fb2c282ead81377e6cad007a4de7a7422a9b183c0657723b18a24f99e64e06ae

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 13:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f561c5aff89398exeexeexeex.exe
Size

57KB
MD5

f561c5aff89398200508a2ce2eab6f0a
SHA1

2b07efc9961e48d57efa571a604fb48f02216073
SHA256

fb2c282ead81377e6cad007a4de7a7422a9b183c0657723b18a24f99e64e06ae
SHA512

a2b4c87ead405221869941464950d62bfc2e9fd64daf42441cd83505b81ca7e36fd4bf0178f10503b00164708b80720e4e3f2630d159d0a8c2b3b6eba1637825
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjyaLccCKdulcTPsf6:V6a+pOtEvwDpjv9T

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	f561c5aff89398exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 2396	4368	f561c5aff89398exeexeexeex.exe	86
PID 4368 wrote to memory of 2396	4368	f561c5aff89398exeexeexeex.exe	86
PID 4368 wrote to memory of 2396	4368	f561c5aff89398exeexeexeex.exe	86

C:\Users\Admin\AppData\Local\Temp\f561c5aff89398exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\f561c5aff89398exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
57KB

MD5
e5f4b27c31bf862e3f9a87738a3622ae

SHA1
27edeec5d44aad4673a4cbd1bbce71105e30de4f

SHA256
bf1bdab00e4f9d2bb8095c86f6ba723dcf0b8d717f9ae5d584d29c8c44dbf65f

SHA512
03706a114b4ad80eb102cda624db8a3495bfc8022fe7a68f52ca78850fab07c918dd819d127162603ab0a05fb0ea273d2fd6687e8a78ba6e743c5b8d62abb5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
57KB

MD5
e5f4b27c31bf862e3f9a87738a3622ae

SHA1
27edeec5d44aad4673a4cbd1bbce71105e30de4f

SHA256
bf1bdab00e4f9d2bb8095c86f6ba723dcf0b8d717f9ae5d584d29c8c44dbf65f

SHA512
03706a114b4ad80eb102cda624db8a3495bfc8022fe7a68f52ca78850fab07c918dd819d127162603ab0a05fb0ea273d2fd6687e8a78ba6e743c5b8d62abb5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
57KB

MD5
e5f4b27c31bf862e3f9a87738a3622ae

SHA1
27edeec5d44aad4673a4cbd1bbce71105e30de4f

SHA256
bf1bdab00e4f9d2bb8095c86f6ba723dcf0b8d717f9ae5d584d29c8c44dbf65f

SHA512
03706a114b4ad80eb102cda624db8a3495bfc8022fe7a68f52ca78850fab07c918dd819d127162603ab0a05fb0ea273d2fd6687e8a78ba6e743c5b8d62abb5b7

Download Submit
memory/2396-149-0x0000000001F60000-0x0000000001F66000-memory.dmp

Filesize
24KB

Download
memory/4368-133-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/4368-134-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download