Analysis
-
max time kernel
149s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
08/07/2023, 16:27
General
-
Target
8192d088d86e04exeexeexeex.exe
-
Size
79KB
-
MD5
8192d088d86e04c9e466c6488044f21e
-
SHA1
2567b3ec224ee12e77a8db151ebd29f5ea56763a
-
SHA256
68d2184a25dd643afca3cc438bdc898e1cf8257e051c8e589900beb99ed91f1b
-
SHA512
2e2d648911794e063fec5644c42f3b0a4882379ad26ee91607105b22480868b31fdcab67d97356cc19defa7f3b2bc1851a1747c3dbfa2c655c86fb700be738db
-
SSDEEP
1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalDSnUTd:1nK6a+qdOOtEvwDpjG
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8192d088d86e04exeexeexeex.exe"C:\Users\Admin\AppData\Local\Temp\8192d088d86e04exeexeexeex.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD56143dfa91e439543444eae2922b334ad
SHA1d6a8ac226f253bb29aeaa23a4c72b3541d8711b1
SHA256fdb00e2ee339f63c9d2e1a503ccec95f6e540381a9ad808d38b8cc5b022cf6ba
SHA5121686059f526ae339d0003dc9baf8cf00a920b84babf248a2b3c19c2c4413682993b6c6c264e68e9b2051febec570474e7307d5f1c794be19e87721b338cb485d
-
Filesize
80KB
MD56143dfa91e439543444eae2922b334ad
SHA1d6a8ac226f253bb29aeaa23a4c72b3541d8711b1
SHA256fdb00e2ee339f63c9d2e1a503ccec95f6e540381a9ad808d38b8cc5b022cf6ba
SHA5121686059f526ae339d0003dc9baf8cf00a920b84babf248a2b3c19c2c4413682993b6c6c264e68e9b2051febec570474e7307d5f1c794be19e87721b338cb485d
-
Filesize
80KB
MD56143dfa91e439543444eae2922b334ad
SHA1d6a8ac226f253bb29aeaa23a4c72b3541d8711b1
SHA256fdb00e2ee339f63c9d2e1a503ccec95f6e540381a9ad808d38b8cc5b022cf6ba
SHA5121686059f526ae339d0003dc9baf8cf00a920b84babf248a2b3c19c2c4413682993b6c6c264e68e9b2051febec570474e7307d5f1c794be19e87721b338cb485d
-
Filesize
60KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
60KB
-
Filesize
24KB
-
Filesize
60KB