ab1d4ae7528e91206a2b2374d5db83291df56b41be3d1f83eccb21b240f3a8bc

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

407f96162d507a23d71d0ee1dc42e055.exe
Size

51KB
MD5

407f96162d507a23d71d0ee1dc42e055
SHA1

f16b9fe9f4a103eddf7de56d12d7bbcb52ecc236
SHA256

ab1d4ae7528e91206a2b2374d5db83291df56b41be3d1f83eccb21b240f3a8bc
SHA512

3886b0696a9c323218c87065ab7d7c5f62af83fa322b95ec047b272c5f50d9db19197ccd65466ab144aa95ddd2db92cc0740c327f48ce3c61bc2d583e432af00
SSDEEP

768:qkZa1tZm83YNn0an2a9w8ud5Io8sXuUQR4r+L6tgU02OKAdRgMC:qkYap0an2a93udFurW+L6tgU0tDdWr

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	407f96162d507a23d71d0ee1dc42e055.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	aspimgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3404-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3404-10-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aspimgr.exe	407f96162d507a23d71d0ee1dc42e055.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\g32.txt	aspimgr.exe
File opened for modification	C:\Windows\ws386.ini	407f96162d507a23d71d0ee1dc42e055.exe
File created	C:\Windows\db32.txt	407f96162d507a23d71d0ee1dc42e055.exe
File created	C:\Windows\s32.txt	aspimgr.exe
File opened for modification	C:\Windows\s32.txt	aspimgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3476	3404	407f96162d507a23d71d0ee1dc42e055.exe	96
PID 3404 wrote to memory of 3476	3404	407f96162d507a23d71d0ee1dc42e055.exe	96
PID 3404 wrote to memory of 3476	3404	407f96162d507a23d71d0ee1dc42e055.exe	96

C:\Users\Admin\AppData\Local\Temp\407f96162d507a23d71d0ee1dc42e055.exe
"C:\Users\Admin\AppData\Local\Temp\407f96162d507a23d71d0ee1dc42e055.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_check32.bat" "
  2⤵
  PID:3476

C:\Windows\SysWOW64\aspimgr.exe
C:\Windows\SysWOW64\aspimgr.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_check32.bat

Filesize
179B

MD5
cb2168f2241460ff2380d5177b48e9c3

SHA1
4f8f35100003c578160dd3acc48041a6dbcd7a6b

SHA256
45af310dce31243d2525752d7b422008881fa8cbbc70538b48cac0f5cd9eb24e

SHA512
af307a496b452d55212f06a91a4b9cc89e77f01caea603603221f318453eeaff48a07ca481625b9112b250e43c66ab4d0a595e9d3aca2948ff8f4b2a40d5a3ee

Download Submit
C:\Windows\SysWOW64\aspimgr.exe

Filesize
84KB

MD5
bb470d9076b61f0b660e060dd756c918

SHA1
69e2e4ac5888aea0bc2cac617eca46398a59329e

SHA256
d82b23b25dc47aa2f0a0a48e5b7627d0626804e77dba005b3d5d0be430bade11

SHA512
bccaecc6746851ac9147c735f2b3d0818699b1ae665a1aa5c9fb2aa93f384f0bebc032fe5691f9e9f9a0ddb46e6e405910a3a171b6bf8e843612cb80d9d631a5

Download Submit
C:\Windows\db32.txt

Filesize
100B

MD5
0ec43532ebb4cb128756cae16a6c8a1f

SHA1
c1003014cd2c0682e59f00fbb195e4926774c45a

SHA256
c7ef2d1f7b0b6339ed60881718c5f76cf1b44292ad6b6c7b7fe5cfb4658e7562

SHA512
c7d95cd687ad9a3a21057348a5da7f140cae9b29de90a494a6062297a6c7d9a82c6d6c2293e764552e004465cb4d80a4d8cd07915771efd3cf71de00e6aa9086

Download Submit
C:\Windows\s32.txt

Filesize
129B

MD5
6e82b6ad2da0e27134d0fdd68683bad3

SHA1
973cdd2ed16b4821700aa4e7c6b6f50f44d8226a

SHA256
2b02bfda78caf445809c6fdf594610a0f2631abd48578ebed9eb4b30f7076eb5

SHA512
fb8a5306962307ed20c05b4c1eb959f2348928890d18ea3f237f145a22b73e32847ddcf3aaf5d5d1a7ed9734cebc53894bc91164b0b6a46d7c343cb1ab84d014

Download Submit
C:\Windows\ws386.ini

Filesize
12B

MD5
8380fe76ec1fec63ada498b0fefac689

SHA1
61e4017ca864f2f076f039d9524ed13129957e2f

SHA256
5f7305a68d0aac54587f4ca0183056b30160ac1fbe7bfc7097415d65549c4453

SHA512
7ac4832e8f394790e0bf8b7094e12e1163693e946529271d162922f78549c03d687c2820298471c45a613858edc70b7cc9f1168850981d0b476c9155a0ffb5d5

Download Submit
memory/3404-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3404-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download