613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe
Size

824KB
MD5

ed43fdf053dbf8135a3aebcce6e3aed5
SHA1

044f5d25b5b50463e55db0e42659b67c6cf00f98
SHA256

613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5
SHA512

d3ad217134daa45d090d7960e6d72cf8ee8aca0af8b8b08e96d5fe36eef83b4f44a4527a6c6c2af4c34407e08668eeeab675ed3c1ba34aedc3ee0f8070f6d3d6
SSDEEP

12288:1owN3u10J02aN7qNxwf7R2bjw4LOTRJHJNs4Q5PmOArn9X4zO:1oy3q0J87kAoM42HJNhQFmOArnP

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wine	613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Wine	613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4564	1696	WerFault.exe	83
640	1696	WerFault.exe	83
916	1696	WerFault.exe	83
4496	1696	WerFault.exe	83
436	1696	WerFault.exe	83
2808	1696	WerFault.exe	83
2416	1696	WerFault.exe	83
3476	1696	WerFault.exe	83
2504	1696	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1696	613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe
1696	613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1696	613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe
1696	613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe

C:\Users\Admin\AppData\Local\Temp\613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe
"C:\Users\Admin\AppData\Local\Temp\613ec645ea3aa2fd611c763edf15706114291e1a4a09756b6a298597c02ce7c5.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1044
  2⤵
  - Program crash
  PID:4564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1304
  2⤵
  - Program crash
  PID:640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1328
  2⤵
  - Program crash
  PID:916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1328
  2⤵
  - Program crash
  PID:4496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1372
  2⤵
  - Program crash
  PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1456
  2⤵
  - Program crash
  PID:2808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1548
  2⤵
  - Program crash
  PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1584
  2⤵
  - Program crash
  PID:3476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1300
  2⤵
  - Program crash
  PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1696 -ip 1696
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1696 -ip 1696
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1696 -ip 1696
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1696 -ip 1696
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1696 -ip 1696
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1696 -ip 1696
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1696 -ip 1696
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1696 -ip 1696
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1696 -ip 1696
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-0-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1696-1-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1696-2-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1696-3-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1696-6-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1696-10-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1696-12-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1696-14-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1696-16-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download