e5114f662af3a39a4ae63c76114d85d9547080c83827793e9698b29230c2fc80

Analysis

max time kernel
251s
max time network
283s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71e05b99d44d365c79abcc6768a6b43.exe
Size

1.3MB
MD5

f71e05b99d44d365c79abcc6768a6b43
SHA1

9dcbbea8625869120269f3d739298d5bd31e40df
SHA256

e5114f662af3a39a4ae63c76114d85d9547080c83827793e9698b29230c2fc80
SHA512

c5c3eba02f4b10b2d91bd7baf6498a633f3f04602bb680069feafbe45fcfbeffa60b1e81bfb764f61bcbd74a257ea955a5b618c5d655db6ef23b0a59042cc1f5
SSDEEP

24576:QJdZ4sfgjpehjdGfbEsnsG2tIVm8Tx32jGo+CUoPTU2bjIweST+meBF0jG4Qv:IdOsYIJYfbQG2tIFT1hKYzSTZI0jwv

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Wine	f71e05b99d44d365c79abcc6768a6b43.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-1-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-30-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-31-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-32-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-34-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-35-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-36-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-37-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-38-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-39-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-40-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-41-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-42-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-43-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-44-0x0000000000400000-0x0000000000703000-memory.dmp	themida
behavioral1/memory/2936-45-0x0000000000400000-0x0000000000703000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2936	f71e05b99d44d365c79abcc6768a6b43.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2936	f71e05b99d44d365c79abcc6768a6b43.exe

C:\Users\Admin\AppData\Local\Temp\f71e05b99d44d365c79abcc6768a6b43.exe
"C:\Users\Admin\AppData\Local\Temp\f71e05b99d44d365c79abcc6768a6b43.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2936-0-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-1-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-15-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2936-25-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/2936-24-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/2936-23-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/2936-22-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/2936-26-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/2936-27-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2936-21-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/2936-20-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/2936-19-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2936-18-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/2936-17-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/2936-16-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2936-14-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/2936-13-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2936-12-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2936-11-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/2936-10-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/2936-9-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2936-8-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2936-7-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/2936-6-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/2936-5-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/2936-4-0x0000000004220000-0x0000000004222000-memory.dmp

Filesize
8KB

Download
memory/2936-3-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/2936-2-0x0000000004250000-0x0000000004252000-memory.dmp

Filesize
8KB

Download
memory/2936-29-0x0000000004430000-0x0000000004432000-memory.dmp

Filesize
8KB

Download
memory/2936-28-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/2936-30-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-31-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-32-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-33-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2936-34-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-35-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-36-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-37-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-38-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-39-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-40-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-41-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-42-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-43-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-44-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/2936-45-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download