019add48a3b4c319340f19a073a9d32bdcd81349fed8c7b04a2ab1ceae361294

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

151da2051275faexe_JC.exe
Size

67KB
MD5

151da2051275fa8222f58966622534be
SHA1

8403649dd363e267a5bc097d0e43f5f488752402
SHA256

019add48a3b4c319340f19a073a9d32bdcd81349fed8c7b04a2ab1ceae361294
SHA512

dae9d3d7bdde056b70635867eeee18800209bcc5abbba607b982d2523d84c885b9bc1a080bf5237d78a4e298bf1e1378c37ceb8662138a0d606b6c36bb07cfb9
SSDEEP

1536:79mqyNhQMOtEvwDpjBPY7xv3gnQe+OHF7n:RlqbOtEvwDpjBgs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	151da2051275faexe_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1324	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1324	1840	151da2051275faexe_JC.exe	86
PID 1840 wrote to memory of 1324	1840	151da2051275faexe_JC.exe	86
PID 1840 wrote to memory of 1324	1840	151da2051275faexe_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\151da2051275faexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\151da2051275faexe_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
67KB

MD5
8abe6a6f1cf46dd22c82be919f1033ac

SHA1
5235fa85155f31c91dfb007d71d0405e09bbbc8b

SHA256
c74ac2f6aecb7d4296db83105d5dbdda9866ef8e8fa87677cf7ddbbca928d94e

SHA512
9ffd3902eafcf94fe989ee2c2a6273e25e58746d1598ba8bd0e6df268c7469779dc183c20a9c69c80585b054ceffe811f5ea30ce8180d57fb0b711d57b6766aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
67KB

MD5
8abe6a6f1cf46dd22c82be919f1033ac

SHA1
5235fa85155f31c91dfb007d71d0405e09bbbc8b

SHA256
c74ac2f6aecb7d4296db83105d5dbdda9866ef8e8fa87677cf7ddbbca928d94e

SHA512
9ffd3902eafcf94fe989ee2c2a6273e25e58746d1598ba8bd0e6df268c7469779dc183c20a9c69c80585b054ceffe811f5ea30ce8180d57fb0b711d57b6766aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
67KB

MD5
8abe6a6f1cf46dd22c82be919f1033ac

SHA1
5235fa85155f31c91dfb007d71d0405e09bbbc8b

SHA256
c74ac2f6aecb7d4296db83105d5dbdda9866ef8e8fa87677cf7ddbbca928d94e

SHA512
9ffd3902eafcf94fe989ee2c2a6273e25e58746d1598ba8bd0e6df268c7469779dc183c20a9c69c80585b054ceffe811f5ea30ce8180d57fb0b711d57b6766aa

Download Submit
memory/1324-151-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/1324-152-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/1324-159-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1840-133-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1840-134-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/1840-135-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/1840-136-0x00000000021A0000-0x00000000021A6000-memory.dmp

Filesize
24KB

Download
memory/1840-153-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download