39d143403f4bf58c7f1a19b3f26206d896fc6c1fcdcce8951b9d3eefb26a05bd

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RealPlayer 15 Crack/rpxiv_activator.exe
Size

1.2MB
MD5

2d1e99487d499ca8df27ce5c4860e0b2
SHA1

59ea896ea0e2d182d777e33582ff8d28624bc752
SHA256

80014c8bac5a7e22f43ba2c7395f8b7160e1f2b9394e5c01e0091da61261e59a
SHA512

4729e949b7e6f01d97fc6819fa1c589d41b7dce03eaaa33aea362c872fd56880db9be01d8fb334fd1277234783f00458d3ceceddeb0ddeba44c497cf7006619e
SSDEEP

24576:Jr1IrN48I3e+TZfqa5PmyWoGl/ORRSUQpy+t4avpveJdcXc4DYEsUS9oe:pmN4dFZia5GpKwRxvkdp4Rq

Score

7^/10

evasion themida

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	rpxiv_activator.exe

Loads dropped DLL 1 IoCs

pid	Process
1656	rpxiv_activator.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1656-0-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-1-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-35-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-37-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-39-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-41-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-43-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-45-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-47-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-49-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-51-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-53-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-55-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-57-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-59-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-61-0x0000000000400000-0x00000000006B9000-memory.dmp	themida
behavioral1/memory/1656-63-0x0000000000400000-0x00000000006B9000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1656	rpxiv_activator.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1656	rpxiv_activator.exe

C:\Users\Admin\AppData\Local\Temp\RealPlayer 15 Crack\rpxiv_activator.exe
"C:\Users\Admin\AppData\Local\Temp\RealPlayer 15 Crack\rpxiv_activator.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
memory/1656-0-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-1-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-3-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/1656-7-0x00000000041F0000-0x00000000041F2000-memory.dmp

Filesize
8KB

Download
memory/1656-8-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/1656-6-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/1656-9-0x00000000044C0000-0x00000000044C2000-memory.dmp

Filesize
8KB

Download
memory/1656-10-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/1656-11-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/1656-12-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/1656-13-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1656-15-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1656-16-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1656-14-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/1656-17-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1656-18-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1656-19-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1656-20-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1656-21-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/1656-32-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1656-31-0x0000000004400000-0x0000000004402000-memory.dmp

Filesize
8KB

Download
memory/1656-30-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1656-29-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1656-28-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/1656-27-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1656-26-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/1656-25-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/1656-24-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/1656-23-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1656-33-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/1656-22-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1656-34-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-35-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-36-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-37-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-38-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-39-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-40-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-41-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-42-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-43-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-44-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-45-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-46-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-47-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-48-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-49-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-50-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-51-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-52-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-53-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-54-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-55-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-56-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-57-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-58-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-59-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-60-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-61-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-62-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-63-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/1656-64-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download