34236e767db90d8f0754cf71e77ca17cc65a1cc5890402a532758718da03afb6

General

Target

565dce884c9975a9b297c1cc7a858cca.exe
Size

183KB
MD5

565dce884c9975a9b297c1cc7a858cca
SHA1

7539ada7c6f844c8dec0beaf7748130e0f274f10
SHA256

34236e767db90d8f0754cf71e77ca17cc65a1cc5890402a532758718da03afb6
SHA512

51ca735bbac617d195442fa2fd8922f1665d68012b12a7f8c44f305da57ceba2b6a885720991847e0a3aa6954ce76fc35cc98681c17d24e67a7a0cb2a43842b8
SSDEEP

3072:9MSncRzAOcNb3mML5dxNqOooCoDErB0nyde/xTBLfhv:eSncRlcNbl5dLDEBAyUp

Score

7^/10

evasion

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3056	1.EXE
2676	123.EXE
2852	123.EXE

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	123.EXE

Loads dropped DLL 4 IoCs

pid	Process
2088	565dce884c9975a9b297c1cc7a858cca.exe
2088	565dce884c9975a9b297c1cc7a858cca.exe
2088	565dce884c9975a9b297c1cc7a858cca.exe
2676	123.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2852	2676	123.EXE	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2676	123.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3056	2088	565dce884c9975a9b297c1cc7a858cca.exe	28
PID 2088 wrote to memory of 3056	2088	565dce884c9975a9b297c1cc7a858cca.exe	28
PID 2088 wrote to memory of 3056	2088	565dce884c9975a9b297c1cc7a858cca.exe	28
PID 2088 wrote to memory of 3056	2088	565dce884c9975a9b297c1cc7a858cca.exe	28
PID 2088 wrote to memory of 2676	2088	565dce884c9975a9b297c1cc7a858cca.exe	29
PID 2088 wrote to memory of 2676	2088	565dce884c9975a9b297c1cc7a858cca.exe	29
PID 2088 wrote to memory of 2676	2088	565dce884c9975a9b297c1cc7a858cca.exe	29
PID 2088 wrote to memory of 2676	2088	565dce884c9975a9b297c1cc7a858cca.exe	29
PID 2676 wrote to memory of 2852	2676	123.EXE	30
PID 2676 wrote to memory of 2852	2676	123.EXE	30
PID 2676 wrote to memory of 2852	2676	123.EXE	30
PID 2676 wrote to memory of 2852	2676	123.EXE	30
PID 2676 wrote to memory of 2852	2676	123.EXE	30
PID 2676 wrote to memory of 2852	2676	123.EXE	30
PID 2676 wrote to memory of 2852	2676	123.EXE	30
PID 2676 wrote to memory of 2852	2676	123.EXE	30
PID 2676 wrote to memory of 2852	2676	123.EXE	30

C:\Users\Admin\AppData\Local\Temp\565dce884c9975a9b297c1cc7a858cca.exe
"C:\Users\Admin\AppData\Local\Temp\565dce884c9975a9b297c1cc7a858cca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\1.EXE
  "C:\Users\Admin\AppData\Local\Temp\1.EXE"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\123.EXE
  "C:\Users\Admin\AppData\Local\Temp\123.EXE"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\123.EXE
    C:\Users\Admin\AppData\Local\Temp\123.EXE
    3⤵
    - Executes dropped EXE
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.EXE

Filesize
18KB

MD5
79e40b94e774e1ce436b328ee5c33ee9

SHA1
460acf7ce5bcf03a168f892f1e52c90d143e7258

SHA256
1f3db9f654ee52cac88b84605aa2bb22488635ba1b0a8cf9dea8c95e8a2b366a

SHA512
8a8806fc2ba0344b6839d42783a1f564adccfeafa50eb38b84d3c25672fcd7b070de385d1caa37fb5c340330de0c4b35a286fdf2d3513faedf813d0def31e69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.EXE

Filesize
112KB

MD5
4d032927c61f3e001137125e558b1864

SHA1
ee14b3ddc41134a60741b58606eab8e31cca70b3

SHA256
cd559607ff3a62d8efc43296939e5d19e0921d332af5603c64f99d6f112fa1cd

SHA512
d3a7781d3e0cf1dee1de8d9bc07e62a1eeddacda75342920e50cc32d9f661cb54b5f06a9f1bbd61fc652753f0a8a35ab3453d757383000a5032ece069396fa8e

Download Submit
\Users\Admin\AppData\Local\Temp\123.EXE

Filesize
105KB

MD5
c2eec11957911bebac1eeacbc62a7a6e

SHA1
daf1069762a8036cf3966b7b6ff2509935173210

SHA256
e7848b2b51000fa73e84676b8cf59c8786e5fd80a66a09673ff75cb05aa12f1d

SHA512
2799db51bb9842333288d7c7b44a126b17e0adeb3fd67e83464ab42001fb23f4566a3337d2155d5dafad5de29f41d9cb2d111e914c29cc991ddda288f971c4bc

Download Submit
memory/2852-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-26-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-33-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2852-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3056-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3056-16-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/3056-37-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads