868	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	WINDOW~1.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1968	2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	27
PID 2040 wrote to memory of 1968	2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	27
PID 2040 wrote to memory of 1968	2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	27
PID 2040 wrote to memory of 1968	2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	27
PID 2040 wrote to memory of 1968	2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	27
PID 2040 wrote to memory of 1968	2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	27
PID 2040 wrote to memory of 1968	2040	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	27
PID 1968 wrote to memory of 1868	1968	WINDOW~1.EXE	28
PID 1968 wrote to memory of 1868	1968	WINDOW~1.EXE	28
PID 1968 wrote to memory of 1868	1968	WINDOW~1.EXE	28
PID 1968 wrote to memory of 1868	1968	WINDOW~1.EXE	28
PID 1968 wrote to memory of 1868	1968	WINDOW~1.EXE	28
PID 1968 wrote to memory of 1868	1968	WINDOW~1.EXE	28
PID 1968 wrote to memory of 1868	1968	WINDOW~1.EXE	28
PID 1868 wrote to memory of 1212	1868	tmp.exe	15
PID 1868 wrote to memory of 1212	1868	tmp.exe	15
PID 1868 wrote to memory of 1212	1868	tmp.exe	15
PID 1868 wrote to memory of 1212	1868	tmp.exe	15
PID 1868 wrote to memory of 1212	1868	tmp.exe	15
PID 1868 wrote to memory of 1212	1868	tmp.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  "C:\Users\Admin\AppData\Local\Temp\9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
637KB

MD5
b1a83bf1d0eff0a0d58f62baacc3fafb

SHA1
8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e

SHA256
870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e

SHA512
0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
637KB

MD5
b1a83bf1d0eff0a0d58f62baacc3fafb

SHA1
8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e

SHA256
870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e

SHA512
0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
7a84e09437ad9e1915693deb063c87b4

SHA1
b87fb52154c1cee109ec92582dbf37a94583277f

SHA256
51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f

SHA512
9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
7a84e09437ad9e1915693deb063c87b4

SHA1
b87fb52154c1cee109ec92582dbf37a94583277f

SHA256
51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f

SHA512
9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
637KB

MD5
b1a83bf1d0eff0a0d58f62baacc3fafb

SHA1
8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e

SHA256
870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e

SHA512
0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
637KB

MD5
b1a83bf1d0eff0a0d58f62baacc3fafb

SHA1
8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e

SHA256
870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e

SHA512
0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
637KB

MD5
b1a83bf1d0eff0a0d58f62baacc3fafb

SHA1
8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e

SHA256
870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e

SHA512
0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
7a84e09437ad9e1915693deb063c87b4

SHA1
b87fb52154c1cee109ec92582dbf37a94583277f

SHA256
51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f

SHA512
9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
7a84e09437ad9e1915693deb063c87b4

SHA1
b87fb52154c1cee109ec92582dbf37a94583277f

SHA256
51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f

SHA512
9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
7a84e09437ad9e1915693deb063c87b4

SHA1
b87fb52154c1cee109ec92582dbf37a94583277f

SHA256
51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f

SHA512
9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8

Download Submit
memory/1212-83-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1868-82-0x0000000000400000-0x0000000000408010-memory.dmp

Filesize
32KB

Download
memory/1868-84-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1968-70-0x0000000000230000-0x00000000002C7000-memory.dmp

Filesize
604KB

Download
memory/1968-88-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1968-69-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1968-90-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1968-89-0x0000000000230000-0x00000000002C7000-memory.dmp

Filesize
604KB

Download
memory/1968-80-0x00000000040B0000-0x00000000040B9000-memory.dmp

Filesize
36KB

Download
memory/1968-81-0x00000000040B0000-0x00000000040B9000-memory.dmp

Filesize
36KB

Download
memory/2040-65-0x0000000000370000-0x0000000000484000-memory.dmp

Filesize
1.1MB

Download
memory/2040-66-0x0000000001000000-0x0000000001113550-memory.dmp

Filesize
1.1MB

Download
memory/2040-56-0x0000000001000000-0x0000000001113550-memory.dmp

Filesize
1.1MB

Download
memory/2040-55-0x0000000001000000-0x0000000001113550-memory.dmp

Filesize
1.1MB

Download
memory/2040-87-0x0000000000370000-0x0000000000484000-memory.dmp

Filesize
1.1MB

Download
memory/2040-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/2040-68-0x0000000000370000-0x0000000000407000-memory.dmp

Filesize
604KB

Download
memory/2040-67-0x0000000000370000-0x0000000000407000-memory.dmp

Filesize
604KB

Download
memory/2040-91-0x0000000001000000-0x0000000001113550-memory.dmp

Filesize
1.1MB

Download