700762ce4332608df6077f688e52a6f173b44f27d55b8ad9b94373f58b604f8b

Analysis

max time kernel
45s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 03:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bd189fa981a2c4c493a6689a0c4405e.exe
Size

424KB
MD5

3bd189fa981a2c4c493a6689a0c4405e
SHA1

f1d5a5c54c241c8b899fdaee9199221faf8d55db
SHA256

700762ce4332608df6077f688e52a6f173b44f27d55b8ad9b94373f58b604f8b
SHA512

4fd48d1d09238c6a81958b2999d3774a8927458c3174bb1526577636120d93626f4aeef7c615105e57359d72ad718b4fc0fd96f6b0c0b6b4316ffb631813d1fd
SSDEEP

12288:XTpKfPdYo/zz/3ZHSCMvsl2mnlnOVRPMRG:alJ/xSCM0HZlRG

Score

7^/10

evasion

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1724	msn.exe
2280	msn.exe
2084	msn.exe
576	msn.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	3bd189fa981a2c4c493a6689a0c4405e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	msn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	msn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	msn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	msn.exe

Loads dropped DLL 8 IoCs

pid	Process
2028	3bd189fa981a2c4c493a6689a0c4405e.exe
2028	3bd189fa981a2c4c493a6689a0c4405e.exe
1724	msn.exe
1724	msn.exe
2280	msn.exe
2280	msn.exe
2084	msn.exe
2084	msn.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msn.exe	msn.exe
File created	C:\Windows\SysWOW64\msn.exe	msn.exe
File opened for modification	C:\Windows\SysWOW64\msn.exe	msn.exe
File created	C:\Windows\SysWOW64\msn.exe	msn.exe
File opened for modification	C:\Windows\SysWOW64\msn.exe	msn.exe
File created	C:\Windows\SysWOW64\msn.exe	msn.exe
File created	C:\Windows\SysWOW64\msn.exe	3bd189fa981a2c4c493a6689a0c4405e.exe
File opened for modification	C:\Windows\SysWOW64\msn.exe	3bd189fa981a2c4c493a6689a0c4405e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1724	2028	3bd189fa981a2c4c493a6689a0c4405e.exe	15
PID 2028 wrote to memory of 1724	2028	3bd189fa981a2c4c493a6689a0c4405e.exe	15
PID 2028 wrote to memory of 1724	2028	3bd189fa981a2c4c493a6689a0c4405e.exe	15
PID 2028 wrote to memory of 1724	2028	3bd189fa981a2c4c493a6689a0c4405e.exe	15
PID 1724 wrote to memory of 2280	1724	msn.exe	29
PID 1724 wrote to memory of 2280	1724	msn.exe	29
PID 1724 wrote to memory of 2280	1724	msn.exe	29
PID 1724 wrote to memory of 2280	1724	msn.exe	29
PID 2280 wrote to memory of 2084	2280	msn.exe	30
PID 2280 wrote to memory of 2084	2280	msn.exe	30
PID 2280 wrote to memory of 2084	2280	msn.exe	30
PID 2280 wrote to memory of 2084	2280	msn.exe	30
PID 2084 wrote to memory of 576	2084	msn.exe	31
PID 2084 wrote to memory of 576	2084	msn.exe	31
PID 2084 wrote to memory of 576	2084	msn.exe	31
PID 2084 wrote to memory of 576	2084	msn.exe	31

C:\Users\Admin\AppData\Local\Temp\3bd189fa981a2c4c493a6689a0c4405e.exe
"C:\Users\Admin\AppData\Local\Temp\3bd189fa981a2c4c493a6689a0c4405e.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\msn.exe
  C:\Windows\system32\msn.exe 656 "C:\Users\Admin\AppData\Local\Temp\3bd189fa981a2c4c493a6689a0c4405e.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\msn.exe
    C:\Windows\system32\msn.exe 696 "C:\Windows\SysWOW64\msn.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\msn.exe
      C:\Windows\system32\msn.exe 688 "C:\Windows\SysWOW64\msn.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\msn.exe
        
