f5084f292d647ae69a0922f689b2328d39f637135ae3282ec2cef6baca38211f

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23246a3acadfd45f89fc3428246fef7e.exe
Size

464KB
MD5

23246a3acadfd45f89fc3428246fef7e
SHA1

1b86d30f64e315200bb4f00b703a1d613a2abf48
SHA256

f5084f292d647ae69a0922f689b2328d39f637135ae3282ec2cef6baca38211f
SHA512

0a27554c0d074f29b4032d7d2e6d4db2a151b19eb1485b310158cc3d9107e14cca94135d29e37ab092fdce09505da6db6f22efac9bba84e508067e5570547072
SSDEEP

6144:8UHZdhk2joAg1MP3rq11wF5Nr3gSD3Wez0aiJSv4pXmwNxNWBiVHQgykozWKecAm:5ZkEDg1MfIwdwSDWez/vOzxNlwgP3K

Score

7^/10

evasion

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2256	fixweb.exe
2748	fixweb.exe
1124	fixweb.exe
1768	fixweb.exe
1760	fixweb.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	23246a3acadfd45f89fc3428246fef7e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	fixweb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	fixweb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	fixweb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	fixweb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	fixweb.exe

Loads dropped DLL 10 IoCs

pid	Process
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2256	fixweb.exe
2256	fixweb.exe
2748	fixweb.exe
2748	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1768	fixweb.exe
1768	fixweb.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fixweb.exe	23246a3acadfd45f89fc3428246fef7e.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	23246a3acadfd45f89fc3428246fef7e.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2408	23246a3acadfd45f89fc3428246fef7e.exe
2256	fixweb.exe
2256	fixweb.exe
2256	fixweb.exe
2256	fixweb.exe
2256	fixweb.exe
2256	fixweb.exe
2748	fixweb.exe
2748	fixweb.exe
2748	fixweb.exe
2748	fixweb.exe
2748	fixweb.exe
2748	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1124	fixweb.exe
1768	fixweb.exe
1768	fixweb.exe
1768	fixweb.exe
1768	fixweb.exe
1768	fixweb.exe
1768	fixweb.exe
1760	fixweb.exe
1760	fixweb.exe
1760	fixweb.exe
1760	fixweb.exe
1760	fixweb.exe
1760	fixweb.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2256	2408	23246a3acadfd45f89fc3428246fef7e.exe	28
PID 2408 wrote to memory of 2256	2408	23246a3acadfd45f89fc3428246fef7e.exe	28
PID 2408 wrote to memory of 2256	2408	23246a3acadfd45f89fc3428246fef7e.exe	28
PID 2408 wrote to memory of 2256	2408	23246a3acadfd45f89fc3428246fef7e.exe	28
PID 2256 wrote to memory of 2748	2256	fixweb.exe	29
PID 2256 wrote to memory of 2748	2256	fixweb.exe	29
PID 2256 wrote to memory of 2748	2256	fixweb.exe	29
PID 2256 wrote to memory of 2748	2256	fixweb.exe	29
PID 2748 wrote to memory of 1124	2748	fixweb.exe	32
PID 2748 wrote to memory of 1124	2748	fixweb.exe	32
PID 2748 wrote to memory of 1124	2748	fixweb.exe	32
PID 2748 wrote to memory of 1124	2748	fixweb.exe	32
PID 1124 wrote to memory of 1768	1124	fixweb.exe	33
PID 1124 wrote to memory of 1768	1124	fixweb.exe	33
PID 1124 wrote to memory of 1768	1124	fixweb.exe	33
PID 1124 wrote to memory of 1768	1124	fixweb.exe	33
PID 1768 wrote to memory of 1760	1768	fixweb.exe	34
PID 1768 wrote to memory of 1760	1768	fixweb.exe	34
PID 1768 wrote to memory of 1760	1768	fixweb.exe	34
PID 1768 wrote to memory of 1760	1768	fixweb.exe	34

C:\Users\Admin\AppData\Local\Temp\23246a3acadfd45f89fc3428246fef7e.exe
"C:\Users\Admin\AppData\Local\Temp\23246a3acadfd45f89fc3428246fef7e.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\fixweb.exe
  C:\Windows\system32\fixweb.exe -bai C:\Users\Admin\AppData\Local\Temp\23246a3acadfd45f89fc3428246fef7e.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\fixweb.exe
    C:\Windows\system32\fixweb.exe -bai C:\Windows\SysWOW64\fixweb.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\fixweb.exe
      C:\Windows\system32\fixweb.exe -bai C:\Windows\SysWOW64\fixweb.exe
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Windows\SysWOW64\fixweb.exe
        
        C:\Windows\system32\fixweb.exe -bai C:\Windows\SysWOW64\fixweb.exe
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\SysWOW64\fixweb.exe
        
        C:\Windows\system32\fixweb.exe -bai C:\Windows\SysWOW64\fixweb.exe
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fixweb.exe

