Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/03/2024, 03:00

General

  • Target

    33ea194cbd6e09cae3e5a5f7012b8a20372519bb368aa90d789b8dc7a52f404d.exe

  • Size

    197KB

  • MD5

    ac3e41e023c84e6f958ebae4b2769c57

  • SHA1

    4b9e52a73e356304db48f778d27e188d07ba52e8

  • SHA256

    33ea194cbd6e09cae3e5a5f7012b8a20372519bb368aa90d789b8dc7a52f404d

  • SHA512

    10fa96c9a9cf3831b3b2657860ee424da011aa119f4c44c48596e078462da1f30fdfff21d19bd9132dec5ebe8cab53ca7fe9e360fc25147541cd63f7bc50a1d8

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOK:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXL

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely geofencing.

  • Executes dropped EXE (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\33ea194cbd6e09cae3e5a5f7012b8a20372519bb368aa90d789b8dc7a52f404d.exe
    "C:\Users\Admin\AppData\Local\Temp\33ea194cbd6e09cae3e5a5f7012b8a20372519bb368aa90d789b8dc7a52f404d.exe"
    PID:3248
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • (child) C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\33EA19~1.EXE > nul
      PID:3604
  • C:\Windows\Debug\zewhost.exe
    C:\Windows\Debug\zewhost.exe
    PID:400
    • Executes dropped EXE
    • Checks processor information in registry
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3400 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
    PID:3428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\debug\zewhost.exe

    Filesize
    197KB

    MD5
    d472585fe2a1875e3599eeed7e3c11bf

    SHA1
    5acd9a326ac908ab0a19ab1bab772bd1b47ceefb

    SHA256
    9ecf53df52d92bdd471ca4552759557da104b3813f661390efc10bb07964d1f1

    SHA512
    0f7bf308e4212edacc2a587cd1f4ebbd3f40c03d60a7e7f63379039be1791ec32f3f9a35aea40a73d95ff0ae879b2166ce025c24323388c3190e3f2245eefe72