Analysis
max time kernel: 147s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/12/2022, 11:09
Static task: static1

Behavioral task: behavioral1
  Sample: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  Resource: win10v2004-20220812-en
General
Target: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
Size: 529KB
MD5: 49a84c0fa7e66a7b99dbf78020c563bc
SHA1: 8a863a00444c2e75af0835ed0953476d2dedeb3b
SHA256: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd
SHA512: 068819c7ed1bf9ae33abe9261db12a2855e5315dd0d8ef0ac0c7fc46ac26d41a06a9b584211982a4f16177eb2b4cc414288427e1559ae8da472f18cb211a81df
SSDEEP: 12288:7s4Hzi41sI8+b4KFx0rugmqLig5U0BcfrByu5U0aA3u/gQrfZ4mbpa:7sE6I8g0JmqLxBcByuU0aku/gsfmiA
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid    Process
  4744   WINDOW~1.EXE
  3560   tmp.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description   ioc                                                                        Process
  Key opened    \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine   WINDOW~1.EXE

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Process: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: 9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  3560   tmp.exe
  3560   tmp.exe
  3560   tmp.exe
  3560   tmp.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  4744   WINDOW~1.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid    Process                                                                 procid_target
  PID 4688 wrote to memory of 4744    4688   9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe   80
  PID 4688 wrote to memory of 4744    4688   9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe   80
  PID 4688 wrote to memory of 4744    4688   9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe   80
  PID 4744 wrote to memory of 3560    4744   WINDOW~1.EXE                                                            81
  PID 4744 wrote to memory of 3560    4744   WINDOW~1.EXE                                                            81
  PID 4744 wrote to memory of 3560    4744   WINDOW~1.EXE                                                            81
  PID 3560 wrote to memory of 3008    3560   tmp.exe                                                                 77
  PID 3560 wrote to memory of 3008    3560   tmp.exe                                                                 77
  PID 3560 wrote to memory of 3008    3560   tmp.exe                                                                 77
  PID 3560 wrote to memory of 3008    3560   tmp.exe                                                                 77
  PID 3560 wrote to memory of 3008    3560   tmp.exe                                                                 77
  PID 3560 wrote to memory of 3008    3560   tmp.exe                                                                 77
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3008

   2. C:\Users\Admin\AppData\Local\Temp\9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9acfcdd8f58985bc233182eb265943d53d71bf84dfed630c6bbab336e682fbfd.exe"
      PID: 4688
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
         PID: 4744
         - Executes dropped EXE
         - Identifies Wine through registry keys
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\tmp.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe
            PID: 3560
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 637KB
MD5: b1a83bf1d0eff0a0d58f62baacc3fafb
SHA1: 8acfdb70f2cd48a0d5ee00cb1a5f0fe83520b09e
SHA256: 870ec44f5387929854473cff8de8bd1730a7486f0253571bc9d266f0b78d170e
SHA512: 0b65aa808829cee84acbfd06118396e0f5ec388d2d4f419f4a610a55ddd5909086f6982d184fe203dc7c7bbf8a3576ac0a44875763d48f2e28edd908a80677f4
Filesize: 49KB
MD5: 7a84e09437ad9e1915693deb063c87b4
SHA1: b87fb52154c1cee109ec92582dbf37a94583277f
SHA256: 51edc50a2e9022a66c148bf28067c12dee0127edde2d44ff17672fbbaf64cb4f
SHA512: 9de0e8e54c57ffaf80cb48a98093ae09125ef971fbdb05c134e2076f1db9dd0232eac3bf11420b10fad323877d9c637488abfb15499e8b0fb3fcf2e3aa705ce8