Analysis Overview
SHA256
33b389b3d1b587538cc83e3d9cc51238cb69abd31407162bbfbb74c403543fbd
Threat Level: Shows suspicious behavior
The file 33b389b3d1b587538cc83e3d9cc51238cb69abd31407162bbfbb74c403543fbd was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
UPX packed file
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-07 16:52
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 16:52
Reported
2024-06-07 16:55
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\33b389b3d1b587538cc83e3d9cc51238cb69abd31407162bbfbb74c403543fbd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\33b389b3d1b587538cc83e3d9cc51238cb69abd31407162bbfbb74c403543fbd.exe | "C:\Users\Admin\AppData\Local\Temp\33b389b3d1b587538cc83e3d9cc51238cb69abd31407162bbfbb74c403543fbd.exe" |
| C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe" |
| C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.programworkshop.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 161.47.163.214:80 | www.programworkshop.com | tcp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.163.47.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/2740-0-0x0000000000110000-0x00000000001B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
| Hash | Value |
| --- | --- |
| MD5 | 368332fca74f48697d842c5f4698ae1d |
| SHA1 | 0275153a1e62bd0eca0b02168895517ed66aac56 |
| SHA256 | 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59 |
| SHA512 | fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5 |
memory/2740-14-0x0000000000110000-0x00000000001B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 16:52
Reported
2024-06-07 16:55
Platform
win11-20240426-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\33b389b3d1b587538cc83e3d9cc51238cb69abd31407162bbfbb74c403543fbd.exe | "C:\Users\Admin\AppData\Local\Temp\33b389b3d1b587538cc83e3d9cc51238cb69abd31407162bbfbb74c403543fbd.exe" |
| C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe" |
| C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.programworkshop.com | udp |
| US | 161.47.163.214:80 | www.programworkshop.com | tcp |
Files
memory/3056-0-0x0000000000590000-0x0000000000630000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
| Hash | Value |
| --- | --- |
| MD5 | 368332fca74f48697d842c5f4698ae1d |
| SHA1 | 0275153a1e62bd0eca0b02168895517ed66aac56 |
| SHA256 | 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59 |
| SHA512 | fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5 |
memory/3056-14-0x0000000000590000-0x0000000000630000-memory.dmp