Overview

overview

7

Static

static

3

443222f1d8...28.exe

windows7-x64

7

443222f1d8...28.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2024, 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    443222f1d827e61fb4b73c1fae9a0528.exe

  • Size

    180KB

  • MD5

    443222f1d827e61fb4b73c1fae9a0528

  • SHA1

    2207d75e418b4821a5d44f6e954d3d1119be47fb

  • SHA256

    f0250e1f1157b212aab1af9c8082ffae5638f8f6140ebe1133e4b31502458d85

  • SHA512

    03a3b2e1fcc94a99c23cf52c47715d3fb24716f520dde01101488effd37190dbb460312a88008cc81cd9ab209203aa1d0115bbd5f61b530c5156cbe68b6f73e3

  • SSDEEP

    3072:D4HThZOlTPKBqpKKOx+LpnGKEqFdH0eJ9E7KHnFhOwJTb:D4tZuP/pJOsFnGlw9fJ9EgFJf

Score
7/10
evasion

Malware Config

Signatures

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3524
      • C:\Users\Admin\AppData\Local\Temp\443222f1d827e61fb4b73c1fae9a0528.exe
        "C:\Users\Admin\AppData\Local\Temp\443222f1d827e61fb4b73c1fae9a0528.exe"
        2⤵
        • Identifies Wine through registry keys
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Users\Admin\AppData\Local\Temp\443222f1d827e61fb4b73c1fae9a0528.exe
          C:\Users\Admin\AppData\Local\Temp\443222f1d827e61fb4b73c1fae9a0528.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1860

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1860-14-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1860-16-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1860-18-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1860-20-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1860-25-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1860-28-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3112-0-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3112-17-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3524-21-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3524-22-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

      Filesize

      4KB

      Download