eb065c08dba31dc3eb278a346750834fe4e48154f751ab7276517aba4b193d45

General

Target

6fdf76d5943d5b8175afd87874080117.exe
Size

598KB
MD5

6fdf76d5943d5b8175afd87874080117
SHA1

4b314819ecde861f3c9c789f80922d8128d254e8
SHA256

eb065c08dba31dc3eb278a346750834fe4e48154f751ab7276517aba4b193d45
SHA512

1424a2c430897d1bafad78f243314daee8ff340bb4355c9181a3d691feba6771a38aa9e2577ebb97b12c786a8c43a69cfb2add45201a08420718f6abefcd44a7
SSDEEP

12288:0pQplXrQaJBOyhm6wrT1h+dfWoAqIqUEW7HuhMwHJ2LQz3GhimV/x:jP7ZBPhOxSWLccWPHILJrVZ

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Wine	6fdf76d5943d5b8175afd87874080117.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2092	6fdf76d5943d5b8175afd87874080117.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2940	2092	6fdf76d5943d5b8175afd87874080117.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2092	6fdf76d5943d5b8175afd87874080117.exe
2940	6fdf76d5943d5b8175afd87874080117.exe
2940	6fdf76d5943d5b8175afd87874080117.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2940	2092	6fdf76d5943d5b8175afd87874080117.exe	28
PID 2092 wrote to memory of 2940	2092	6fdf76d5943d5b8175afd87874080117.exe	28
PID 2092 wrote to memory of 2940	2092	6fdf76d5943d5b8175afd87874080117.exe	28
PID 2092 wrote to memory of 2940	2092	6fdf76d5943d5b8175afd87874080117.exe	28
PID 2092 wrote to memory of 2940	2092	6fdf76d5943d5b8175afd87874080117.exe	28
PID 2092 wrote to memory of 2940	2092	6fdf76d5943d5b8175afd87874080117.exe	28
PID 2092 wrote to memory of 2940	2092	6fdf76d5943d5b8175afd87874080117.exe	28
PID 2940 wrote to memory of 1316	2940	6fdf76d5943d5b8175afd87874080117.exe	15
PID 2940 wrote to memory of 1316	2940	6fdf76d5943d5b8175afd87874080117.exe	15
PID 2940 wrote to memory of 1316	2940	6fdf76d5943d5b8175afd87874080117.exe	15
PID 2940 wrote to memory of 1316	2940	6fdf76d5943d5b8175afd87874080117.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1316
- C:\Users\Admin\AppData\Local\Temp\6fdf76d5943d5b8175afd87874080117.exe
  "C:\Users\Admin\AppData\Local\Temp\6fdf76d5943d5b8175afd87874080117.exe"
  2⤵
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\6fdf76d5943d5b8175afd87874080117.exe
    C:\Users\Admin\AppData\Local\Temp\6fdf76d5943d5b8175afd87874080117.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-22-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1316-26-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2092-17-0x0000000004120000-0x0000000004263000-memory.dmp

Filesize
1.3MB

Download
memory/2092-10-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/2092-5-0x0000000000400000-0x00000000005427EA-memory.dmp

Filesize
1.3MB

Download
memory/2092-7-0x0000000003F70000-0x0000000003F72000-memory.dmp

Filesize
8KB

Download
memory/2092-8-0x0000000003F50000-0x0000000003F52000-memory.dmp

Filesize
8KB

Download
memory/2092-12-0x0000000000C60000-0x0000000000C62000-memory.dmp

Filesize
8KB

Download
memory/2092-1-0x0000000000400000-0x00000000005427EA-memory.dmp

Filesize
1.3MB

Download
memory/2092-14-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2092-0-0x0000000000400000-0x00000000005427EA-memory.dmp

Filesize
1.3MB

Download
memory/2092-2-0x0000000000400000-0x00000000005427EA-memory.dmp

Filesize
1.3MB

Download
memory/2092-16-0x0000000000400000-0x00000000005427EA-memory.dmp

Filesize
1.3MB

Download
memory/2940-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-23-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2940-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-15-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2940-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads