5bfab23aa8655fda15f07e294e61e40a03cbba08b9341fd246110a426dbb1ea6

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 11:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c06f8e06b571d480c80e6df87cda2b1b.exe
Size

2.6MB
MD5

c06f8e06b571d480c80e6df87cda2b1b
SHA1

e9654617e3871194391ecddbb1411e662e1fe061
SHA256

5bfab23aa8655fda15f07e294e61e40a03cbba08b9341fd246110a426dbb1ea6
SHA512

4c43d52d2211a3328cda59f20e05d35149dec8cfb67f61bac5fe31657d5b135929cb4c063637efaf622f510dfddcbc4941c0c269360e95bc380a6c60258c2aa3
SSDEEP

49152:IWqF9cdbC6MQoYz2iMVZKJFkAFY3QiWEtb4QH2AsSx7co0q33+:sF9++Tw2iywoQirtb4QH2AYq33+

Score

7^/10

evasion themida

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2532	rinst.exe
2564	AirDropInject.exe
1472	aw.exe
2704	awr.exe
2012	uninst.tmp

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Wine	aw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Wine	awr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Wine	uninst.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Wine	rinst.exe

Loads dropped DLL 6 IoCs

pid	Process
1920	c06f8e06b571d480c80e6df87cda2b1b.exe
2532	rinst.exe
2532	rinst.exe
1472	aw.exe
1472	aw.exe
2704	awr.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000018b4b-15.dat	themida
behavioral1/memory/2532-20-0x0000000000400000-0x000000000052B000-memory.dmp	themida
behavioral1/memory/2532-23-0x0000000000400000-0x000000000052B000-memory.dmp	themida
behavioral1/files/0x0006000000018b5b-41.dat	themida
behavioral1/memory/2532-44-0x0000000000400000-0x000000000052B000-memory.dmp	themida
behavioral1/memory/1472-48-0x0000000000400000-0x00000000005D4000-memory.dmp	themida
behavioral1/memory/1472-50-0x0000000000400000-0x00000000005D4000-memory.dmp	themida
behavioral1/files/0x0006000000018b5b-51.dat	themida
behavioral1/files/0x0006000000018b77-53.dat	themida
behavioral1/memory/1472-64-0x0000000010000000-0x000000001011A000-memory.dmp	themida
behavioral1/memory/2704-62-0x0000000000400000-0x000000000052B000-memory.dmp	themida
behavioral1/memory/1472-68-0x0000000000400000-0x00000000005D4000-memory.dmp	themida
behavioral1/memory/2704-69-0x0000000000400000-0x000000000052B000-memory.dmp	themida
behavioral1/memory/2704-74-0x0000000000400000-0x000000000052B000-memory.dmp	themida
behavioral1/memory/1472-80-0x0000000000400000-0x00000000005D4000-memory.dmp	themida
behavioral1/memory/2012-81-0x0000000000400000-0x000000000052B000-memory.dmp	themida
behavioral1/memory/2012-87-0x0000000000400000-0x000000000052B000-memory.dmp	themida
behavioral1/memory/2012-89-0x0000000000400000-0x000000000052B000-memory.dmp	themida

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Accessibility\Blind Access\On = "0"	aw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1472	aw.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1472	aw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1472	aw.exe
1472	aw.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2532	1920	c06f8e06b571d480c80e6df87cda2b1b.exe	28
PID 1920 wrote to memory of 2532	1920	c06f8e06b571d480c80e6df87cda2b1b.exe	28
PID 1920 wrote to memory of 2532	1920	c06f8e06b571d480c80e6df87cda2b1b.exe	28
PID 1920 wrote to memory of 2532	1920	c06f8e06b571d480c80e6df87cda2b1b.exe	28
PID 2532 wrote to memory of 2564	2532	rinst.exe	29
PID 2532 wrote to memory of 2564	2532	rinst.exe	29
PID 2532 wrote to memory of 2564	2532	rinst.exe	29
PID 2532 wrote to memory of 2564	2532	rinst.exe	29
PID 2532 wrote to memory of 1472	2532	rinst.exe	30
PID 2532 wrote to memory of 1472	2532	rinst.exe	30
PID 2532 wrote to memory of 1472	2532	rinst.exe	30
PID 2532 wrote to memory of 1472	2532	rinst.exe	30
PID 1472 wrote to memory of 2704	1472	aw.exe	31
PID 1472 wrote to memory of 2704	1472	aw.exe	31
PID 1472 wrote to memory of 2704	1472	aw.exe	31
PID 1472 wrote to memory of 2704	1472	aw.exe	31
PID 2704 wrote to memory of 2012	2704	awr.exe	32
PID 2704 wrote to memory of 2012	2704	awr.exe	32
PID 2704 wrote to memory of 2012	2704	awr.exe	32
PID 2704 wrote to memory of 2012	2704	awr.exe	32
PID 2704 wrote to memory of 2012	2704	awr.exe	32
PID 2704 wrote to memory of 2012	2704	awr.exe	32
PID 2704 wrote to memory of 2012	2704	awr.exe	32

