779869dc9547fc319ca353352595c0adf6302d14eb3e8c0e89bb4be4bd250417

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea38b1d286c5f23c10ac6839b8da1e39.exe
Size

75KB
MD5

ea38b1d286c5f23c10ac6839b8da1e39
SHA1

adbb4590655d374ae321de45d3cc965b590cd29a
SHA256

779869dc9547fc319ca353352595c0adf6302d14eb3e8c0e89bb4be4bd250417
SHA512

223c6ee8bb2dbe9c95a33bc0a936d040260b30d12499d4e2b25f7e5ded3cd57d1ef85c159667d74da4c7d8bc3dfc22cd4d56c3e1dc1a4c3233f173150e599c23
SSDEEP

1536:T6QFElP6n+gxmddpMOtEvwDpjwaxTNUOAkXtBdxPUxaN:T6a+rdOOtEvwDpjNtHPr

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ea38b1d286c5f23c10ac6839b8da1e39.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4992-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000d00000002315a-13.dat	upx
behavioral2/memory/4992-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4984-26-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4984	4992	ea38b1d286c5f23c10ac6839b8da1e39.exe	85
PID 4992 wrote to memory of 4984	4992	ea38b1d286c5f23c10ac6839b8da1e39.exe	85
PID 4992 wrote to memory of 4984	4992	ea38b1d286c5f23c10ac6839b8da1e39.exe	85

C:\Users\Admin\AppData\Local\Temp\ea38b1d286c5f23c10ac6839b8da1e39.exe
"C:\Users\Admin\AppData\Local\Temp\ea38b1d286c5f23c10ac6839b8da1e39.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
75KB

MD5
a1258ca4837e98be5d4adaf07f4d6962

SHA1
1486b5bbd96c724a773c5833cbd317164d1c8bc6

SHA256
a4a81e1a8f4f21dfa36355609d022f3a88a5b1e927a685112dc225d8c784ad97

SHA512
038923cd8b2672f8f5f8a87917c681b9f2c3404804e9cf20399131e63e294ffd3d5fd29d2489c17b59013ef6aac474933c746c8906a87eb6700f17324e42e9a0

Download Submit
memory/4984-19-0x00000000007D0000-0x00000000007D6000-memory.dmp

Filesize
24KB

Download
memory/4984-23-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4984-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4992-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4992-1-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4992-2-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4992-3-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/4992-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download