d48172531a997afe65bea4929f4920f70a3f43bcec5b07c98023d79612208018

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e530c1f44cf81bexeexeexeex.exe
Size

102KB
MD5

e530c1f44cf81bc01512b3518f9ffe9b
SHA1

7d5d751568c64d1fd253f36a4ea8b128bf091df1
SHA256

d48172531a997afe65bea4929f4920f70a3f43bcec5b07c98023d79612208018
SHA512

0f440013c103871e23da0becf69f8b641a94de522ab6530d84ea4634cb3868228c49f06669d8fc9a58beebd147d28a0f0543dcfad6c0c9114e3809a47986fd2f
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalRn5iF1j6GR8A:1nK6a+qdOOtEvwDpjt

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	e530c1f44cf81bexeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
4992	asih.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1208-141-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/files/0x0007000000023261-145.dat	upx
behavioral2/files/0x0007000000023261-147.dat	upx
behavioral2/files/0x0007000000023261-148.dat	upx
behavioral2/memory/4992-156-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 4992	1208	e530c1f44cf81bexeexeexeex.exe	85
PID 1208 wrote to memory of 4992	1208	e530c1f44cf81bexeexeexeex.exe	85
PID 1208 wrote to memory of 4992	1208	e530c1f44cf81bexeexeexeex.exe	85

C:\Users\Admin\AppData\Local\Temp\e530c1f44cf81bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\e530c1f44cf81bexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
102KB

MD5
15a3a97c0aac307c42d4e9facccaf4da

SHA1
c714fcfc4ea8948c895f3f557b4bf51ff5ed1397

SHA256
1e14569268ae8a1d5f8c52ef3041c822b258915a499c4f7ea5bc2c6568492380

SHA512
510d4accd54445cc7990ec17d1fec590b988bb43aa25a25305191d3e147a7a2c16bc92b4f3d99c3284ba4ae866ef85c97bdfcade06f6b246928dd55820af4dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
102KB

MD5
15a3a97c0aac307c42d4e9facccaf4da

SHA1
c714fcfc4ea8948c895f3f557b4bf51ff5ed1397

SHA256
1e14569268ae8a1d5f8c52ef3041c822b258915a499c4f7ea5bc2c6568492380

SHA512
510d4accd54445cc7990ec17d1fec590b988bb43aa25a25305191d3e147a7a2c16bc92b4f3d99c3284ba4ae866ef85c97bdfcade06f6b246928dd55820af4dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
102KB

MD5
15a3a97c0aac307c42d4e9facccaf4da

SHA1
c714fcfc4ea8948c895f3f557b4bf51ff5ed1397

SHA256
1e14569268ae8a1d5f8c52ef3041c822b258915a499c4f7ea5bc2c6568492380

SHA512
510d4accd54445cc7990ec17d1fec590b988bb43aa25a25305191d3e147a7a2c16bc92b4f3d99c3284ba4ae866ef85c97bdfcade06f6b246928dd55820af4dbc

Download Submit
memory/1208-133-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/1208-134-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download
memory/1208-141-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/4992-150-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4992-156-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download