e1932ca9b4d6f226f95134d049c84d4cfd6b9f5a1be3aba0337ca65611e919d3

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

972282f0317f60e7e633db78ba110902.exe
Size

1.6MB
MD5

972282f0317f60e7e633db78ba110902
SHA1

34e3ecd3f940795bd90a17f61490cdaf86a2b1e4
SHA256

e1932ca9b4d6f226f95134d049c84d4cfd6b9f5a1be3aba0337ca65611e919d3
SHA512

de515b80f834aef003b51ba451af8265582e4717052beccff7edbad856bf7ca7f02323a180885628dc6d29c89987079a68d3b27b818d7292002c4ba13746575d
SSDEEP

49152:WZh/1Qgp3ddF8VAF6E0VYXai5/ermOR8qPuV:iL5F8VG6TVYqYe6OR8q+

Score

8^/10

evasion persistence themida

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\svchost.dll"	972282f0317f60e7e633db78ba110902.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	972282f0317f60e7e633db78ba110902.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1896-0-0x0000000000400000-0x0000000000737000-memory.dmp	themida
behavioral1/memory/1896-3-0x0000000000400000-0x0000000000737000-memory.dmp	themida
behavioral1/memory/1896-22-0x0000000000400000-0x0000000000737000-memory.dmp	themida

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.dll	972282f0317f60e7e633db78ba110902.exe
File opened for modification	C:\Windows\svchost.dll	972282f0317f60e7e633db78ba110902.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1896	972282f0317f60e7e633db78ba110902.exe

C:\Users\Admin\AppData\Local\Temp\972282f0317f60e7e633db78ba110902.exe
"C:\Users\Admin\AppData\Local\Temp\972282f0317f60e7e633db78ba110902.exe"
1⤵
- Sets DLL path for service in the registry
- Identifies Wine through registry keys
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1896-1-0x0000000001EE0000-0x0000000001FD4000-memory.dmp

Filesize
976KB

Download
memory/1896-0-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/1896-3-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/1896-18-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1896-19-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1896-17-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1896-16-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/1896-15-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/1896-14-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/1896-13-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/1896-12-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/1896-11-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/1896-10-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/1896-9-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/1896-8-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/1896-7-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/1896-6-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/1896-5-0x00000000043B0000-0x00000000043B2000-memory.dmp

Filesize
8KB

Download
memory/1896-4-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/1896-22-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download