7c5e4b38d6ede543d6c434a20643720c95a971acc2e5f84fcbae55e3971ae59a

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c870be3aa0c026exeexeexeex.exe
Size

80KB
MD5

c870be3aa0c02698ce89adda402f2bfa
SHA1

4e88f12677221ed77a5c3a5913af8350b3fa695f
SHA256

7c5e4b38d6ede543d6c434a20643720c95a971acc2e5f84fcbae55e3971ae59a
SHA512

8d182ce6a442a0905d137e023da3846362da2417de949017f4d7c26f7ac07a9e97e2ece99d6f234d045512a948fd231325480151b56b7516a4efb599fbc8d63d
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalDSnU5L:1nK6a+qdOOtEvwDpjK

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	c870be3aa0c026exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
1384	asih.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3244-136-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/files/0x00070000000231e0-144.dat	upx
behavioral2/files/0x00070000000231e0-147.dat	upx
behavioral2/files/0x00070000000231e0-148.dat	upx
behavioral2/memory/1384-156-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 1384	3244	c870be3aa0c026exeexeexeex.exe	85
PID 3244 wrote to memory of 1384	3244	c870be3aa0c026exeexeexeex.exe	85
PID 3244 wrote to memory of 1384	3244	c870be3aa0c026exeexeexeex.exe	85

C:\Users\Admin\AppData\Local\Temp\c870be3aa0c026exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c870be3aa0c026exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
80KB

MD5
85c040a4e0b24e68c520a9820ba29b60

SHA1
8a55a0488957c34730ef3713976ec50d47d89481

SHA256
4947d478595a6bdfc6359e9d34c653839151a5eda6e8d60b22664fdc7476106f

SHA512
47f99ead92d2df73dc6e3aacb4f9158521fa37b0b4890de5f245f9f21ec21d3869d5d407fd731c16d1c9a9dd1ecec124c4d269c8d1d738130dff27d43fa056b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
80KB

MD5
85c040a4e0b24e68c520a9820ba29b60

SHA1
8a55a0488957c34730ef3713976ec50d47d89481

SHA256
4947d478595a6bdfc6359e9d34c653839151a5eda6e8d60b22664fdc7476106f

SHA512
47f99ead92d2df73dc6e3aacb4f9158521fa37b0b4890de5f245f9f21ec21d3869d5d407fd731c16d1c9a9dd1ecec124c4d269c8d1d738130dff27d43fa056b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
80KB

MD5
85c040a4e0b24e68c520a9820ba29b60

SHA1
8a55a0488957c34730ef3713976ec50d47d89481

SHA256
4947d478595a6bdfc6359e9d34c653839151a5eda6e8d60b22664fdc7476106f

SHA512
47f99ead92d2df73dc6e3aacb4f9158521fa37b0b4890de5f245f9f21ec21d3869d5d407fd731c16d1c9a9dd1ecec124c4d269c8d1d738130dff27d43fa056b8

Download Submit
memory/1384-150-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/1384-156-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/3244-133-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/3244-134-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/3244-136-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download