e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d

Analysis

max time kernel
29s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe
Size

2.4MB
MD5

8c3dd58f0ae830da072858d3b875c194
SHA1

328df464d6464f187005fc3a04ad81a225afc8d1
SHA256

e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d
SHA512

7f72a9665ba7a2ecedc0c313616e83c504b91f7cdad565e785347df9070fee2a72370087183aaa92cd759da36849a37ed7cc21b676d4fbf36adc41ee2044c52e
SSDEEP

49152:/owKvLLXCD4cStcZwzPo7SW4XXWE5klZFgGwQqwBDMTn5zJS+DLrSUFIC:ZKvLrZntcZ57SW4HWE6Dt1DMtz4+D3Fp

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Wine	e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1952-54-0x0000000000400000-0x00000000008AF000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

pid process

1952 e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

pid process

1952 e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

pid process

1952 e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

pid process

1952 e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

pid	process
1952	e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

pid	process
1952	e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

pid	process
1952	e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

pid	process
1952	e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe

C:\Users\Admin\AppData\Local\Temp\e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe
"C:\Users\Admin\AppData\Local\Temp\e537e89d31d7a4ff6d93d7822263535090fdfd5e6fe9997a2238c00d08d9e40d.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-54-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/1952-55-0x0000000002160000-0x0000000002244000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads