bd42d3db5c5a13028bcac1958aff1ef3b2c4ba7bb7bb5719f8b521f97dd51a78

General

Target

dfcb6fc752ebeaf4d53f75aea06299c6.exe
Size

1.9MB
MD5

dfcb6fc752ebeaf4d53f75aea06299c6
SHA1

90cdb5c750f47d4d27dff52ffffae17f6fb9de64
SHA256

bd42d3db5c5a13028bcac1958aff1ef3b2c4ba7bb7bb5719f8b521f97dd51a78
SHA512

339b07f849e58e87ea1796b81cd456d725535c09e2dcb2d52a813eb35b2ca2c1ffb3bde651cef5b4b6f66f534fc01a905005c6e0691da5f885738460c7a28c20
SSDEEP

49152:Yoq37gR46arvwL47Os6Cy3bbBumUiA6FxOvIfstcDn:/rRMrvZHnmUN6FxOv0st8n

Score

7^/10

evasion upx

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine	dfcb6fc752ebeaf4d53f75aea06299c6.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dfcb6fc752ebeaf4d53f75aea06299c6.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2652-0-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-14-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-29-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-30-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-31-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-32-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-33-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-34-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-35-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-36-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-37-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-38-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-39-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-40-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-41-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-42-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral2/memory/2652-43-0x0000000000400000-0x000000000092E000-memory.dmp	upx

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\FalconBetaAccount	dfcb6fc752ebeaf4d53f75aea06299c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\FalconBetaAccount\remote_access_client_id = "3359481445"	dfcb6fc752ebeaf4d53f75aea06299c6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2652	dfcb6fc752ebeaf4d53f75aea06299c6.exe
2652	dfcb6fc752ebeaf4d53f75aea06299c6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2652	dfcb6fc752ebeaf4d53f75aea06299c6.exe

C:\Users\Admin\AppData\Local\Temp\dfcb6fc752ebeaf4d53f75aea06299c6.exe
"C:\Users\Admin\AppData\Local\Temp\dfcb6fc752ebeaf4d53f75aea06299c6.exe"
1⤵
- Identifies Wine through registry keys
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old

Filesize
7KB

MD5
85666e6a0492cb23c41d641f19f5522e

SHA1
04e9d9b1a456fdafa572408269320f8203f003e7

SHA256
85b180c4e9a5b6750044ffa0e3bbd0524a38ac46c30fb8dab41907d288e68de8

SHA512
dc61c96e000ba03a7723aa0736c77427fcb6f60c96ff96850aff4e7c31748ba262bdd501e9690ba675c1b183ad769c45513110af40232c3e0c2c2d8faceb21f3

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new

Filesize
170B

MD5
d2823ace28e6c8a98bd9539ae158e882

SHA1
86aa91039b0140c3cc253d3a99d61f0169d521ed

SHA256
1999839c286b493d6ae74a73061e3a35588af5a80e2af43c334ebc206a0b6b62

SHA512
6c4e8fbd04da5211bf43c3d8422c26762c568fbb0dcd331bb4de8af21ef6a4b7ad676b8a0b0825f2e6c906edf755795e96ecffd4ed5381222243b5498c4d716c

Download Submit
memory/2652-33-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-36-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-29-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-30-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-31-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-32-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-0-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-34-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-35-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-14-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-37-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-38-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-39-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-40-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-41-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-42-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-43-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads