e68e2bf34febdbfc2049fcd31a4311a73e634b0001d4e3437f85f305e27b5535

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb55cba6b935784165ec50b618763cb9.exe
Size

1.8MB
MD5

bb55cba6b935784165ec50b618763cb9
SHA1

c49b603b98c2e1c1c52b99d323eb2d3d2b06d249
SHA256

e68e2bf34febdbfc2049fcd31a4311a73e634b0001d4e3437f85f305e27b5535
SHA512

c21bfca818a32e34b57437d5431f793eef491d1ecfac357aa6f950438d4c98487d8375fb36b674faf431928de3bbf70b900953f1f9257ad3559a1d3a7e8090c7
SSDEEP

49152:JOmo6jiO77ylb0vUy3RWBCWRO5ip6xdkohDP:3iO7W9QWrRYipboJ

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Wine	bb55cba6b935784165ec50b618763cb9.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2240	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2240	bb55cba6b935784165ec50b618763cb9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2648	2240	bb55cba6b935784165ec50b618763cb9.exe	28
PID 2240 wrote to memory of 2648	2240	bb55cba6b935784165ec50b618763cb9.exe	28
PID 2240 wrote to memory of 2648	2240	bb55cba6b935784165ec50b618763cb9.exe	28
PID 2240 wrote to memory of 2648	2240	bb55cba6b935784165ec50b618763cb9.exe	28

C:\Users\Admin\AppData\Local\Temp\bb55cba6b935784165ec50b618763cb9.exe
"C:\Users\Admin\AppData\Local\Temp\bb55cba6b935784165ec50b618763cb9.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 284
  2⤵
  - Program crash
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-0-0x0000000000400000-0x00000000007A1000-memory.dmp

Filesize
3.6MB

Download
memory/2240-1-0x00000000020F0000-0x000000000226F000-memory.dmp

Filesize
1.5MB

Download
memory/2240-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2240-3-0x0000000000400000-0x00000000007A1000-memory.dmp

Filesize
3.6MB

Download
memory/2240-4-0x0000000000400000-0x00000000007A1000-memory.dmp

Filesize
3.6MB

Download
memory/2240-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download