019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe
Size

2.6MB
MD5

6174f1c61a30552b58e2e747d7815cd5
SHA1

465ae65cc7a59d88ec5dc1109bf3be37349c92e2
SHA256

019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab
SHA512

7c27c4195af45156250103bdd9264c82606d4f22fb2b84c9c5bcdc5af66281d89c38f1b3cd5198db877294dd3e78c4af10644bb4495fad105e7022972f6fc2b3
SSDEEP

49152:SqA6pDItQ7XxeZ0EW8W/ATyvcO4z1Pq3eAQm:SqFDEiAWvcOuPq3eAJ

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Wine	019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe
Key opened	\REGISTRY\MACHINE\Software\Wine	019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1444	019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe
1444	019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2532	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1444	019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe
1444	019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe

C:\Users\Admin\AppData\Local\Temp\019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe
"C:\Users\Admin\AppData\Local\Temp\019fb19f194def75f942718737a1d691a9a2eee5f571429e9494a1feec3eecab.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
4253299b1eb5628ce934689a81989c3a

SHA1
92a2506a7d784bb0bd17dff3beda3bd1217d0e85

SHA256
0e2bcc4abbd5b3cda35e9e236d98b895452b8905d379fcea0805e6a7242eff5d

SHA512
27cf9eecbf4d5037a61e056a421858939f760d3491697972cc922c372dc9fe42b75d20f42b891d1f490d6fb4f28d32f4605f19e6d722596b96d498633689eb62

Download Submit
memory/1444-0-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1444-1-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1444-2-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1444-4-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1444-8-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1444-11-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2532-51-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-55-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-46-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-47-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-48-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-49-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-50-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-29-0x000002185DC40000-0x000002185DC50000-memory.dmp

Filesize
64KB

Download
memory/2532-52-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-53-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-54-0x0000021866240000-0x0000021866241000-memory.dmp

Filesize
4KB

Download
memory/2532-45-0x0000021866210000-0x0000021866211000-memory.dmp

Filesize
4KB

Download
memory/2532-56-0x0000021865E60000-0x0000021865E61000-memory.dmp

Filesize
4KB

Download
memory/2532-57-0x0000021865E50000-0x0000021865E51000-memory.dmp

Filesize
4KB

Download
memory/2532-59-0x0000021865E60000-0x0000021865E61000-memory.dmp

Filesize
4KB

Download
memory/2532-62-0x0000021865E50000-0x0000021865E51000-memory.dmp

Filesize
4KB

Download
memory/2532-65-0x0000021865D90000-0x0000021865D91000-memory.dmp

Filesize
4KB

Download
memory/2532-13-0x000002185DB40000-0x000002185DB50000-memory.dmp

Filesize
64KB

Download
memory/2532-77-0x0000021865F90000-0x0000021865F91000-memory.dmp

Filesize
4KB

Download
memory/2532-79-0x0000021865FA0000-0x0000021865FA1000-memory.dmp

Filesize
4KB

Download
memory/2532-80-0x0000021865FA0000-0x0000021865FA1000-memory.dmp

Filesize
4KB

Download