Analysis
max time kernel: 145s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 14/01/2024, 13:46
Behavioral task: behavioral1
Sample: 5b64beac3ccc5e930abc126acb321f69.exe
Resource: win7-20231215-en

General
Target: 5b64beac3ccc5e930abc126acb321f69.exe
Size: 1.4MB
MD5: 5b64beac3ccc5e930abc126acb321f69
SHA1: af5e1e302babb0c8ace3b32e62939b5a384fc995
SHA256: f28ab8cbbb965f2322c5d9f027ce225fef5711a3d39bbc346a225e889e15c927
SHA512: f12b15c0cb36d4b44ea808656a0e5d047a439951f78ef4d5f9ccac7c2a58bea0c9e7ba964a8b0e265202e39c3f6bf8ebd8ee70b2d731bc9765a10af22ff94730
SSDEEP: 24576:yUWfZRRQEuIrvUhrTNn9MLATTajzu7fBCd8IGDlKSwwrTEzy1xeFSWQ01i2ZuhTT:tWb9qrTrTTE6rlQSwwrQzyDN+i2qd
Signatures
Detect Lumma Stealer payload V4 (16 IoCs)
Modifies security service (2 TTPs, 22 IoCs)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" by regedit.exe (11 of the 22 IoCs)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" by regedit.exe (11 of the 22 IoCs)
A Start value of 4 is SERVICE_DISABLED: the imported .reg file disables Security Center (wscsvc) and Windows Update (wuauserv), and the write is repeated by every regedit.exe instance in the process tree.
Executes dropped EXE (10 IoCs)
sound.exe, PIDs 2260, 1692, 2324, 1796, 2276, 1512, 1820, 1556, 472, 1756
Identifies Wine through registry keys (2 TTPs, 11 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine by sound.exe (10 IoCs) and by 5b64beac3ccc5e930abc126acb321f69.exe (1 IoC)
Loads dropped DLL (20 IoCs)
5b64beac3ccc5e930abc126acb321f69.exe PID 616 and sound.exe PIDs 2260, 1692, 2324, 1796, 2276, 1512, 1820, 1556, 472 (two IoCs per process)
Themida-packed (yara rule themida, 25 IoCs)
Matched in the sample's own image in memory (PID 616, 0x400000-0x7BB000 and 0x4B50000-0x4F0B000), in the same 0x400000-0x7BB000 region of every sound.exe instance (PIDs 2260, 1692, 2324, 1796, 2276, 1512, 1820, 1556, 472), and in five dropped-file artefacts under behavioral1/files/0x0008000000019312
Drops file in System32 directory (22 IoCs)
File created C:\Windows\SysWOW64\sound.exe by sound.exe (10 IoCs) and by 5b64beac3ccc5e930abc126acb321f69.exe (1 IoC)
File opened for modification C:\Windows\SysWOW64\sound.exe by sound.exe (10 IoCs) and by 5b64beac3ccc5e930abc126acb321f69.exe (1 IoC)
Runs .reg file with regedit (11 IoCs)
regedit.exe, PIDs 1720, 2820, 3048, 2192, 2040, 1720, 3068, 2500, 2944, 864, 1892
Suspicious behavior: EnumeratesProcesses (11 IoCs)
5b64beac3ccc5e930abc126acb321f69.exe PID 616 and sound.exe PIDs 2260, 1692, 2324, 1796, 2276, 1512, 1820, 1556, 472, 1756
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 616 wrote to memory of 2792 616 5b64beac3ccc5e930abc126acb321f69.exe 28 PID 616 wrote to memory of 2792 616 5b64beac3ccc5e930abc126acb321f69.exe 28 PID 616 wrote to memory of 2792 616 5b64beac3ccc5e930abc126acb321f69.exe 28 PID 616 wrote to memory of 2792 616 5b64beac3ccc5e930abc126acb321f69.exe 28 PID 2792 wrote to memory of 2192 2792 cmd.exe 30 PID 2792 wrote to memory of 2192 2792 cmd.exe 30 PID 2792 wrote to memory of 2192 2792 cmd.exe 30 PID 2792 wrote to memory of 2192 2792 cmd.exe 30 PID 616 wrote to memory of 2260 616 5b64beac3ccc5e930abc126acb321f69.exe 29 PID 616 wrote to memory of 2260 616 5b64beac3ccc5e930abc126acb321f69.exe 29 PID 616 wrote to memory of 2260 616 5b64beac3ccc5e930abc126acb321f69.exe 29 PID 616 wrote to memory of 2260 616 5b64beac3ccc5e930abc126acb321f69.exe 29 PID 2260 wrote to memory of 2868 2260 sound.exe 31 PID 2260 wrote to memory of 2868 2260 sound.exe 31 PID 2260 wrote to memory of 2868 2260 sound.exe 31 PID 2260 wrote to memory of 2868 2260 sound.exe 31 PID 2868 wrote to memory of 864 2868 cmd.exe 32 PID 2868 wrote to memory of 864 2868 cmd.exe 32 PID 2868 wrote to memory of 864 2868 cmd.exe 32 PID 2868 wrote to memory of 864 2868 cmd.exe 32 PID 2260 wrote to memory of 1692 2260 sound.exe 33 PID 2260 wrote to memory of 1692 2260 sound.exe 33 PID 2260 wrote to memory of 1692 2260 sound.exe 33 PID 2260 wrote to memory of 1692 2260 sound.exe 33 PID 1692 wrote to memory of 2684 1692 sound.exe 34 PID 1692 wrote to memory of 2684 1692 sound.exe 34 PID 1692 wrote to memory of 2684 1692 sound.exe 34 PID 1692 wrote to memory of 2684 1692 sound.exe 34 PID 2684 wrote to memory of 2040 2684 cmd.exe 35 PID 2684 wrote to memory of 2040 2684 cmd.exe 35 PID 2684 wrote to memory of 2040 2684 cmd.exe 35 PID 2684 wrote to memory of 2040 2684 cmd.exe 35 PID 1692 wrote to memory of 2324 1692 sound.exe 36 PID 1692 wrote to memory of 2324 1692 sound.exe 36 PID 1692 wrote to memory of 2324 1692 sound.exe 36 PID 
