Analysis
- max time kernel: 92s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/12/2023, 16:12
Behavioral task: behavioral1
- Sample: Winner.pw/Winner_Free.exe
- Resource: win7-20231129-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: Winner.pw/Winner_Free.exe
- Resource: win10v2004-20231215-en
- 6 signatures
- 150 seconds
General
- Target: Winner.pw/Winner_Free.exe
- Size: 5.6MB
- MD5: a8133b3fdf3ec104c0f0d503ef6a7ec7
- SHA1: d875876bd027a59b9157a45df00a24ccd505ed20
- SHA256: c3429972cc6d611fa4f940f89624658e3aadc85a681bdcd5adce9bdc6c6d3072
- SHA512: 2734304de246490ff8d3ab0487838afc6cc2abb7cfbc0404860cbb395ba69887c33b802a08d32f8ccd2c6e341e4b5062c3aa27b3de2f4bba3c542d984e4721b1
- SSDEEP: 98304:dV6s5YTnGUIcNAYDtYsvs6zqVXoQW07XlOVZ+dHXn8RXHhxBh7ZM5DBO:dV6s5XUxNAotvsjoQhLGQHuXrEB
- Score: 7/10
Malware Config
Signatures
- YARA rule matches (resource, yara_rule):
  behavioral2/memory/3016-0-0x0000000000E80000-0x0000000001781000-memory.dmp  vmprotect
  behavioral2/memory/3016-4-0x0000000000E80000-0x0000000001781000-memory.dmp  vmprotect
  behavioral2/memory/3016-12-0x0000000000E80000-0x0000000001781000-memory.dmp  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 3016, Process Winner_Free.exe
- Modifies registry class (1 IoC)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings; Process: Winner_Free.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 3016, Process Winner_Free.exe (8 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4664, Process OpenWith.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3016 wrote to memory of 2824; pid 3016; Process Winner_Free.exe; procid_target 92 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Winner.pw\Winner_Free.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Winner.pw\Winner_Free.exe"
  PID: 3016
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c title VaBVQetdB2b99QI7bt62vKy91ASJTtTK18wc3o559eMnkvra28g1h8cRgqzl
    PID: 2824
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4664
  - Suspicious use of SetWindowsHookEx