        C:\Windows\system32\msn.exe 700 "C:\Windows\SysWOW64\msn.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:576
      - C:\Windows\SysWOW64\msn.exe
        
        C:\Windows\system32\msn.exe 704 "C:\Windows\SysWOW64\msn.exe"
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\msn.exe
        
        C:\Windows\system32\msn.exe 712 "C:\Windows\SysWOW64\msn.exe"
        7⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\msn.exe
        
        C:\Windows\system32\msn.exe 716 "C:\Windows\SysWOW64\msn.exe"
        8⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\msn.exe
        
        C:\Windows\system32\msn.exe 708 "C:\Windows\SysWOW64\msn.exe"
        9⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\msn.exe
        
        C:\Windows\system32\msn.exe 720 "C:\Windows\SysWOW64\msn.exe"
        10⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\msn.exe
        
        C:\Windows\system32\msn.exe 724 "C:\Windows\SysWOW64\msn.exe"
        11⤵
        
        PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msn.exe

Filesize
424KB

MD5
3bd189fa981a2c4c493a6689a0c4405e

SHA1
f1d5a5c54c241c8b899fdaee9199221faf8d55db

SHA256
700762ce4332608df6077f688e52a6f173b44f27d55b8ad9b94373f58b604f8b

SHA512
4fd48d1d09238c6a81958b2999d3774a8927458c3174bb1526577636120d93626f4aeef7c615105e57359d72ad718b4fc0fd96f6b0c0b6b4316ffb631813d1fd

Download Submit
memory/576-120-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1724-38-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/1724-37-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/1724-42-0x0000000003C70000-0x0000000003C72000-memory.dmp

Filesize
8KB

Download
memory/1724-46-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/1724-51-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1724-41-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/1724-40-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/1724-39-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/1724-47-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1724-43-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/1724-36-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/1724-35-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/1724-34-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/1724-33-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/1724-32-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

Filesize
8KB

Download
memory/1724-31-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/1724-30-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/1724-29-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1724-27-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1868-214-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2028-0-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2028-18-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/2028-11-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2028-10-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/2028-9-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2028-8-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/2028-7-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/2028-6-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2028-5-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/2028-4-0x0000000003D10000-0x0000000003D12000-memory.dmp

Filesize
8KB

Download
memory/2028-3-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/2028-2-0x0000000003C70000-0x0000000003C71000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2028-13-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2028-17-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/2028-45-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2028-28-0x00000000047C0000-0x0000000004906000-memory.dmp

Filesize
1.3MB

Download
memory/2028-26-0x00000000047C0000-0x0000000004906000-memory.dmp

Filesize
1.3MB

Download
memory/2028-12-0x0000000003CB0000-0x0000000003CB2000-memory.dmp

Filesize
8KB

Download
memory/2084-79-0x0000000003C00000-0x0000000003C02000-memory.dmp

Filesize
8KB

Download
memory/2084-75-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2084-94-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2084-77-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2084-78-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/2084-80-0x0000000003D10000-0x0000000003D12000-memory.dmp

Filesize
8KB

Download
memory/2084-81-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/2084-82-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2084-83-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2084-84-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/2280-56-0x0000000003D10000-0x0000000003D12000-memory.dmp

Filesize
8KB

Download
memory/2280-64-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2280-53-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2280-69-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2280-70-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2280-55-0x0000000000880000-0x0000000000882000-memory.dmp

Filesize
8KB

Download
memory/2280-68-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2280-57-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/2280-58-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2280-59-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/2280-60-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/2280-54-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2280-61-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/2280-62-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2280-76-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2280-74-0x00000000046D0000-0x0000000004816000-memory.dmp

Filesize
1.3MB

Download
memory/2280-63-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2280-65-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/2280-52-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2280-66-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2472-238-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2564-192-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2816-167-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/3020-142-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads