Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 10:56
Static task
static1
Behavioral task
behavioral1
Sample
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
Resource
win10v2004-20240426-en
General
-
Target
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
-
Size
10.3MB
-
MD5
e3abe904593a215b4dae43cdfd2b0d7e
-
SHA1
a24443eb26a99aed2cabb5285789dea8e51eb235
-
SHA256
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee
-
SHA512
0640b99cb3996685415fa5673ca087e32d598a8e66f0f87d84497e739730681e1a52811a8a72b7f98718ee55fbb72b2dd6c1b41dce5fb726f8ddd67d60dda617
-
SSDEEP
196608:46F/8qYqsBmiFm4CTqfG+vTiwnDmNQkJM8uDIYnKO37w7:TF/8qD4F3e+biSDcQwM8uDuN
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe -
Executes dropped EXE 2 IoCs
Processes:
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exearia2c.exepid process 4004 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe 448 aria2c.exe -
Loads dropped DLL 1 IoCs
Processes:
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exepid process 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe upx behavioral2/memory/4004-6-0x0000000000400000-0x000000000045B000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2904 4004 WerFault.exe 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exepid process 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exepid process 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exepid process 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exedescription pid process target process PID 1456 wrote to memory of 4004 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe PID 1456 wrote to memory of 4004 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe PID 1456 wrote to memory of 4004 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe PID 1456 wrote to memory of 448 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe aria2c.exe PID 1456 wrote to memory of 448 1456 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe aria2c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe"C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exeC:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe2⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 2723⤵
- Program crash
PID:2904 -
C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe"C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe" --conf-path=C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf #--save-session=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --input-file=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Roaming/datatemp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Roaming/datatemp/dht6.dat --bt-external-ip= --stop-with-process=14562⤵
- Executes dropped EXE
PID:448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 40041⤵PID:4484
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exeFilesize
105KB
MD5dfb5daabb95dcfad1a5faf9ab1437076
SHA14a199569a9b52911bee7fb19ab80570cc5ff9ed1
SHA25654282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0
SHA5125d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8
-
C:\Users\Admin\AppData\Roaming\datatemp\aria2.confFilesize
55KB
MD54a1b71ede6ff12456038f6a26e356a42
SHA116af6552ebbeb0300d1451715add745e840ff993
SHA2560ee9c9e686a595f86d25854bca6e92e8bfd51437a28306b4eaebf736156cc7ee
SHA512bea15214c76083c86f4104e569bb93ba7000e4e555382b6cc97e0c9bdb6b4de72f50b8458d4c3420e073edefe4f40b7eea580000001d089fd5c78e303fbd8501
-
C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exeFilesize
4.8MB
MD5a5c047f169471bd325552c255d6c04af
SHA1e313cff2f3d668ec5d0e90920bd622b0f38aed9d
SHA256cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a
SHA5126cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d
-
C:\Users\Admin\AppData\Roaming\datatemp\libcurl.dllFilesize
2.5MB
MD5298f5812023bab65ee23d13ee9489a6e
SHA171e9d7f205e5e7af6907c539c77a3aeea971692f
SHA256fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e
SHA512217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd
-
memory/448-36-0x0000000000400000-0x00000000008CE000-memory.dmpFilesize
4.8MB
-
memory/448-38-0x0000000000400000-0x00000000008CE000-memory.dmpFilesize
4.8MB
-
memory/1456-4-0x0000000000400000-0x0000000000E92000-memory.dmpFilesize
10.6MB
-
memory/1456-37-0x0000000000400000-0x0000000000E92000-memory.dmpFilesize
10.6MB
-
memory/4004-6-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4004-5-0x00000000004A0000-0x00000000004A1000-memory.dmpFilesize
4KB