Filesize
91KB

MD5
a6e1422ff4c26fc5e8c30a35bc999b4e

SHA1
7b0d38b9fdcc31ebd163d9f46cf744e6c130da54

SHA256
8444e64961bd1e230b1d102390b778ea7794af4d02b35576016b8703d05cda2e

SHA512
ccb4fe90d1469a8951c223c46c39e2542116b50e7d309983aefbf08cd1909ab4abacc620e4013036a0e6f8b386e04a699f7fb01408f8ddb4257c7de01f81989e

Download Submit
\Windows\SysWOW64\fixweb.exe

Filesize
382KB

MD5
7924626b7da4f3f41605cddb1ea65bf0

SHA1
640c6489f535de55ebcd0606e9e7ff1a43b738ca

SHA256
0b017e504eaa70df1d518d4b40f1095dbbc9e034e2a9a9e970ab70955f133970

SHA512
67f802e851c910094aa453a05057ef53a1aefff7fa7f877c5320c52c356dfc4b8c8af689bf30ad6f582a6dbd2b1956b1a7ea571451270c2f844d6a220e4fd269

Download Submit
\Windows\SysWOW64\fixweb.exe

Filesize
90KB

MD5
2794c153ec7c23c281c89436c3b1231e

SHA1
1e489b0db142db4acc5724aeb08284b1736cf314

SHA256
9acacd0a19e27a459fcfb0d65f27c8852fe1d6f908197c76f713480386b6ca2a

SHA512
a11cc6b00a35ed2b8675e942138d811ab896b4087014c2eb0bd0fcfdc08ba3c7077ac05e2d913d4c7a3b0469fbb4dbd920a3696ce05dd6d596b26c78f1973794

Download Submit
\Windows\SysWOW64\fixweb.exe

Filesize
33KB

MD5
9836c718111b265fccbb0d3318c880bf

SHA1
0f36934c2622e8f45f93893e1f7ca32fe3ccfd1a

SHA256
028ccaf79c5e29b2f60de897bd0de5bd90b8d142577267a54c5c22631e5740ab

SHA512
26776efe918309c84e8cc8da9ce57c3c2e120915fa45ee30b06adb32194bb31bc97f894e9fcc3088b9942213f39f102c084ca2c393d8d33d380f5251a303893b

Download Submit
\Windows\SysWOW64\fixweb.exe

Filesize
42KB

MD5
559d6a2f4d5fa5b7f5ab17eea3dbe81d

SHA1
ac3ec3b7c0aac5d0e01e5c144d3dcb31285e0046

SHA256
58471ae7b2be122b6bc129bf41a5fbb6bf73bc0fb2ad3a718d1837807308f666

SHA512
083af669367630781bfad32c204a86ab5094b2e0c11dfee8766e82714df2d3d9a4b9c2756b4930f0a12a880213f667df18315e66b3be0a3be5ff9c7fc9281fca

Download Submit
\Windows\SysWOW64\fixweb.exe

Filesize
381KB

MD5
d25dfb2aede70f6d252e80db966fef2e

SHA1
0791a32652fd6d12a0c4ea90923759fca542724b

SHA256
b8816f2ffe4665925d8635aa3803ad272299f500d0653d9f9732e90d47146687

SHA512
b47e613ac7b9707a438630583b397bce805af7f88d23392ad5887a48a4f7cb3357c9472a6539a095785551a3a92fb0cc9bd234bc55cab46f7f1c0d3fa9b8b2d5

Download Submit
memory/1124-76-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/1124-67-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1124-80-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1124-84-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1124-78-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1124-72-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/1124-70-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/1124-69-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

Filesize
8KB

Download
memory/1124-68-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/1124-81-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1124-66-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1124-75-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/1124-71-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/1124-79-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1124-77-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/1124-73-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/1124-74-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/1760-122-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1760-120-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1768-90-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/1768-105-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1768-86-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1768-101-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1768-99-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1768-91-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1768-87-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1768-89-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1768-88-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2256-24-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2256-41-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2256-40-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2256-39-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2256-37-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2256-34-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2256-35-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2256-36-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/2256-31-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2256-32-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/2256-44-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2256-25-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/2256-26-0x0000000002080000-0x0000000002082000-memory.dmp

Filesize
8KB

Download
memory/2256-27-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/2256-28-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2256-29-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/2256-30-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2256-23-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2408-20-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2408-38-0x0000000004330000-0x000000000451E000-memory.dmp

Filesize
1.9MB

Download
memory/2408-6-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/2408-5-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/2408-4-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/2408-3-0x0000000003C90000-0x0000000003C92000-memory.dmp

Filesize
8KB

Download
memory/2408-2-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/2408-1-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2408-9-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/2408-8-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2408-7-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2408-22-0x0000000004330000-0x000000000451E000-memory.dmp

Filesize
1.9MB

Download
memory/2408-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2408-19-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/2408-13-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/2408-12-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/2748-64-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2748-60-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2748-53-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/2748-52-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/2748-51-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2748-50-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/2748-49-0x0000000003C90000-0x0000000003C92000-memory.dmp

Filesize
8KB

Download
memory/2748-48-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2748-47-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2748-46-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2748-55-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/2748-54-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2748-57-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/2748-56-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/2748-58-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2748-59-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2748-61-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download