1692 wrote to memory of 2324 1692 sound.exe 36 PID 2324 wrote to memory of 2972 2324 sound.exe 39 PID 2324 wrote to memory of 2972 2324 sound.exe 39 PID 2324 wrote to memory of 2972 2324 sound.exe 39 PID 2324 wrote to memory of 2972 2324 sound.exe 39 PID 2972 wrote to memory of 1892 2972 cmd.exe 40 PID 2972 wrote to memory of 1892 2972 cmd.exe 40 PID 2972 wrote to memory of 1892 2972 cmd.exe 40 PID 2972 wrote to memory of 1892 2972 cmd.exe 40 PID 2324 wrote to memory of 1796 2324 sound.exe 41 PID 2324 wrote to memory of 1796 2324 sound.exe 41 PID 2324 wrote to memory of 1796 2324 sound.exe 41 PID 2324 wrote to memory of 1796 2324 sound.exe 41 PID 1796 wrote to memory of 2656 1796 sound.exe 42 PID 1796 wrote to memory of 2656 1796 sound.exe 42 PID 1796 wrote to memory of 2656 1796 sound.exe 42 PID 1796 wrote to memory of 2656 1796 sound.exe 42 PID 2656 wrote to memory of 1720 2656 cmd.exe 43 PID 2656 wrote to memory of 1720 2656 cmd.exe 43 PID 2656 wrote to memory of 1720 2656 cmd.exe 43 PID 2656 wrote to memory of 1720 2656 cmd.exe 43 PID 1796 wrote to memory of 2276 1796 sound.exe 44 PID 1796 wrote to memory of 2276 1796 sound.exe 44 PID 1796 wrote to memory of 2276 1796 sound.exe 44 PID 1796 wrote to memory of 2276 1796 sound.exe 44 PID 2276 wrote to memory of 2728 2276 sound.exe 45 PID 2276 wrote to memory of 2728 2276 sound.exe 45 PID 2276 wrote to memory of 2728 2276 sound.exe 45 PID 2276 wrote to memory of 2728 2276 sound.exe 45
Processes
(indented by tree depth; each sound.exe instance relaunches cmd.exe with c:\a.bat and a further copy of itself)

C:\Users\Admin\AppData\Local\Temp\5b64beac3ccc5e930abc126acb321f69.exe (depth 1, PID 616)
  command line: "C:\Users\Admin\AppData\Local\Temp\5b64beac3ccc5e930abc126acb321f69.exe"
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2792)
    command line: cmd /c c:\a.bat
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regedit.exe (depth 3, PID 2192)
      command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      - Modifies security service
      - Runs .reg file with regedit
  C:\Windows\SysWOW64\sound.exe (depth 2, PID 2260)
    command line: C:\Windows\system32\sound.exe 708 "C:\Users\Admin\AppData\Local\Temp\5b64beac3ccc5e930abc126acb321f69.exe"
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2868)
      command line: cmd /c c:\a.bat
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regedit.exe (depth 4, PID 864)
        command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        - Modifies security service
        - Runs .reg file with regedit
    C:\Windows\SysWOW64\sound.exe (depth 3, PID 1692)
      command line: C:\Windows\system32\sound.exe 716 "C:\Windows\SysWOW64\sound.exe"
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2684)
        command line: cmd /c c:\a.bat
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regedit.exe (depth 5, PID 2040)
          command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          - Modifies security service
          - Runs .reg file with regedit
      C:\Windows\SysWOW64\sound.exe (depth 4, PID 2324)
        command line: C:\Windows\system32\sound.exe 724 "C:\Windows\SysWOW64\sound.exe"
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 2972)
          command line: cmd /c c:\a.bat
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\regedit.exe (depth 6, PID 1892)
            command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            - Modifies security service
            - Runs .reg file with regedit
        C:\Windows\SysWOW64\sound.exe (depth 5, PID 1796)
          command line: C:\Windows\system32\sound.exe 720 "C:\Windows\SysWOW64\sound.exe"
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2656)
            command line: cmd /c c:\a.bat
