24d9aaeeffae4dbcdc765cb493ab61e3b178996413bd1d0c238d7b810f142efa

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

859f4e25c421355b01e43bcf1909a2ab.exe
Size

485KB
MD5

859f4e25c421355b01e43bcf1909a2ab
SHA1

682964af85fd3887758ca224f4f5c241d39d8790
SHA256

24d9aaeeffae4dbcdc765cb493ab61e3b178996413bd1d0c238d7b810f142efa
SHA512

f0d40b3ccc6c655c32a11cd3cc925c2c27889ca6bb04e627794ecd4e409ddd733133f98b9206e1e421e6a533e7d8d61e4cdbdaeb36773d699b973cbf607fcafe
SSDEEP

12288:DGADoa45fuKHmOtAwtDZgu49xCEIIKGB28IfkqBxveXUc:y3uKhtDFZguxfkq5c

Score

7^/10

evasion themida

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2608	winscrne.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine	859f4e25c421355b01e43bcf1909a2ab.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine	winscrne.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	859f4e25c421355b01e43bcf1909a2ab.exe
2888	859f4e25c421355b01e43bcf1909a2ab.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2888-1-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/files/0x000a000000013a1a-12.dat	themida
behavioral1/memory/2888-14-0x0000000004690000-0x00000000047DC000-memory.dmp	themida
behavioral1/memory/2888-21-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-23-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-24-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-36-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-37-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-38-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-39-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-40-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-41-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-42-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-43-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-44-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-45-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-46-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-47-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-48-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-49-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-50-0x0000000000400000-0x000000000054C000-memory.dmp	themida
behavioral1/memory/2608-51-0x0000000000400000-0x000000000054C000-memory.dmp	themida

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File opened for modification	C:\Windows\SysWOW64\winscrne.exe	859f4e25c421355b01e43bcf1909a2ab.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe	859f4e25c421355b01e43bcf1909a2ab.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe
File created	C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe	winscrne.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2888	859f4e25c421355b01e43bcf1909a2ab.exe
2608	winscrne.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2608	2888	859f4e25c421355b01e43bcf1909a2ab.exe	28
PID 2888 wrote to memory of 2608	2888	859f4e25c421355b01e43bcf1909a2ab.exe	28
PID 2888 wrote to memory of 2608	2888	859f4e25c421355b01e43bcf1909a2ab.exe	28
PID 2888 wrote to memory of 2608	2888	859f4e25c421355b01e43bcf1909a2ab.exe	28

C:\Users\Admin\AppData\Local\Temp\859f4e25c421355b01e43bcf1909a2ab.exe
"C:\Users\Admin\AppData\Local\Temp\859f4e25c421355b01e43bcf1909a2ab.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\winscrne.exe
  C:\Windows\system32\winscrne.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\winscrne.exe

Filesize
485KB

MD5
859f4e25c421355b01e43bcf1909a2ab

SHA1
682964af85fd3887758ca224f4f5c241d39d8790

SHA256
24d9aaeeffae4dbcdc765cb493ab61e3b178996413bd1d0c238d7b810f142efa

SHA512
f0d40b3ccc6c655c32a11cd3cc925c2c27889ca6bb04e627794ecd4e409ddd733133f98b9206e1e421e6a533e7d8d61e4cdbdaeb36773d699b973cbf607fcafe

Download Submit
memory/2608-27-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/2608-40-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-51-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-50-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-49-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-48-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-47-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-46-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-45-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-44-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-43-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-42-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-41-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-28-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/2608-39-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-23-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-32-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/2608-38-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-30-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/2608-29-0x00000000040E0000-0x00000000040E2000-memory.dmp

Filesize
8KB

Download
memory/2608-37-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-26-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2608-31-0x0000000004060000-0x0000000004062000-memory.dmp

Filesize
8KB

Download
memory/2608-25-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/2608-24-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2608-33-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/2608-35-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/2608-36-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2888-3-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2888-5-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/2888-22-0x0000000004690000-0x00000000047DC000-memory.dmp

Filesize
1.3MB

Download
memory/2888-21-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2888-14-0x0000000004690000-0x00000000047DC000-memory.dmp

Filesize
1.3MB

Download
memory/2888-9-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/2888-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2888-1-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2888-13-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/2888-2-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/2888-6-0x00000000040E0000-0x00000000040E2000-memory.dmp

Filesize
8KB

Download
memory/2888-7-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2888-8-0x0000000004030000-0x0000000004032000-memory.dmp

Filesize
8KB

Download
memory/2888-10-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download