C:\Users\Admin\AppData\Local\Temp\c06f8e06b571d480c80e6df87cda2b1b.exe
"C:\Users\Admin\AppData\Local\Temp\c06f8e06b571d480c80e6df87cda2b1b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\AirDropInject.exe
    "C:\Users\Admin\AppData\Local\Temp\AirDropInject.exe"
    3⤵
    - Executes dropped EXE
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\pk\aw.exe
    C:\Users\Admin\AppData\Local\Temp\pk\aw.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Modifies Control Panel
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\pk\awr.exe
      C:\Users\Admin\AppData\Local\Temp\pk\awr.exe u
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\uninst.tmp
        
        C:\Users\Admin\AppData\Local\Temp\uninst.tmp u2
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AirDropInject.exe

Filesize
828KB

MD5
bf45bee1057e719d76b5496390dc9de6

SHA1
3329837e70687a23dee80824c9093716ce819edb

SHA256
9b5e77164e6a7809c6f80a73c0ead37dc882deab424dd408a75da22495b3ed1f

SHA512
ac80087726098efa3b8fac0d5f262f752167a01046035566ddaa82a4aaae0af641fb3375e561a22734f34d6af65c4e519f917c673209e162ab95b27a86429c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\aw.exe

Filesize
831KB

MD5
1aa86c490e4cd6129e46cea5a2eed6ee

SHA1
c47c3409d0f5a42e9251d6e4f1df1af3ad1604ab

SHA256
d8ae8d163e7f13efded7776f1bb8da2cbdb0d6a98be49be3f1160899d974e890

SHA512
58926c05a2c6f99d158e619b852772fe8b7b8ab741f73c50842f965c2ed85556c50593e3ca2ad21eb5a97128f11e5fc0ac5d8fe55943a1fc44d83e8785363d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\awhk.dll

Filesize
514KB

MD5
3159e47106badb5e371bf47c817798a3

SHA1
21604a71e407e0a35bad44860557767e34307a9a

SHA256
de1ca752388daef62569292bbae5285d996aeea5a2a4740b56ec70266672c5e5

SHA512
633cbbf61909ae7109e17a396c758cfeb25528ce381bc5778ec86c26e5f7b7698097c984d34e56c4cc6a87e8d2740a9df676f69b536b0c3db8122105e7ed27f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\awwb.dll

Filesize
482KB

MD5
92f9c5a509dadd8d0d3c12fbdf568d80

SHA1
ad3a3cfdcfc57f2f19f4ee4c2f7a062a380eac1f

SHA256
c8ae65d6e0e4f5cd2582c5a27713a33ee3715bbeb3ee011012b49a3354d1898d

SHA512
03b4c81cb5d3eb81af3dfa1004d4983fdfe07c03fe45bd5d8ac8d27de0bf13a50b6f880245b8ad43a9dd39a0d1146fcf5a8650954328809c5da7780547833754

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
d2c1da1befeca59d0fe0d2232b74d5e5

SHA1
0e94cac297eb55155d2d5c8c757a1456516a8cf4

SHA256
a8fd43324236681680bf04eec633da377383646b1404c97bb430f152d5c0815c

SHA512
a5d13c30085cae9243a07b704498f81d80e34518b1d4f7b110c723381bec84501112b5aabcc268e434591e74dc65d7f4c0616d1e577a426a7beee60af6f460c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
9KB

MD5
b8af1857fe91d5d871e6e49cdef10662

SHA1
51b8f9c70c915bba4d13851eafea94a5ea546a77

SHA256
d7010539eea80890b916320907377bbb0f4b830b7efdfbba569ba114b6989800

SHA512
2c6ef98f6ae8786abf11ba023c11a774501b05add9997a06e992e5d6325c845be05e957beecebd66ce6372b929ba0a0f7bdc9bd509c6cf6973f74df20ff1b235

Download Submit
C:\Users\Admin\AppData\Local\Temp\pk\aw.exe

Filesize
687KB

MD5
70a0d5623d40916fee03b11b2c0dd031

SHA1
41ce15d6ec49c03d02eceaaeec145b85ec5e0a50

SHA256
044bcb1a6080094bb916b89ff82e33d5481087eb1b140188db638332e367104c

SHA512
9fd0f1d6dd98b50550fd1452c3b0e48ed1b1a4ddd0ea633b4d3a93fe2fa2dad625534fe7ff9bf9a754ddc0ba5a35cd2a6f74c37c53490f3f9cc99e4411438a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\pk\awhk.dll

