9ff7cc90da4d2b622e4d59378a71b8eeaa32441fa42757091d983a7fece85d51

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 16:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d1d8cef22bddefexeexeexeex.exe
Size

100KB
MD5

d1d8cef22bddef4ddf1d1e2070027870
SHA1

6c0c8506dd8fefc7a5b06456e790bbfcc81ebd35
SHA256

9ff7cc90da4d2b622e4d59378a71b8eeaa32441fa42757091d983a7fece85d51
SHA512

9cd0de8c6863745fdf85c917a8d0a99196bdcf284508cd76bf84f20443474c08028859f25c82f800e909775d5c298e5e022ddbf2708182745980dd668a2cb78f
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalRn5iF1j6Gkdo:1nK6a+qdOOtEvwDpjp

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	d1d8cef22bddefexeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
3904	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2828-133-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/files/0x000800000002320c-145.dat	upx
behavioral2/files/0x000800000002320c-147.dat	upx
behavioral2/files/0x000800000002320c-148.dat	upx
behavioral2/memory/2828-149-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/memory/3904-157-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3904	2828	d1d8cef22bddefexeexeexeex.exe	84
PID 2828 wrote to memory of 3904	2828	d1d8cef22bddefexeexeexeex.exe	84
PID 2828 wrote to memory of 3904	2828	d1d8cef22bddefexeexeexeex.exe	84

C:\Users\Admin\AppData\Local\Temp\d1d8cef22bddefexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d1d8cef22bddefexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
101KB

MD5
e0a79739a87c49a1b610a8169e091304

SHA1
d35ddad934c568ed4a66f23c0dba551ef4df518a

SHA256
cf229dfb28da50c4e6a641870e9106590fa4d14aa6e8e2553fe5b54e80e16fe4

SHA512
df766df9eda5cc0d673059ebde9e4b8f974374aa5d5562641a06ffd3526e68ead8b13995117f5ec217da05d2f59ff76d449aa7cfc89357deb74ef426412707c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
101KB

MD5
e0a79739a87c49a1b610a8169e091304

SHA1
d35ddad934c568ed4a66f23c0dba551ef4df518a

SHA256
cf229dfb28da50c4e6a641870e9106590fa4d14aa6e8e2553fe5b54e80e16fe4

SHA512
df766df9eda5cc0d673059ebde9e4b8f974374aa5d5562641a06ffd3526e68ead8b13995117f5ec217da05d2f59ff76d449aa7cfc89357deb74ef426412707c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
101KB

MD5
e0a79739a87c49a1b610a8169e091304

SHA1
d35ddad934c568ed4a66f23c0dba551ef4df518a

SHA256
cf229dfb28da50c4e6a641870e9106590fa4d14aa6e8e2553fe5b54e80e16fe4

SHA512
df766df9eda5cc0d673059ebde9e4b8f974374aa5d5562641a06ffd3526e68ead8b13995117f5ec217da05d2f59ff76d449aa7cfc89357deb74ef426412707c7

Download Submit
memory/2828-133-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2828-134-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/2828-135-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/2828-149-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/3904-151-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/3904-157-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download