Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
06/07/2023, 11:34
General
-
Target
22c618cd31490eexeexeexeex.exe
-
Size
119KB
-
MD5
22c618cd31490ef305529211a00ee95f
-
SHA1
5a03199f4f23f293d0aa15b308b552b2aeee219e
-
SHA256
c41acaa0af0b4936284bec09508b8d060f00c9f7521a7e517d95368cfdb5856e
-
SHA512
8a82c3c886573e921a7c62abf67ee579f273095fc214f9de7ad4df17c4c1b60551fb1c0f4b10e08fe984b20b7e29de1349c6c3bc484a5c6c769cce0be1ce611a
-
SSDEEP
1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp699GNtL1ec:AnBdOOtEvwDpj6zi
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\22c618cd31490eexeexeexeex.exe"C:\Users\Admin\AppData\Local\Temp\22c618cd31490eexeexeexeex.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
119KB
MD5ce8579c3941831b9b1b45046a5336941
SHA129b05e89d2ee054f35e722ab5168133a05fe0045
SHA256dad275277b5051cfe1e47a8ca37b0c38758bb3ff51b980c96288541c1ad2a6c2
SHA512c0320a71cac72c6dcf06293011438e8e630a7144913dfe430b1e215959dde09c1cffd30058524b3abea124fa1cd6f536589b9ee6031b0be0094cb772b97abbbc
-
Filesize
119KB
MD5ce8579c3941831b9b1b45046a5336941
SHA129b05e89d2ee054f35e722ab5168133a05fe0045
SHA256dad275277b5051cfe1e47a8ca37b0c38758bb3ff51b980c96288541c1ad2a6c2
SHA512c0320a71cac72c6dcf06293011438e8e630a7144913dfe430b1e215959dde09c1cffd30058524b3abea124fa1cd6f536589b9ee6031b0be0094cb772b97abbbc
-
Filesize
119KB
MD5ce8579c3941831b9b1b45046a5336941
SHA129b05e89d2ee054f35e722ab5168133a05fe0045
SHA256dad275277b5051cfe1e47a8ca37b0c38758bb3ff51b980c96288541c1ad2a6c2
SHA512c0320a71cac72c6dcf06293011438e8e630a7144913dfe430b1e215959dde09c1cffd30058524b3abea124fa1cd6f536589b9ee6031b0be0094cb772b97abbbc
-
Filesize
24KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
60KB