34236e767db90d8f0754cf71e77ca17cc65a1cc5890402a532758718da03afb6

Analysis

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

565dce884c9975a9b297c1cc7a858cca.exe
Size

183KB
MD5

565dce884c9975a9b297c1cc7a858cca
SHA1

7539ada7c6f844c8dec0beaf7748130e0f274f10
SHA256

34236e767db90d8f0754cf71e77ca17cc65a1cc5890402a532758718da03afb6
SHA512

51ca735bbac617d195442fa2fd8922f1665d68012b12a7f8c44f305da57ceba2b6a885720991847e0a3aa6954ce76fc35cc98681c17d24e67a7a0cb2a43842b8
SSDEEP

3072:9MSncRzAOcNb3mML5dxNqOooCoDErB0nyde/xTBLfhv:eSncRlcNbl5dLDEBAyUp

Score

7^/10

evasion

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	565dce884c9975a9b297c1cc7a858cca.exe

Executes dropped EXE 3 IoCs

pid	Process
396	1.EXE
4628	123.EXE
744	123.EXE

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	123.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4628 set thread context of 744	4628	123.EXE	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4552	396	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4628	123.EXE
4628	123.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 396	1556	565dce884c9975a9b297c1cc7a858cca.exe	89
PID 1556 wrote to memory of 396	1556	565dce884c9975a9b297c1cc7a858cca.exe	89
PID 1556 wrote to memory of 396	1556	565dce884c9975a9b297c1cc7a858cca.exe	89
PID 1556 wrote to memory of 4628	1556	565dce884c9975a9b297c1cc7a858cca.exe	90
PID 1556 wrote to memory of 4628	1556	565dce884c9975a9b297c1cc7a858cca.exe	90
PID 1556 wrote to memory of 4628	1556	565dce884c9975a9b297c1cc7a858cca.exe	90
PID 4628 wrote to memory of 744	4628	123.EXE	101
PID 4628 wrote to memory of 744	4628	123.EXE	101
PID 4628 wrote to memory of 744	4628	123.EXE	101
PID 4628 wrote to memory of 744	4628	123.EXE	101
PID 4628 wrote to memory of 744	4628	123.EXE	101
PID 4628 wrote to memory of 744	4628	123.EXE	101
PID 4628 wrote to memory of 744	4628	123.EXE	101
PID 4628 wrote to memory of 744	4628	123.EXE	101

C:\Users\Admin\AppData\Local\Temp\565dce884c9975a9b297c1cc7a858cca.exe
"C:\Users\Admin\AppData\Local\Temp\565dce884c9975a9b297c1cc7a858cca.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\1.EXE
  "C:\Users\Admin\AppData\Local\Temp\1.EXE"
  2⤵
  - Executes dropped EXE
  PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 644
    3⤵
    - Program crash
    PID:4552
- C:\Users\Admin\AppData\Local\Temp\123.EXE
  "C:\Users\Admin\AppData\Local\Temp\123.EXE"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\123.EXE
    C:\Users\Admin\AppData\Local\Temp\123.EXE
    3⤵
    - Executes dropped EXE
    PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 396 -ip 396
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.EXE

Filesize
18KB

MD5
79e40b94e774e1ce436b328ee5c33ee9

SHA1
460acf7ce5bcf03a168f892f1e52c90d143e7258

SHA256
1f3db9f654ee52cac88b84605aa2bb22488635ba1b0a8cf9dea8c95e8a2b366a

SHA512
8a8806fc2ba0344b6839d42783a1f564adccfeafa50eb38b84d3c25672fcd7b070de385d1caa37fb5c340330de0c4b35a286fdf2d3513faedf813d0def31e69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.EXE

Filesize
112KB

MD5
4d032927c61f3e001137125e558b1864

SHA1
ee14b3ddc41134a60741b58606eab8e31cca70b3

SHA256
cd559607ff3a62d8efc43296939e5d19e0921d332af5603c64f99d6f112fa1cd

SHA512
d3a7781d3e0cf1dee1de8d9bc07e62a1eeddacda75342920e50cc32d9f661cb54b5f06a9f1bbd61fc652753f0a8a35ab3453d757383000a5032ece069396fa8e

Download Submit
memory/744-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/744-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/744-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/744-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download