9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd

General

Target

9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
Size

529KB
MD5

49a84c0fa7e66a7b99dbf78020c563bc
SHA1

8a863a00444c2e75af0835ed0953476d2dedeb3b
SHA256

9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd
SHA512

068819c7ed1bf9ae33abe9261db12a2855e5315dd0d8ef0ac0c7fc46ac26d41a06a9b584211982a4f16177eb2b4cc414288427e1559ae8da472f18cb211a81df
SSDEEP

12288:7s4Hzi41sI8+b4KFx0rugmqLig5U0BcfrByu5U0aA3u/gQrfZ4mbpa:7sE6I8g0JmqLxBcByuU0aku/gsfmiA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4744	WINDOW~1.EXE
3560	tmp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	WINDOW~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3560	tmp.exe
3560	tmp.exe
3560	tmp.exe
3560	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4744	WINDOW~1.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 4744	4688	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	80
PID 4688 wrote to memory of 4744	4688	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	80
PID 4688 wrote to memory of 4744	4688	9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe	80
PID 4744 wrote to memory of 3560	4744	WINDOW~1.EXE	81
PID 4744 wrote to memory of 3560	4744	WINDOW~1.EXE	81
PID 4744 wrote to memory of 3560	4744	WINDOW~1.EXE	81
PID 3560 wrote to memory of 3008	3560	tmp.exe	77
PID 3560 wrote to memory of 3008	3560	tmp.exe	77
PID 3560 wrote to memory of 3008	3560	tmp.exe	77
PID 3560 wrote to memory of 3008	3560	tmp.exe	77
PID 3560 wrote to memory of 3008	3560	tmp.exe	77
PID 3560 wrote to memory of 3008	3560	tmp.exe	77

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3008
- C:\Users\Admin\AppData\Local\Temp\9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  "C:\Users\Admin\AppData\Local\Temp\9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
637KB

MD5
b1a83bf1d0eff0a0d58f62baacc3fafb

SHA1
8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e

SHA256
870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e

SHA512
0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
637KB

MD5
b1a83bf1d0eff0a0d58f62baacc3fafb

SHA1
8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e

SHA256
870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e

SHA512
0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
7a84e09437ad9e1915693deb063c87b4

SHA1
b87fb52154c1cee109ec92582dbf37a94583277f

SHA256
51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f

SHA512
9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
49KB

MD5
7a84e09437ad9e1915693deb063c87b4

SHA1
b87fb52154c1cee109ec92582dbf37a94583277f

SHA256
51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f

SHA512
9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8

Download Submit
memory/3008-144-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/3560-145-0x0000000000400000-0x0000000000408010-memory.dmp

Filesize
32KB

Download
memory/3560-146-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4688-134-0x0000000001000000-0x0000000001113550-memory.dmp

Filesize
1.1MB

Download
memory/4688-132-0x0000000001000000-0x0000000001113550-memory.dmp

Filesize
1.1MB

Download
memory/4688-148-0x0000000001000000-0x0000000001113550-memory.dmp

Filesize
1.1MB

Download
memory/4744-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4744-147-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads