3bb8b9fdb9d9b8b4d3b13e0165f9719f0bc684863a884ddc24e4d0b72c7dcf27

Analysis

max time kernel
60s
max time network
34s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b8b0fb8d50bf1ee9e51c3173724bb1.exe
Size

1.5MB
MD5

24b8b0fb8d50bf1ee9e51c3173724bb1
SHA1

87f7fa42a267089b9165d96a618acf785f1fc254
SHA256

3bb8b9fdb9d9b8b4d3b13e0165f9719f0bc684863a884ddc24e4d0b72c7dcf27
SHA512

988d28c30c0ff91b319155021a4c625e7819dcf3280e2a31cfe7c21a8b453dff7e59df7459ba331cc032829cf6230722bcad97f56ea0b1ca1bad12b6fa6dc58d
SSDEEP

24576:cOvJxxAOb+LxXfpJHodLgTlrxrpuLTzLxJuCkCQI7udBFwmcT4KJmGv0Y3:cojAOYfpxoNC7etwFCQS8XI1JmGMa

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Wine	24b8b0fb8d50bf1ee9e51c3173724bb1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2252	24b8b0fb8d50bf1ee9e51c3173724bb1.exe
2252	24b8b0fb8d50bf1ee9e51c3173724bb1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1188	2252	24b8b0fb8d50bf1ee9e51c3173724bb1.exe	11
PID 2252 wrote to memory of 1188	2252	24b8b0fb8d50bf1ee9e51c3173724bb1.exe	11
PID 2252 wrote to memory of 1188	2252	24b8b0fb8d50bf1ee9e51c3173724bb1.exe	11
PID 2252 wrote to memory of 1188	2252	24b8b0fb8d50bf1ee9e51c3173724bb1.exe	11
PID 2252 wrote to memory of 1188	2252	24b8b0fb8d50bf1ee9e51c3173724bb1.exe	11
PID 2252 wrote to memory of 1188	2252	24b8b0fb8d50bf1ee9e51c3173724bb1.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\24b8b0fb8d50bf1ee9e51c3173724bb1.exe
  "C:\Users\Admin\AppData\Local\Temp\24b8b0fb8d50bf1ee9e51c3173724bb1.exe"
  2⤵
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-7-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1188-13-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/2252-0-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2252-2-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000001E40000-0x0000000001F8E000-memory.dmp

Filesize
1.3MB

Download
memory/2252-4-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2252-3-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2252-5-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2252-25-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2252-26-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download