179e5def6f5a2f730da007ec993800c6a7fd29f16c66f98275701006e49946f7

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab9b70ac3e4e75ad4e5f7fe4d1e22e08.exe
Size

4.2MB
MD5

ab9b70ac3e4e75ad4e5f7fe4d1e22e08
SHA1

f5834275ba276bdd0b1069d6cea9ac805a79e1e1
SHA256

179e5def6f5a2f730da007ec993800c6a7fd29f16c66f98275701006e49946f7
SHA512

cc97264d01d0b6f4acee5745f40f0c0795d8b28b36cca853236cd63ebb5f957aa16b9faad88b856095580fdeb9608ba449aff77aaf2f646461693090b1d71c0e
SSDEEP

98304:teU7/LbaWFdAEGrk9fSlchJOSKrmWrIUnjp7Cjr70xeH:t/baWHHGrk9fSlcbOSKrmdUnjp80xe

Score

7^/10

evasion persistence themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine	ab9b70ac3e4e75ad4e5f7fe4d1e22e08.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2492-0-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-3-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-32-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-33-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-35-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-40-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-41-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-42-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-43-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-44-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-45-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-46-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-47-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-48-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-49-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-50-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida
behavioral1/memory/2492-51-0x0000000000400000-0x0000000001A2F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wapp = "C:\\Arquivos de programas\\Wapp.exe"	ab9b70ac3e4e75ad4e5f7fe4d1e22e08.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2492	ab9b70ac3e4e75ad4e5f7fe4d1e22e08.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2492	ab9b70ac3e4e75ad4e5f7fe4d1e22e08.exe

C:\Users\Admin\AppData\Local\Temp\ab9b70ac3e4e75ad4e5f7fe4d1e22e08.exe
"C:\Users\Admin\AppData\Local\Temp\ab9b70ac3e4e75ad4e5f7fe4d1e22e08.exe"
1⤵
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-0-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-1-0x0000000000300000-0x00000000003EA000-memory.dmp

Filesize
936KB

Download
memory/2492-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2492-3-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-4-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/2492-6-0x00000000068E0000-0x00000000068E2000-memory.dmp

Filesize
8KB

Download
memory/2492-5-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/2492-7-0x00000000068D0000-0x00000000068D1000-memory.dmp

Filesize
4KB

Download
memory/2492-8-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/2492-9-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/2492-13-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/2492-12-0x00000000069D0000-0x00000000069D2000-memory.dmp

Filesize
8KB

Download
memory/2492-14-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/2492-15-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/2492-18-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/2492-19-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/2492-17-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/2492-16-0x00000000069B0000-0x00000000069B2000-memory.dmp

Filesize
8KB

Download
memory/2492-11-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download
memory/2492-22-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/2492-21-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/2492-23-0x0000000001AD0000-0x0000000001AD1000-memory.dmp

Filesize
4KB

Download
memory/2492-20-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/2492-24-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download
memory/2492-26-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/2492-27-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/2492-25-0x0000000006CD0000-0x0000000006CD2000-memory.dmp

Filesize
8KB

Download
memory/2492-10-0x00000000069A0000-0x00000000069A2000-memory.dmp

Filesize
8KB

Download
memory/2492-28-0x0000000006970000-0x0000000006971000-memory.dmp

Filesize
4KB

Download
memory/2492-29-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/2492-30-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/2492-31-0x0000000006A40000-0x0000000006A41000-memory.dmp

Filesize
4KB

Download
memory/2492-32-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-33-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-34-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2492-35-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-36-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/2492-37-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/2492-38-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/2492-39-0x0000000006C00000-0x0000000006C02000-memory.dmp

Filesize
8KB

Download
memory/2492-40-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-41-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-42-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-43-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-44-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-45-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-46-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-47-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-48-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-49-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-50-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/2492-51-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download