4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee

General

Target

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
Size

10.3MB
MD5

e3abe904593a215b4dae43cdfd2b0d7e
SHA1

a24443eb26a99aed2cabb5285789dea8e51eb235
SHA256

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee
SHA512

0640b99cb3996685415fa5673ca087e32d598a8e66f0f87d84497e739730681e1a52811a8a72b7f98718ee55fbb72b2dd6c1b41dce5fb726f8ddd67d60dda617
SSDEEP

196608:46F/8qYqsBmiFm4CTqfG+vTiwnDmNQkJM8uDIYnKO37w7:TF/8qD4F3e+biSDcQwM8uDuN

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

Executes dropped EXE 2 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exearia2c.exe

pid process

4004 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
448 aria2c.exe
Loads dropped DLL 1 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid process

1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
4004	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
448	aria2c.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	upx
behavioral2/memory/4004-6-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2904 4004 WerFault.exe 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

pid	pid_target	process	target process
2904	4004	WerFault.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

description	pid	process	target process
PID 1456 wrote to memory of 4004	1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 1456 wrote to memory of 4004	1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 1456 wrote to memory of 4004	1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 1456 wrote to memory of 448	1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe
PID 1456 wrote to memory of 448	1456	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe

C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
"C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 272
3⤵
- Program crash
PID:2904

C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe
"C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe" --conf-path=C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf #--save-session=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --input-file=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Roaming/datatemp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Roaming/datatemp/dht6.dat --bt-external-ip= --stop-with-process=1456
2⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 4004
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
Filesize
105KB

MD5
dfb5daabb95dcfad1a5faf9ab1437076

SHA1
4a199569a9b52911bee7fb19ab80570cc5ff9ed1

SHA256
54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

SHA512
5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

Download Submit
C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf
Filesize
55KB

MD5
4a1b71ede6ff12456038f6a26e356a42

SHA1
16af6552ebbeb0300d1451715add745e840ff993

SHA256
0ee9c9e686a595f86d25854bca6e92e8bfd51437a28306b4eaebf736156cc7ee

SHA512
bea15214c76083c86f4104e569bb93ba7000e4e555382b6cc97e0c9bdb6b4de72f50b8458d4c3420e073edefe4f40b7eea580000001d089fd5c78e303fbd8501

Download Submit
C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe
Filesize
4.8MB

MD5
a5c047f169471bd325552c255d6c04af

SHA1
e313cff2f3d668ec5d0e90920bd622b0f38aed9d

SHA256
cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a

SHA512
6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

Download Submit
C:\Users\Admin\AppData\Roaming\datatemp\libcurl.dll
Filesize
2.5MB

MD5
298f5812023bab65ee23d13ee9489a6e

SHA1
71e9d7f205e5e7af6907c539c77a3aeea971692f

SHA256
fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e

SHA512
217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd

Download Submit
memory/448-36-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/448-38-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/1456-4-0x0000000000400000-0x0000000000E92000-memory.dmp

Filesize
10.6MB

Download
memory/1456-37-0x0000000000400000-0x0000000000E92000-memory.dmp

Filesize
10.6MB

Download
memory/4004-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4004-5-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads