Overview

overview

7

Static

static

7

bd143b10dc...0c.exe

windows7-x64

7

bd143b10dc...0c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2024, 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd143b10dcdb8a615146d4d21fd49d0c.exe

  • Size

    599KB

  • MD5

    bd143b10dcdb8a615146d4d21fd49d0c

  • SHA1

    6c68b47f039e6184dfa21160dc58c6c25d102526

  • SHA256

    e30c972e20df918746c1f082e594a3b70b03b438579f649a1d8291d51992fcd4

  • SHA512

    fa95ef88f8ee8d6c83521672fc71f0e950259da718157c416c637dd968438d79698ecd1c97da9c8b1526dd8ca8129862856ce3a060ff5007b2e63cf8fc4eaa63

  • SSDEEP

    12288:TB5UB5H29gx/rvrTTHnQ2ggA8XOD8dwFssCifeu+HG+v:TBOHL/TTHnEg7XOD8ksspeus

Score
7/10
evasionthemida

Malware Config

Signatures

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd143b10dcdb8a615146d4d21fd49d0c.exe
    "C:\Users\Admin\AppData\Local\Temp\bd143b10dcdb8a615146d4d21fd49d0c.exe"
    1⤵
    • Identifies Wine through registry keys
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • \??\c:\users\admin\appdata\local\temp\bd143b10dcdb8a615146d4d21fd49d0c.exe
      c:\users\admin\appdata\local\temp\bd143b10dcdb8a615146d4d21fd49d0c.exe
      2⤵
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2208-9-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2208-10-0x0000000003E00000-0x0000000003E02000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2208-3-0x0000000003F70000-0x0000000003F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2208-4-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2208-5-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2208-6-0x0000000003E10000-0x0000000003E11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2208-7-0x0000000003E20000-0x0000000003E21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2208-8-0x0000000003F90000-0x0000000003F91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2208-2-0x0000000015110000-0x0000000015267000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2208-0-0x0000000015110000-0x0000000015267000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2548-14-0x0000000015110000-0x0000000015267000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2600-11-0x0000000015110000-0x0000000015267000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2600-12-0x0000000015110000-0x0000000015267000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2600-13-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2600-16-0x00000000004D0000-0x00000000004D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2600-18-0x0000000001D30000-0x0000000001D31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2600-20-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

      Filesize

      4KB

      Download