85d1292891bd7d39fe3758995a547f9671f868b57f2ee4c23dff2b87a3633a27

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16026356611632exeexeexeex.exe
Size

140KB
MD5

16026356611632f557c42df63e1b5a55
SHA1

dd89e39f8f5cc4cdb5c84e56a5a4b053d2a354ce
SHA256

85d1292891bd7d39fe3758995a547f9671f868b57f2ee4c23dff2b87a3633a27
SHA512

2b14dbf2eae9e6ef80c4bfc37795db537497181d6d43ba3b09b6c016e4957fc7f4ff6067642560c102838713d89d194f2184782e69086f81d6e7dc5a7d04d63a
SSDEEP

1536:z6QFElP6n+gKmddpMOtEvwDpj3GYQbN/PKwNgp699Gjr0BSv:z6a+CdOOtEvwDpjczC

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	16026356611632exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
3796	asih.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4756-141-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0008000000023265-145.dat	upx
behavioral2/files/0x0008000000023265-148.dat	upx
behavioral2/files/0x0008000000023265-147.dat	upx
behavioral2/memory/3796-156-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3796	4756	16026356611632exeexeexeex.exe	87
PID 4756 wrote to memory of 3796	4756	16026356611632exeexeexeex.exe	87
PID 4756 wrote to memory of 3796	4756	16026356611632exeexeexeex.exe	87

C:\Users\Admin\AppData\Local\Temp\16026356611632exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\16026356611632exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
140KB

MD5
3ecb11e52bf3193948100896ef1edbe1

SHA1
94933e2db85e76d275b3531421b89a6c1b9fec50

SHA256
a6100f098974be405ec74e065f9349ed875734634fff5457d7c062c508ecc91d

SHA512
39bd3d12fd9080de03c290f0f2043b1eba2c6a5f46cda2626bc9b265ef499ca63cf21d0e04c44c727af76621f7186fd5895b22005aaaa3349500733ac2784d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
140KB

MD5
3ecb11e52bf3193948100896ef1edbe1

SHA1
94933e2db85e76d275b3531421b89a6c1b9fec50

SHA256
a6100f098974be405ec74e065f9349ed875734634fff5457d7c062c508ecc91d

SHA512
39bd3d12fd9080de03c290f0f2043b1eba2c6a5f46cda2626bc9b265ef499ca63cf21d0e04c44c727af76621f7186fd5895b22005aaaa3349500733ac2784d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
140KB

MD5
3ecb11e52bf3193948100896ef1edbe1

SHA1
94933e2db85e76d275b3531421b89a6c1b9fec50

SHA256
a6100f098974be405ec74e065f9349ed875734634fff5457d7c062c508ecc91d

SHA512
39bd3d12fd9080de03c290f0f2043b1eba2c6a5f46cda2626bc9b265ef499ca63cf21d0e04c44c727af76621f7186fd5895b22005aaaa3349500733ac2784d18

Download Submit
memory/3796-150-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/3796-156-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4756-133-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/4756-134-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/4756-141-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download