242ff0d478e782aca371ff9892c14225d47052acb304f9d068be1c1bf0ae3e16

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3211b63f8e61exe_JC.exe
Size

77KB
MD5

ff3211b63f8e613281970139d2386946
SHA1

4706fa834e664ae6d274c6dd0b1ac368cc57ff13
SHA256

242ff0d478e782aca371ff9892c14225d47052acb304f9d068be1c1bf0ae3e16
SHA512

c3138a194fa825891ee0a16d7f366b7b1aa626c96cfb4bcc85655c9d6943d3a150e4f2f60fcb3c14403b82de6aee7ba9c95f0518bd45678d3635aaadac59631f
SSDEEP

1536:T6QFElP6n+gxmddpMOtEvwDpjwaxTNUOTdSWCPRMoA:T6a+rdOOtEvwDpjNN

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	ff3211b63f8e61exe_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
544	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4404-133-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000231ff-146.dat	upx
behavioral2/files/0x00080000000231ff-149.dat	upx
behavioral2/files/0x00080000000231ff-148.dat	upx
behavioral2/memory/4404-150-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/544-159-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 544	4404	ff3211b63f8e61exe_JC.exe	84
PID 4404 wrote to memory of 544	4404	ff3211b63f8e61exe_JC.exe	84
PID 4404 wrote to memory of 544	4404	ff3211b63f8e61exe_JC.exe	84

C:\Users\Admin\AppData\Local\Temp\ff3211b63f8e61exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\ff3211b63f8e61exe_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
77KB

MD5
3bc40d82d548befa9f31d31d74f03e6f

SHA1
5f67608ee7558445ababdb23f1099c0a54124e5e

SHA256
b3104271acb32b8ce8697696b30bc7fd976dd9e65007fc1f7005ac39a59bb227

SHA512
a8bc6e201c559f8977ffa85ad001e4dcc8b4944565383a4d3364f5d887e7822fef01c83539f428612b07a07ec1b0696734d4f51087f12dcd29bf73c09bd9db49

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
77KB

MD5
3bc40d82d548befa9f31d31d74f03e6f

SHA1
5f67608ee7558445ababdb23f1099c0a54124e5e

SHA256
b3104271acb32b8ce8697696b30bc7fd976dd9e65007fc1f7005ac39a59bb227

SHA512
a8bc6e201c559f8977ffa85ad001e4dcc8b4944565383a4d3364f5d887e7822fef01c83539f428612b07a07ec1b0696734d4f51087f12dcd29bf73c09bd9db49

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
77KB

MD5
3bc40d82d548befa9f31d31d74f03e6f

SHA1
5f67608ee7558445ababdb23f1099c0a54124e5e

SHA256
b3104271acb32b8ce8697696b30bc7fd976dd9e65007fc1f7005ac39a59bb227

SHA512
a8bc6e201c559f8977ffa85ad001e4dcc8b4944565383a4d3364f5d887e7822fef01c83539f428612b07a07ec1b0696734d4f51087f12dcd29bf73c09bd9db49

Download Submit
memory/544-152-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/544-153-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/544-159-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4404-133-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4404-134-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/4404-135-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/4404-136-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/4404-150-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download