ac7dc2d80acf1c4ddc891347bac2b63dd894ca7ad400ec53ba64cc2c958733e7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gHack-New [20.02.2018] (1)/gHack-New [20.02.2018].exe
Size

2.9MB
MD5

8dc26f22c8817802dd719355a61231a8
SHA1

f14cb22b25a2e2bdb50633c143a8ec449e4ad0f7
SHA256

ae942b51b7bc6f5d6f81fcab9c905829e89f6942ae2093b8fd864112ce9238a2
SHA512

df60734679f3a8382309350b91c87c91cab5417f0216e6ee5452e6c19c6b3fa6c59692bb41e81d223e4c1f500eb82741be6ec922a82cf819ecdc4e6b2b45560f
SSDEEP

24576:DiKf6YbusWzi0sBeC2OkmNj+l4wW8YD3m5LWZMkY8Avrb2vcO4z1Pq3+AvIZ:uHYbulTs4C2OPcW/ATyvcO4z1Pq3+AQZ

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	gHack-New [20.02.2018].exe
Key opened	\REGISTRY\MACHINE\Software\Wine	gHack-New [20.02.2018].exe
Key opened	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine	gHack-New [20.02.2018].exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2700	3716	WerFault.exe	83
2872	3716	WerFault.exe	83
4060	3716	WerFault.exe	83
1080	3716	WerFault.exe	83
3704	3716	WerFault.exe	83
4688	3716	WerFault.exe	83
1344	3716	WerFault.exe	83
1520	3716	WerFault.exe	83
1036	3716	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3716	gHack-New [20.02.2018].exe
3716	gHack-New [20.02.2018].exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3716	gHack-New [20.02.2018].exe
3716	gHack-New [20.02.2018].exe

C:\Users\Admin\AppData\Local\Temp\gHack-New [20.02.2018] (1)\gHack-New [20.02.2018].exe
"C:\Users\Admin\AppData\Local\Temp\gHack-New [20.02.2018] (1)\gHack-New [20.02.2018].exe"
1⤵
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 884
  2⤵
  - Program crash
  PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 904
  2⤵
  - Program crash
  PID:2872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 884
  2⤵
  - Program crash
  PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 940
  2⤵
  - Program crash
  PID:1080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1188
  2⤵
  - Program crash
  PID:3704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1272
  2⤵
  - Program crash
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1384
  2⤵
  - Program crash
  PID:1344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 964
  2⤵
  - Program crash
  PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1696
  2⤵
  - Program crash
  PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3716 -ip 3716
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3716 -ip 3716
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3716 -ip 3716
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3716 -ip 3716
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3716 -ip 3716
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3716 -ip 3716
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3716 -ip 3716
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3716 -ip 3716
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3716 -ip 3716
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3716-0-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download
memory/3716-1-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3716-2-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download
memory/3716-4-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3716-5-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download
memory/3716-9-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download
memory/3716-11-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download
memory/3716-12-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download
memory/3716-16-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download