acfdbc2fb1003c4d685d5825391bd3bbc37398430f3eb3c091b9164a03903b84

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e3e1704e5ae0eexeexeexeex.exe
Size

42KB
MD5

4e3e1704e5ae0e27a77ce2de4ffd94ad
SHA1

cec6a328073b1d030be6965430de5f8a5059e0dd
SHA256

acfdbc2fb1003c4d685d5825391bd3bbc37398430f3eb3c091b9164a03903b84
SHA512

aba5479bdefb36b664b1b26e749cea27fbecaf6a006d624206850b6caa8d63db23a0be765d98977036ed3626e210df1b94ee71f58f3869ad0ff36b9df2d91b6d
SSDEEP

768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5aFr7YOzzOSIE:qUmnpomddpMOtEvwDpjjaYaFACIE

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	4e3e1704e5ae0eexeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
3328	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2972-133-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/files/0x000a000000022fa9-145.dat	upx
behavioral2/files/0x000a000000022fa9-147.dat	upx
behavioral2/files/0x000a000000022fa9-148.dat	upx
behavioral2/memory/3328-153-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/memory/2972-152-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3328	2972	4e3e1704e5ae0eexeexeexeex.exe	86
PID 2972 wrote to memory of 3328	2972	4e3e1704e5ae0eexeexeexeex.exe	86
PID 2972 wrote to memory of 3328	2972	4e3e1704e5ae0eexeexeexeex.exe	86

C:\Users\Admin\AppData\Local\Temp\4e3e1704e5ae0eexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\4e3e1704e5ae0eexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
42KB

MD5
5ec20208568bc267a507aa63e2d481a9

SHA1
12f6708c36b1db34d98a3ec154d468bc65c35193

SHA256
9967e1491e9c4f212deb794df190e2ca3076f7a95e809b488280a2d8a15f1ea8

SHA512
b52e60832e8aa5c91096bf7d183c7ca1fc7d4ee1b9ae81747c380b532f9c491483d7c66036a671c263c3e9fd7181389dc9964dc970f6dd1ecdcdef6afe0fd70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
42KB

MD5
5ec20208568bc267a507aa63e2d481a9

SHA1
12f6708c36b1db34d98a3ec154d468bc65c35193

SHA256
9967e1491e9c4f212deb794df190e2ca3076f7a95e809b488280a2d8a15f1ea8

SHA512
b52e60832e8aa5c91096bf7d183c7ca1fc7d4ee1b9ae81747c380b532f9c491483d7c66036a671c263c3e9fd7181389dc9964dc970f6dd1ecdcdef6afe0fd70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
42KB

MD5
5ec20208568bc267a507aa63e2d481a9

SHA1
12f6708c36b1db34d98a3ec154d468bc65c35193

SHA256
9967e1491e9c4f212deb794df190e2ca3076f7a95e809b488280a2d8a15f1ea8

SHA512
b52e60832e8aa5c91096bf7d183c7ca1fc7d4ee1b9ae81747c380b532f9c491483d7c66036a671c263c3e9fd7181389dc9964dc970f6dd1ecdcdef6afe0fd70d

Download Submit
memory/2972-133-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2972-134-0x0000000002300000-0x0000000002306000-memory.dmp

Filesize
24KB

Download
memory/2972-135-0x0000000002220000-0x0000000002226000-memory.dmp

Filesize
24KB

Download
memory/2972-152-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3328-150-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/3328-153-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download