9d1443fa0e0982b01619aa67082835911a87f3f2a4be5772bc889d5666d5f422

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

694d7f8ec0f10cexeexeexeex.exe
Size

117KB
MD5

694d7f8ec0f10caa9f6c82c26a92c5d1
SHA1

d8c8a9041f052ff63ed7046de9f6ca7d56dc6787
SHA256

9d1443fa0e0982b01619aa67082835911a87f3f2a4be5772bc889d5666d5f422
SHA512

d054be82adbd751869f7b1d62024a42e14313eca74baa134dc7dbcfcc4ebeb29c6d1ea7d36a74f41e4f62dacc6ed39ee539e8a2d20c41a067afb1a3bfa82bfa4
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp699G/TG4dY2:AnBdOOtEvwDpj6zU

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	694d7f8ec0f10cexeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
4756	asih.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1464-141-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/files/0x000900000002320f-145.dat	upx
behavioral2/files/0x000900000002320f-147.dat	upx
behavioral2/files/0x000900000002320f-148.dat	upx
behavioral2/memory/4756-157-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4756	1464	694d7f8ec0f10cexeexeexeex.exe	85
PID 1464 wrote to memory of 4756	1464	694d7f8ec0f10cexeexeexeex.exe	85
PID 1464 wrote to memory of 4756	1464	694d7f8ec0f10cexeexeexeex.exe	85

C:\Users\Admin\AppData\Local\Temp\694d7f8ec0f10cexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\694d7f8ec0f10cexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
117KB

MD5
587ed3f330ec6ce74e325dd8142c03ac

SHA1
216b5659e8ec1d25df3b6556f902f4b67cef42e6

SHA256
835991a0d8cf430585407156ae68fe029161f21355b715c7d2f00130a203036b

SHA512
9e26c38287becac34f1069b49eb113d081d9a9f1f6e1cda126db47d00016d7b70f770394ea68e479a7c3ad0c570a90cdb3e907ffa17f3fbfe74c761739d62def

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
117KB

MD5
587ed3f330ec6ce74e325dd8142c03ac

SHA1
216b5659e8ec1d25df3b6556f902f4b67cef42e6

SHA256
835991a0d8cf430585407156ae68fe029161f21355b715c7d2f00130a203036b

SHA512
9e26c38287becac34f1069b49eb113d081d9a9f1f6e1cda126db47d00016d7b70f770394ea68e479a7c3ad0c570a90cdb3e907ffa17f3fbfe74c761739d62def

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
117KB

MD5
587ed3f330ec6ce74e325dd8142c03ac

SHA1
216b5659e8ec1d25df3b6556f902f4b67cef42e6

SHA256
835991a0d8cf430585407156ae68fe029161f21355b715c7d2f00130a203036b

SHA512
9e26c38287becac34f1069b49eb113d081d9a9f1f6e1cda126db47d00016d7b70f770394ea68e479a7c3ad0c570a90cdb3e907ffa17f3fbfe74c761739d62def

Download Submit
memory/1464-133-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download
memory/1464-134-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download
memory/1464-141-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4756-151-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/4756-157-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download