Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 04:18
Behavioral task: behavioral1
- Sample: Device/HarddiskVolume5/USERS/Administrator/AppData/Local/Temp/HYDF2AB.tmp.1644086939_permissionsCopy/updates/3.5.5_46010.exe
- Resource: win7-20240508-en
General
- Target: Device/HarddiskVolume5/USERS/Administrator/AppData/Local/Temp/HYDF2AB.tmp.1644086939_permissionsCopy/updates/3.5.5_46010.exe
- Size: 2.0MB
- MD5: 3dffcaaffa5b777a02aa531f5bad41e7
- SHA1: 70afb27f75f612710181e0069a1d59690e1528db
- SHA256: e30d28b6fe4eea1e4d7390897897f6beecb5c805bba810c5b1119e48272947f6
- SHA512: 5bb726fbc57b6b831084d6f58c949a878df2ea39fff9c2bd0df209bebad90c98a4cfb2290b89440313641f51c9fdfa171fe05f58599f839629bac17cb2faa299
- SSDEEP: 24576:Gebxzp1tSXaXpzKCIUSKZl7fBlX9mlln2OCehr/kYoFlUo5SEFW31alR1AEdxWmU:xbf10asOltltckTe96m3ETxW21nuxC
Malware Config
Signatures
-
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\Wine | 3.5.5_46010.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine | 3.5.5_46010.exe
- YARA rule match: upx
  Processes (resource | yara_rule):
    behavioral1/memory/2244-0-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-13-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-21-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-28-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-29-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-30-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-31-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-33-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-34-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-35-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-36-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-37-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-39-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-40-0x0000000000400000-0x000000000097A000-memory.dmp | upx
    behavioral1/memory/2244-41-0x0000000000400000-0x000000000097A000-memory.dmp | upx
- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\FalconBetaAccount | 3.5.5_46010.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\FalconBetaAccount\remote_access_client_id = "0228076930" | 3.5.5_46010.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    2244 | 3.5.5_46010.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    2244 | 3.5.5_46010.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeManageVolumePrivilege | 2244 | 3.5.5_46010.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\USERS\Administrator\AppData\Local\Temp\HYDF2AB.tmp.1644086939_permissionsCopy\updates\3.5.5_46010.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume5\USERS\Administrator\AppData\Local\Temp\HYDF2AB.tmp.1644086939_permissionsCopy\updates\3.5.5_46010.exe"
  - Identifies Wine through registry keys
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat.old
  Filesize: 7KB
  MD5: 93021999cb37ca7b62d82fe050fa4a96
  SHA1: 63287e208983516f2a696b4532bb39bac128a36d
  SHA256: 9d72c7313a81faf516209dc705ed364402f45d0849c57414f9c39c576584b6e0
  SHA512: 2906d03e36303515b721c9d6e5c17cfa30130a2abee1ec5b7022eb2ce923d3dd389cb2a5d7c53374275abe15a652f0d2d472d9251799e452c4d4b2de6b07e8f4
- C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new
  Filesize: 231B
  MD5: 1cda5503e74f672c3affe109b6bde393
  SHA1: 514283a5b5cf53c218ce4d53b1a8d38d4f2a9667
  SHA256: ffe5bcba6dac90958524e5b4ba06e0a03707a46cbf7d92af505ca77a61dc8967
  SHA512: fa5f127bfb79564a4f37dbf4fdf4a044b916d12caebbcce1347901467dfd89bc06c07a754fcc4354db5fd0c2246c313b30a9542fb2aadebcc3cd2d8d4ef67066
- memory/2244-31-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-33-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-13-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-28-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-29-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-30-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-0-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-21-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-34-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-35-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-36-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-37-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-39-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-40-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)
- memory/2244-41-0x0000000000400000-0x000000000097A000-memory.dmp (Filesize: 5.5MB)