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\regedit.exe (depth 7, PID 1720)
              command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              - Modifies security service
              - Runs .reg file with regedit
          C:\Windows\SysWOW64\sound.exe (depth 6, PID 2276)
            command line: C:\Windows\system32\sound.exe 732 "C:\Windows\SysWOW64\sound.exe"
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 2728)
              command line: cmd /c c:\a.bat
              C:\Windows\SysWOW64\regedit.exe (depth 8, PID 2820)
                command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                - Modifies security service
                - Runs .reg file with regedit
            C:\Windows\SysWOW64\sound.exe (depth 7, PID 1512)
              command line: C:\Windows\system32\sound.exe 736 "C:\Windows\SysWOW64\sound.exe"
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 864)
                command line: cmd /c c:\a.bat
                C:\Windows\SysWOW64\regedit.exe (depth 9, PID 1720)
                  command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  - Modifies security service
                  - Runs .reg file with regedit
              C:\Windows\SysWOW64\sound.exe (depth 8, PID 1820)
                command line: C:\Windows\system32\sound.exe 740 "C:\Windows\SysWOW64\sound.exe"
                - Executes dropped EXE
                - Identifies Wine through registry keys
                - Loads dropped DLL
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                C:\Windows\SysWOW64\cmd.exe (depth 9, PID 2704)
                  command line: cmd /c c:\a.bat
                C:\Windows\SysWOW64\sound.exe (depth 9, PID 1556)
                  command line: C:\Windows\system32\sound.exe 728 "C:\Windows\SysWOW64\sound.exe"
                  - Executes dropped EXE
                  - Identifies Wine through registry keys
                  - Loads dropped DLL
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  C:\Windows\SysWOW64\cmd.exe (depth 10, PID 1040)
                    command line: cmd /c c:\a.bat
                    C:\Windows\SysWOW64\regedit.exe (depth 11, PID 2500)
                      command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      - Modifies security service
                      - Runs .reg file with regedit
                  C:\Windows\SysWOW64\sound.exe (depth 10, PID 472)
                    command line: C:\Windows\system32\sound.exe 744 "C:\Windows\SysWOW64\sound.exe"
                    - Executes dropped EXE
                    - Identifies Wine through registry keys
                    - Loads dropped DLL
                    - Drops file in System32 directory
                    - Suspicious behavior: EnumeratesProcesses
                    C:\Windows\SysWOW64\cmd.exe (depth 11, PID 2920)
                      command line: cmd /c c:\a.bat
                      C:\Windows\SysWOW64\regedit.exe (depth 12, PID 3048)
                        command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        - Modifies security service
                        - Runs .reg file with regedit
                    C:\Windows\SysWOW64\sound.exe (depth 11, PID 1756)
                      command line: C:\Windows\system32\sound.exe 748 "C:\Windows\SysWOW64\sound.exe"
                      - Executes dropped EXE
                      - Identifies Wine through registry keys
                      - Drops file in System32 directory
                      - Suspicious behavior: EnumeratesProcesses
                      C:\Windows\SysWOW64\cmd.exe (depth 12, PID 2664)
                        command line: cmd /c c:\a.bat
                        C:\Windows\SysWOW64\regedit.exe (depth 13, PID 2944)
                          command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          - Modifies security service
                          - Runs .reg file with regedit

C:\Windows\SysWOW64\regedit.exe (depth 1, PID 3068)
  command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
  - Modifies security service
  - Runs .reg file with regedit
Downloads