2f5622e67611fe6423897010d59758773d994d7b587f1ba098bd9148cb7a1493

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d487da39a0c300exeexeexeex.exe
Size

63KB
MD5

d487da39a0c300e49109df3f3acd76b2
SHA1

2abb4c3b22eeb2079c250b9bc5192e4943dc9b8f
SHA256

2f5622e67611fe6423897010d59758773d994d7b587f1ba098bd9148cb7a1493
SHA512

d57d8fcb5892cc5cc46d543b1af069f8dfecb9ba2f20e5bd4b26a031bbe5a3d61699c0ebe4439c6785ad9e06b280a7f8b83740a18a50c5483693e3df53784d30
SSDEEP

1536:z6QFElP6n+gKmddpMOtEvwDpj9aYaFAetiD:z6a+CdOOtEvwDpjQe

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	d487da39a0c300exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
1488	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1556-133-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0009000000022fa3-145.dat	upx
behavioral2/files/0x0009000000022fa3-147.dat	upx
behavioral2/files/0x0009000000022fa3-148.dat	upx
behavioral2/memory/1556-149-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1488-157-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1488	1556	d487da39a0c300exeexeexeex.exe	85
PID 1556 wrote to memory of 1488	1556	d487da39a0c300exeexeexeex.exe	85
PID 1556 wrote to memory of 1488	1556	d487da39a0c300exeexeexeex.exe	85

C:\Users\Admin\AppData\Local\Temp\d487da39a0c300exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d487da39a0c300exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
63KB

MD5
84e725dc0a0aeae0447b499d5dd015f1

SHA1
0215e3a4fc570ca65b251752b822e2ccde41b94b

SHA256
ee2f74788ea9c8081d52d84dd05cab7f3f8f8dce8291165fe1bb0e650046edf6

SHA512
c7151a11b1258ddc14edde6c68009294dc17eb5ec69dd598cb56ae4ee2454b29a152b0a5b3853d82efd6ebafefcdaa1328daa3492b04516a2440020ba19316a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
63KB

MD5
84e725dc0a0aeae0447b499d5dd015f1

SHA1
0215e3a4fc570ca65b251752b822e2ccde41b94b

SHA256
ee2f74788ea9c8081d52d84dd05cab7f3f8f8dce8291165fe1bb0e650046edf6

SHA512
c7151a11b1258ddc14edde6c68009294dc17eb5ec69dd598cb56ae4ee2454b29a152b0a5b3853d82efd6ebafefcdaa1328daa3492b04516a2440020ba19316a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
63KB

MD5
84e725dc0a0aeae0447b499d5dd015f1

SHA1
0215e3a4fc570ca65b251752b822e2ccde41b94b

SHA256
ee2f74788ea9c8081d52d84dd05cab7f3f8f8dce8291165fe1bb0e650046edf6

SHA512
c7151a11b1258ddc14edde6c68009294dc17eb5ec69dd598cb56ae4ee2454b29a152b0a5b3853d82efd6ebafefcdaa1328daa3492b04516a2440020ba19316a0

Download Submit
memory/1488-151-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/1488-157-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1556-133-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1556-134-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/1556-135-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/1556-149-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download