Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2023 22:07
Behavioral task
behavioral1
Sample
NA_067870e427a45fexe_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
NA_067870e427a45fexe_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
NA_067870e427a45fexe_JC.exe
-
Size
40KB
-
MD5
067870e427a45f93f5342882008042ff
-
SHA1
2d25a1fe658e62e19934bd06d8abcfa0663087fd
-
SHA256
339627d9a9a13fac6c15ce787aec15064e3146c156d14481d0893ac20eff012d
-
SHA512
9b6457b00630391e93752584a0c5c424e12edbc61d56c9d083725da91ba56821046fea1f007828b46fa803f9b858d8b0dab0b11004359915d06fda0bba45480c
-
SSDEEP
768:qUmnjFom/kLyMro2GtOOtEvwDpjeMLam5aFr7YOzzOQjCMQ:qUmnpomddpMOtEvwDpjjaYaFAetQ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation NA_067870e427a45fexe_JC.exe -
Executes dropped EXE 1 IoCs
pid Process 2168 asih.exe -
resource yara_rule behavioral2/memory/216-133-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral2/files/0x00060000000231e6-146.dat upx behavioral2/files/0x00060000000231e6-148.dat upx behavioral2/files/0x00060000000231e6-149.dat upx behavioral2/memory/216-150-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral2/memory/2168-159-0x0000000000500000-0x000000000050F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 216 wrote to memory of 2168 216 NA_067870e427a45fexe_JC.exe 84 PID 216 wrote to memory of 2168 216 NA_067870e427a45fexe_JC.exe 84 PID 216 wrote to memory of 2168 216 NA_067870e427a45fexe_JC.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\NA_067870e427a45fexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NA_067870e427a45fexe_JC.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:2168
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5524cd8c78a17febfc5b8bb9275a5677b
SHA19b8759e9d2d2ad52ee67370eec9566014702edfc
SHA256e3459908f4c3f54372c4205a444a1757e2f731a9c3434bcb6c3ed2550345352c
SHA5128776c75aeaa2ad74f7aa239c20974b4ebb8263c33edd614dd88a8eb4be8c9c645d18972929b5d4b7ea5ca201362fbb683cc2a3ccea195db73dcbcef5262c320b
-
Filesize
40KB
MD5524cd8c78a17febfc5b8bb9275a5677b
SHA19b8759e9d2d2ad52ee67370eec9566014702edfc
SHA256e3459908f4c3f54372c4205a444a1757e2f731a9c3434bcb6c3ed2550345352c
SHA5128776c75aeaa2ad74f7aa239c20974b4ebb8263c33edd614dd88a8eb4be8c9c645d18972929b5d4b7ea5ca201362fbb683cc2a3ccea195db73dcbcef5262c320b
-
Filesize
40KB
MD5524cd8c78a17febfc5b8bb9275a5677b
SHA19b8759e9d2d2ad52ee67370eec9566014702edfc
SHA256e3459908f4c3f54372c4205a444a1757e2f731a9c3434bcb6c3ed2550345352c
SHA5128776c75aeaa2ad74f7aa239c20974b4ebb8263c33edd614dd88a8eb4be8c9c645d18972929b5d4b7ea5ca201362fbb683cc2a3ccea195db73dcbcef5262c320b