33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663

Analysis

max time kernel
138s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 20:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe
Size

59KB
MD5

253c4a668a00601f1e54600737be7306
SHA1

2388122264c2924225932252d25e34309142e96b
SHA256

33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663
SHA512

ca7df11c170ec767cd6e51730e789b8d204482d6dfd371e200b1dcd158f073c28e3701b42d254c3af688fda2e2cf44fbfd363a6c2e564a2a60e3ee304be3a59f
SSDEEP

1536:kP18t0GqC4sZwE/oDOJshnZv4hz3o5NcUoo8Y1A2oFPDLb:q1a0GqCZwEwOJsBN4h7oDcUF8Y1AV

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4492	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe

Executes dropped EXE 1 IoCs

pid	Process
4492	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4804-0-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/files/0x0009000000023651-11.dat	upx
behavioral2/memory/4492-13-0x0000000000400000-0x000000000043D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4804	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4804	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe
4492	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4492	4804	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe	94
PID 4804 wrote to memory of 4492	4804	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe	94
PID 4804 wrote to memory of 4492	4804	33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe	94

C:\Users\Admin\AppData\Local\Temp\33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe
"C:\Users\Admin\AppData\Local\Temp\33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe
  C:\Users\Admin\AppData\Local\Temp\33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1308,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33bb836ec6980d44374b8258cf385c5c98dad324be31bd4b281494386974f663.exe

Filesize
59KB

MD5
aa5ee6abcabe739891d69b4b1c251c40

SHA1
0417091c14e9c9dded9d644a8573bae8083db243

SHA256
999f3c702f96322ff0abb5f66dfd2422506f49d1d4aa9875880ef0c661e06603

SHA512
61170d44c1a4d2167d08a7b0d43f50f3ecea7db272a6f42dd0b05de777ad6b3cd953689d4c1fddcb1ef47e86c250efbd3193b4d90a5682b296891119705e3761

Download Submit
memory/4492-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4492-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4492-19-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/4492-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4492-25-0x0000000004D60000-0x0000000004D7D000-memory.dmp

Filesize
116KB

Download
memory/4492-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4804-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4804-1-0x00000000001B0000-0x00000000001BF000-memory.dmp

Filesize
60KB

Download
memory/4804-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4804-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download