Overview

overview

8

Static

static

137c77733b...bd.exe

windows7-x64

8

137c77733b...bd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    210s
  • max time network
    250s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe

  • Size

    284KB

  • MD5

    2b86e41c47a73965f31071e9f823a6c5

  • SHA1

    2eeb0f495049d2b17aa7b56fb805afc3e41d722d

  • SHA256

    137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd

  • SHA512

    0df345740ff30b1c75e3c66c7bfd84b8ee914ab7d635741c2e0117178412f7145fc23dcf2a5f9becd2643d3c929c31020bbb3621cee5baa9742a0f15751511cd

  • SSDEEP

    6144:205XASk3NyyIk88dxDxQLVlZAYvRQYThzAZ/x40X2:2gkQyU6xuZ0pCUZrG

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4364
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      1⤵
        PID:4592
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:4920
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3740
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:3508
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3408
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:3340
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  1⤵
                    PID:3232
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                    1⤵
                      PID:776
                    • C:\Windows\Explorer.EXE
                      C:\Windows\Explorer.EXE
                      1⤵
                        PID:2492
                        • C:\Users\Admin\AppData\Local\Temp\137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe
                          "C:\Users\Admin\AppData\Local\Temp\137c77733b784e0b71cf036ae94d28dbde2c75e23e41611854673f0ece187ebd.exe"
                          2⤵
                          • Suspicious use of SetThreadContext
                          • Modifies Internet Explorer settings
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4668
                          • C:\Users\Admin\AppData\Roaming\Uvywwy\feve.exe
                            "C:\Users\Admin\AppData\Roaming\Uvywwy\feve.exe"
                            3⤵
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Adds Run key to start application
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:976
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc5e02f92.bat"
                            3⤵
                              PID:4160
                              • C:\Windows\System32\Conhost.exe
                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                4⤵
                                  PID:1976
                          • C:\Windows\system32\taskhostw.exe
                            taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                            1⤵
                              PID:2872
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                              1⤵
                                PID:2836
                              • C:\Windows\system32\sihost.exe
                                sihost.exe
                                1⤵
                                  PID:2700
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  1⤵
                                    PID:748
                                  • C:\Windows\system32\BackgroundTransferHost.exe
                                    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                    1⤵
                                      PID:1272
                                    • C:\Windows\system32\BackgroundTransferHost.exe
                                      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                      1⤵
                                        PID:796
                                      • C:\Windows\system32\backgroundTaskHost.exe
                                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                        1⤵
                                          PID:792
                                        • C:\Windows\system32\backgroundTaskHost.exe
                                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                          1⤵
                                            PID:4648
                                          • C:\Windows\System32\RuntimeBroker.exe
                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                            1⤵
                                              PID:2888

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Roaming\Reugu\wooni.xyv
                                              Filesize

                                              437B

                                              MD5

                                              43841c5061d2c520fd3c42f29264ccbd

                                              SHA1

                                              a99c4c84835c2ed835a9177f38f53124f16d0b93

                                              SHA256

                                              d8b62fbbab85d2efd72239213092009bcdb6af76b07f5c52c0141961a93f60b6

                                              SHA512

                                              8ebdd83cfefcae8ced0922b7c37ac14a55828a1014448d1b57ee30d30f240a61d28564a28eb5e12d9b4d426d15b99883b0c2ec7c9a70e082dc1c48fa0dba3179

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Uvywwy\feve.exe
                                              Filesize

                                              284KB

                                              MD5

                                              9cbf7fae51411e24b3858cd11bbfb3eb

                                              SHA1

                                              815fe993469bba9f8ebb085b297b061207144782

                                              SHA256

                                              05e706eda34bd1619c7d9f0ee2b1b43ed25081b381c92e610a1b4f0f57417505

                                              SHA512

                                              5ca6b11b8a5420b6ec92575e474784de337d72cd08136473004123ca1e698a262f9a589ed5bf1e81d6c360d0b94d788b239ff4e5c70f8b8cd84201601966beb4

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Uvywwy\feve.exe
                                              Filesize

                                              284KB

                                              MD5

                                              9cbf7fae51411e24b3858cd11bbfb3eb

                                              SHA1

                                              815fe993469bba9f8ebb085b297b061207144782

                                              SHA256

                                              05e706eda34bd1619c7d9f0ee2b1b43ed25081b381c92e610a1b4f0f57417505

                                              SHA512

                                              5ca6b11b8a5420b6ec92575e474784de337d72cd08136473004123ca1e698a262f9a589ed5bf1e81d6c360d0b94d788b239ff4e5c70f8b8cd84201601966beb4

                                              Download Submit

                                            • memory/976-144-0x0000000000400000-0x0000000000449000-memory.dmp

                                              Filesize

                                              292KB

                                              Download

                                            • memory/976-141-0x0000000000400000-0x0000000000449000-memory.dmp

                                              Filesize

                                              292KB

                                              Download

                                            • memory/976-142-0x0000000000560000-0x000000000059E000-memory.dmp

                                              Filesize

                                              248KB

                                              Download

                                            • memory/976-143-0x0000000000400000-0x0000000000449000-memory.dmp

                                              Filesize

                                              292KB

                                              Download

                                            • memory/4160-150-0x0000000000150000-0x0000000000195000-memory.dmp

                                              Filesize

                                              276KB

                                              Download

                                            • memory/4160-148-0x0000000000150000-0x0000000000195000-memory.dmp

                                              Filesize

                                              276KB

                                              Download

                                            • memory/4668-136-0x0000000000400000-0x0000000000449000-memory.dmp

                                              Filesize

                                              292KB

                                              Download

                                            • memory/4668-145-0x00000000023A0000-0x00000000023E5000-memory.dmp

                                              Filesize

                                              276KB

                                              Download

                                            • memory/4668-132-0x0000000000450000-0x000000000048E000-memory.dmp

                                              Filesize

                                              248KB

                                              Download

                                            • memory/4668-135-0x0000000000400000-0x0000000000449000-memory.dmp

                                              Filesize

                                              292KB

                                              Download

                                            • memory/4668-134-0x0000000000400000-0x0000000000449000-memory.dmp

                                              Filesize

                                              292KB

                                              Download

                                            • memory/4668-149-0x00000000023A0000-0x00000000023E5000-memory.dmp

                                              Filesize

                                              276KB

                                              Download

                                            • memory/4668-133-0x0000000000400000-0x0000000000445000-memory.dmp

                                              Filesize

                                              276KB

                                              Download