Filesize
514KB

MD5
685ce717784933dcc61614c3eca8c068

SHA1
6c14586f9f886f77973d9bde93589bdcdc29290a

SHA256
f1cd266559a3864771c13e9973212f3c5bc7eab5c1b32762814fffff24aad95b

SHA512
9e5864e8a92784ba98b51648e46eaee61d21049f6b796478507a1a3ce14a9d23afc0bb959dd8ba05ec2dcc7e930f68191e96ec8f87c7bb79d81382940613811f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pk\awwb.dll

Filesize
482KB

MD5
fbe0ea86e553589f0761d979bccdf359

SHA1
fa592e7178d38adcb25a7c0216987ccdba9c9a01

SHA256
836ab30aac2dc0727b0407df8b7187deacae1e469b682453312392c2ab4a9f17

SHA512
d2e1a2e6fd6d7987649946a4687fa2e8cf8d87b89b881cee49b9fdf162430bb06728bc0f3fd343d9045476ee8ff24070c43edade1c1af9649d78c94a7c6b5cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pk\pk.bin

Filesize
9KB

MD5
c0095d5dae3422bc307ae5dcd676bdbd

SHA1
f409ab4bf88f662a575d66e9b284aff8da11fef8

SHA256
c1caa55ed84667f0adf2ea52d0e3a73d34c482ea3fdbafdff88959ecda1e811f

SHA512
c6f10e8f9672fa251a41f0f0da4ea340573b64683f691aa1df73c791138018d0190f0126322f4a11173b662f5d7ac71a5b11eeaf3804973b978ddb783ccb7d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pk\pk.bin

Filesize
9KB

MD5
ff894731715452cd85449d7147edef45

SHA1
0daaa18efaf39e5dbd93da235e4d6416aedd6fc9

SHA256
53cc3f2bc95ad9024cf3377b52980518853cf2adc7bfb17f0129ab784fedcd0f

SHA512
1bf2c3e730760b603b60d1e561dc95a67ffb2cd11a7786e0ca79402c80aa73117571d171bb7b1490fbe161fa79e04e9c7083345d794b625801a52f482fd5c678

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
511KB

MD5
e436b13f39bd4a91416729d975f2d79e

SHA1
896536accf0e14080b3cf63dea816ec8f6b50c10

SHA256
8b0dd069a03d1039f106878c4f8eec508d84ba98811fdcb4425beb38a1452a77

SHA512
1fb796e3d64824284f15338e45f3d6bd5a1253359a8411d7a493a96de80af2b788d823411868bfaa16a5052b47e061010843341225124858904f80a01d43f491

Download Submit
\Users\Admin\AppData\Local\Temp\pk\aw.exe

Filesize
831KB

MD5
c247cf657963dc3d2b369f96e460c1e6

SHA1
678c65bf7d35c738428bd3118b13993c1706017a

SHA256
69a89f3d50a6942bf7fede5014122054ecbfee64cd7a8998cdc35bca432c793e

SHA512
0a89c051545c20ce961c2b21daee85ba54f400afe208a3ca924e1566fa679d2d70efd9ddd955f36885c8d18131dfa3191ad9434b7f808c9b2547b331cc303887

Download Submit
memory/1472-80-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1472-68-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1472-64-0x0000000010000000-0x000000001011A000-memory.dmp

Filesize
1.1MB

Download
memory/1472-48-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1472-50-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1920-66-0x0000000002E60000-0x0000000002F8B000-memory.dmp

Filesize
1.2MB

Download
memory/1920-91-0x0000000002E60000-0x0000000002EBD000-memory.dmp

Filesize
372KB

Download
memory/1920-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1920-18-0x0000000002E60000-0x0000000002F8B000-memory.dmp

Filesize
1.2MB

Download
memory/2012-81-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2012-89-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2012-87-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2532-44-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2532-20-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2532-23-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2564-86-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-47-0x00000000020B0000-0x0000000002130000-memory.dmp

Filesize
512KB

Download
memory/2564-70-0x00000000020B0000-0x0000000002130000-memory.dmp

Filesize
512KB

Download
memory/2564-82-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-83-0x00000000020B0000-0x0000000002130000-memory.dmp

Filesize
512KB

Download
memory/2564-84-0x00000000020B0000-0x0000000002130000-memory.dmp

Filesize
512KB

Download
memory/2564-93-0x00000000020B0000-0x0000000002130000-memory.dmp

Filesize
512KB

Download
memory/2564-92-0x00000000020B0000-0x0000000002130000-memory.dmp

Filesize
512KB

Download
memory/2564-46-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-49-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

Filesize
9.6MB

Download
memory/2704-76-0x0000000003FE0000-0x000000000410B000-memory.dmp

Filesize
1.2MB

Download
memory/2704-62-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2704-74-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2704-69-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads