c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9

General

Target

c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe
Size

2.4MB
MD5

a1d81bb6ab3d1f86cca94e5b8d1d3d37
SHA1

26a0e87725b16cb9f596bd95efb00806889665da
SHA256

c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9
SHA512

c94b35b3dd64ee66d4e7326c85655e29df87def5062a88fd3a84841ac595be0d33bf2d3ac7a86859715f4c52fd3e80353fefccf09a4292a0651517234011182a
SSDEEP

49152:VqTmJkMbVZhS9l9etTaT0gktfLheuGrm5okVqAz8fL6pOG:VCIirstTK6ePq5iAe6gG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
220	server.exe
2804	server.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
220	server.exe
2804	server.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
220	server.exe
220	server.exe
220	server.exe
220	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 220	1804	c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe	82
PID 1804 wrote to memory of 220	1804	c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe	82
PID 1804 wrote to memory of 220	1804	c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe	82
PID 220 wrote to memory of 1108	220	server.exe	42
PID 220 wrote to memory of 1108	220	server.exe	42
PID 220 wrote to memory of 1108	220	server.exe	42
PID 220 wrote to memory of 1108	220	server.exe	42
PID 220 wrote to memory of 1108	220	server.exe	42
PID 220 wrote to memory of 1108	220	server.exe	42
PID 1804 wrote to memory of 2804	1804	c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe	83
PID 1804 wrote to memory of 2804	1804	c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe	83
PID 1804 wrote to memory of 2804	1804	c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe	83
PID 2804 wrote to memory of 1108	2804	server.exe	42
PID 2804 wrote to memory of 1108	2804	server.exe	42
PID 2804 wrote to memory of 1108	2804	server.exe	42
PID 2804 wrote to memory of 1108	2804	server.exe	42
PID 2804 wrote to memory of 1108	2804	server.exe	42
PID 2804 wrote to memory of 1108	2804	server.exe	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe
  "C:\Users\Admin\AppData\Local\Temp\c0444aa8c343a5c221eefac21fc4e3351d33e2d88dcb0c594607a8183e0ffec9.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
2.7MB

MD5
e8ed2a94c0dd10ff89691a27c8d577e2

SHA1
d016903b42592aabd2fe4d30d9e46f6700f44566

SHA256
d558d6e96701d7adf0935c7461e9b55738debe6c84f07abf0466ef919ea57b60

SHA512
9607aebc42d65ee329d0ea97fe6cd61abaa47f10ee5b4c1ebfcaab6865c8387b47b6c4e3e55c383f1bfc8dd343c1b3e2928f541bff3be304285ca197347652a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
2.7MB

MD5
e8ed2a94c0dd10ff89691a27c8d577e2

SHA1
d016903b42592aabd2fe4d30d9e46f6700f44566

SHA256
d558d6e96701d7adf0935c7461e9b55738debe6c84f07abf0466ef919ea57b60

SHA512
9607aebc42d65ee329d0ea97fe6cd61abaa47f10ee5b4c1ebfcaab6865c8387b47b6c4e3e55c383f1bfc8dd343c1b3e2928f541bff3be304285ca197347652a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
2.7MB

MD5
e8ed2a94c0dd10ff89691a27c8d577e2

SHA1
d016903b42592aabd2fe4d30d9e46f6700f44566

SHA256
d558d6e96701d7adf0935c7461e9b55738debe6c84f07abf0466ef919ea57b60

SHA512
9607aebc42d65ee329d0ea97fe6cd61abaa47f10ee5b4c1ebfcaab6865c8387b47b6c4e3e55c383f1bfc8dd343c1b3e2928f541bff3be304285ca197347652a5

Download Submit
C:\Users\Admin\AppData\Roaming\addon.dat

Filesize
23KB

MD5
8c3ee377e21588b9c86087c4be51eccf

SHA1
3bf532f85be314d3f2f1a6f311f266e6bb86cd2a

SHA256
10c53349ff28e073709e7f001bca1c3c8374b470f917244b9dbebccf5721edb9

SHA512
e3828dd717f45af26d4b5849b279f366eaf4077ca2aeb01a70d31f0c542af2d1f4308a97f15c7d7eb3126d355a56f40b8255e65e4302e23bbb50b11c119c314b

Download Submit
memory/220-140-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/220-142-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/220-143-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1108-141-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/1804-132-0x0000000001000000-0x00000000014CE55D-memory.dmp

Filesize
4.8MB

Download
memory/1804-136-0x0000000001000000-0x00000000014CE55D-memory.dmp

Filesize
4.8MB

Download
memory/1804-134-0x0000000001000000-0x00000000014CE55D-memory.dmp

Filesize
4.8MB

Download
memory/1804-133-0x0000000001000000-0x00000000014CE55D-memory.dmp

Filesize
4.8MB

Download
memory/1804-150-0x0000000001000000-0x00000000014CE55D-memory.dmp

Filesize
4.8MB

Download
memory/2804-146-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download
memory/2804-149-0x0000000000400000-0x00000000006BD000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads