20be63cab5e07464e7d5dd6148ccf85dd579d0e7c904671386d4d7111e5d231f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2023 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc8ff6ad874218exeexeexeex.exe
Size

86KB
MD5

fc8ff6ad8742185e322dad2e42c49d94
SHA1

c0ed719d1321dd4523cd5b423b49e7d8d5009237
SHA256

20be63cab5e07464e7d5dd6148ccf85dd579d0e7c904671386d4d7111e5d231f
SHA512

c382b1618f8df8201e3660a8a29bcd69bbc8fbdb893c254b79d01b5cea65262c911416cbc597736a394e6965f22a70e5a7861d992d54262e2c3b2294a722f7a1
SSDEEP

1536:T6QFElP6n+gxmddpMOtEvwDpjwaxTNUOTFBEa2x0jC:T6a+rdOOtEvwDpjNQ

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	fc8ff6ad874218exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4048-133-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000231fc-145.dat	upx
behavioral2/files/0x00080000000231fc-147.dat	upx
behavioral2/files/0x00080000000231fc-148.dat	upx
behavioral2/memory/4048-150-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2216-156-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 2216	4048	fc8ff6ad874218exeexeexeex.exe	86
PID 4048 wrote to memory of 2216	4048	fc8ff6ad874218exeexeexeex.exe	86
PID 4048 wrote to memory of 2216	4048	fc8ff6ad874218exeexeexeex.exe	86

C:\Users\Admin\AppData\Local\Temp\fc8ff6ad874218exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\fc8ff6ad874218exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
86KB

MD5
15102222d901f6ec99b5ba807ae715a6

SHA1
ddb96bb63be92634e3ee081acd03d8762fc1c84c

SHA256
53b2fb344aaaa5ce7a835d4d43fa6aecdcef41fdaf1def91f68a34c4166dd71c

SHA512
08f700d5e3836c18525f5796b2f4ed2aa8c6ea8849df1c4394d13dcc6a12c70253abc987f3954e04e382f22dbb070efc31bb76ee4b65b44573d8797ffab8e89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
86KB

MD5
15102222d901f6ec99b5ba807ae715a6

SHA1
ddb96bb63be92634e3ee081acd03d8762fc1c84c

SHA256
53b2fb344aaaa5ce7a835d4d43fa6aecdcef41fdaf1def91f68a34c4166dd71c

SHA512
08f700d5e3836c18525f5796b2f4ed2aa8c6ea8849df1c4394d13dcc6a12c70253abc987f3954e04e382f22dbb070efc31bb76ee4b65b44573d8797ffab8e89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
86KB

MD5
15102222d901f6ec99b5ba807ae715a6

SHA1
ddb96bb63be92634e3ee081acd03d8762fc1c84c

SHA256
53b2fb344aaaa5ce7a835d4d43fa6aecdcef41fdaf1def91f68a34c4166dd71c

SHA512
08f700d5e3836c18525f5796b2f4ed2aa8c6ea8849df1c4394d13dcc6a12c70253abc987f3954e04e382f22dbb070efc31bb76ee4b65b44573d8797ffab8e89c

Download Submit
memory/2216-151-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2216-156-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4048-133-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4048-134-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/4048-135-0x0000000002060000-0x0000000002066000-memory.dmp

Filesize
24KB

Download
memory/4048-150-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download