d6421cc4b2b9be4adc199425ec171295ed41e8404c905a2bc97926f212e63f44

Analysis

max time kernel
118s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0825cde4201def2377c91aa358ac032f.exe
Size

1.9MB
MD5

0825cde4201def2377c91aa358ac032f
SHA1

47cc2333e6a1fd68747e78efa64f29ce1f717fa0
SHA256

d6421cc4b2b9be4adc199425ec171295ed41e8404c905a2bc97926f212e63f44
SHA512

ad468ee84240342aa25bc7a11b3e13579b65261c78853588845df29ee6da60329e16009baa66ab1f49be6cec051c3b845ab97a659fe8547120555636cfd4d7c7
SSDEEP

49152:J86Aq4etPOPczjNIV9ivI3lH13BlIEc2M0:J8tq4etPOUzJIvdP3BSQ

Score

7^/10

evasion

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2932	temp.exe
1788	temp.exe
1964	temp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine	0825cde4201def2377c91aa358ac032f.exe

Loads dropped DLL 4 IoCs

pid	Process
1080	0825cde4201def2377c91aa358ac032f.exe
1080	0825cde4201def2377c91aa358ac032f.exe
2932	temp.exe
1788	temp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 1788	2932	temp.exe	30
PID 1788 set thread context of 1964	1788	temp.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1080	0825cde4201def2377c91aa358ac032f.exe
1964	temp.exe
1964	temp.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2932	1080	0825cde4201def2377c91aa358ac032f.exe	28
PID 1080 wrote to memory of 2932	1080	0825cde4201def2377c91aa358ac032f.exe	28
PID 1080 wrote to memory of 2932	1080	0825cde4201def2377c91aa358ac032f.exe	28
PID 1080 wrote to memory of 2932	1080	0825cde4201def2377c91aa358ac032f.exe	28
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 2932 wrote to memory of 1788	2932	temp.exe	30
PID 1788 wrote to memory of 1964	1788	temp.exe	29
PID 1788 wrote to memory of 1964	1788	temp.exe	29
PID 1788 wrote to memory of 1964	1788	temp.exe	29
PID 1788 wrote to memory of 1964	1788	temp.exe	29
PID 1788 wrote to memory of 1964	1788	temp.exe	29
PID 1788 wrote to memory of 1964	1788	temp.exe	29
PID 1788 wrote to memory of 1964	1788	temp.exe	29
PID 1788 wrote to memory of 1964	1788	temp.exe	29
PID 1964 wrote to memory of 1368	1964	temp.exe	15
PID 1964 wrote to memory of 1368	1964	temp.exe	15
PID 1964 wrote to memory of 1368	1964	temp.exe	15
PID 1964 wrote to memory of 1368	1964	temp.exe	15
PID 1964 wrote to memory of 1368	1964	temp.exe	15
PID 1964 wrote to memory of 1368	1964	temp.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\0825cde4201def2377c91aa358ac032f.exe
  "C:\Users\Admin\AppData\Local\Temp\0825cde4201def2377c91aa358ac032f.exe"
  2⤵
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\temp.exe
    "C:\Users\Admin\AppData\Local\Temp\temp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\temp.exe
      "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1788

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
123KB

MD5
07d1ac6ea411f52988a83afdfa6ea589

SHA1
3d5c5d6834bf7fcc17b0bf5c652afa904e24dbce

SHA256
8e1da771352c9d688a6bb75d737cfef50931dfd003653a1852786046eca2c1d6

SHA512
4d385f42e1b97decbf6c1fce55793f9f821bd29a801b946a1473912f5c99afa2e352ffe612f7be7062328b802db3c641db2ab379eab22d604b7f9e2a74ac6476

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
64KB

MD5
a8ed6b5a84b1e88dab7189e4b98d6c4d

SHA1
5e766f670b3e357f6d257bfc2689e94de46c9f41

SHA256
ac3bce9ebf3033298224c5c2680eaef07b759e5fb70f47383c864b63624977aa

SHA512
ee8fada3152602e18ce2c72a742a7813d89d2703d8bd45e1494b791b5d8d8229b14050b4ce56168fba8fe09796f01426d297b1d9f86a2e7551fb2123987a15af

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
61KB

MD5
905d9aac63144c5e81145b304e09f206

SHA1
6549dab9fa24d92f4e328a6adcd10c75e767b7ac

SHA256
9a14ccdffee940eb07308b84d6075028cf8b33f1b04c4b842edf516490bf6502

SHA512
b86ec268995dbac2566624edb8b23f21cafd95d9ea5b08b9d152d8e01835bf8f700121c5a1ac91188baaafc043b979fb9ad5b16c44d7cf92faa9aaabee95c17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
87KB

MD5
78855eb244ca261d2a406da0962cf565

SHA1
1fa15a54f0264983270a850a34349ad9895ae0cd

SHA256
ed9899535ba9d1a2264ea996286d164c51433249c95db6ddc827ace77416531a

SHA512
adb4251e0ce35d89cce11091595cbf9b21bc3f093577293b3e5989fba5fafb1f81ec15187aa01185c5623cfe74943e94dd75ddf0bfb49c7285c1213136df5484

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
67KB

MD5
1fdb66ef7ea369e28b4769bd0022c395

SHA1
2ac017e55597e6a4d4e9b898f773501ee6efd8ca

SHA256
5b2748ec452b7f42589216c3299324d4339e84b01c3e674cde2ee45e6edf7b74

SHA512
530cc5876c49ad6c5d327ae56770527197c6033f6bb738905783a0f8147c46ab96b24575df76cebe54847dd420fab6f2a4e0d26c495e74adf6fb6bd1c83134ed

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
364KB

MD5
1712218bdfbea843da95c757391784ea

SHA1
a4966ccde4cac6d4a4158a1aadbc984b2292cfc5

SHA256
84d1fab08ed6e34d69dcf02a1ff09be042d9dee3111a1e1b0b377f1bed25d22f

SHA512
c018883bdd10b4beeeccd19c6746b82fa830d1caddcca0d0b263b971382eff4c9358be796b8778a9f88ad0bea0fa5f95bb5b8f940747a99b26f6206e183b25a3

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
192KB

MD5
10443de8b523fd1023bfb6eb0fd87855

SHA1
aeb86d6932466ec5c610f0c5d88e7ce50e754173

SHA256
f525980318362772cca4a042a9847de878dc0fa2af16d7d502641b537eb3a186

SHA512
cd58479150ab07fe41851711c9e874cb538a4ad155b0b747efb5101da1f51701265483301d9a357b4958a2255fb6c959acf382fa4a39169e8fd042e5e4c8ed83

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
74KB

MD5
b560866ffa3714dd80f8f2eac3a12d5c

SHA1
d6590534de0aab7fc5fd1023a739bd89a75a9785

SHA256
a373942c7cd6dbab86d0ffb91b3739ec41e58869be19bec5e258a7475d743bee

SHA512
268e00f0860e191795580ac2c4b7be335b3d4b3a94b2e427283fdadf6a30b51255566563fd87bca3657404f3647ffd9b7f2836a02670083314116c14246442ff

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
84KB

MD5
db691da6039fc04b99c16ba46ec1d3f8

SHA1
4391721e7faca6779b0364c3f78f260e87d998b9

SHA256
fd5c6bb96e11b0f4dec4b151cd089faf288931a148bedbfc471c493d49a569c5

SHA512
6574562765a093bc804cc61ccb506ffc6e66f9ec63f0312bed4985ef84a551b7f91684636615714a910297e4b65efa48ac8c23978073cb9eadbb5d736d48685c

Download Submit
memory/1080-22-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/1080-9-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/1080-11-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/1080-12-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/1080-19-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/1080-0-0x0000000010000000-0x00000000102F8000-memory.dmp

Filesize
3.0MB

Download
memory/1080-21-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/1080-20-0x0000000004300000-0x0000000004302000-memory.dmp

Filesize
8KB

Download
memory/1080-18-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/1080-17-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/1080-16-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/1080-15-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/1080-13-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/1080-3-0x0000000010000000-0x00000000102F8000-memory.dmp

Filesize
3.0MB

Download
memory/1080-8-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/1080-7-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/1080-31-0x0000000010000000-0x00000000102F8000-memory.dmp

Filesize
3.0MB

Download
memory/1080-33-0x0000000004260000-0x0000000004262000-memory.dmp

Filesize
8KB

Download
memory/1080-6-0x0000000004020000-0x0000000004022000-memory.dmp

Filesize
8KB

Download
memory/1080-1-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1080-5-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1080-32-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/1080-2-0x0000000001B20000-0x0000000001C13000-memory.dmp

Filesize
972KB

Download
memory/1080-4-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/1080-10-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/1368-84-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1368-90-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1788-53-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-39-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-63-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-37-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-41-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-44-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-47-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-62-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1788-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-79-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1788-50-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1964-80-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1964-82-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1964-104-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1964-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1964-81-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1964-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1964-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1964-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2932-35-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2932-61-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download