9378bc2e5d80eda2ad83d562b10040870e7dca725f6644520494392f585e964f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8e472c2922fb98a0f41809125360ea5.exe
Size

44KB
MD5

b8e472c2922fb98a0f41809125360ea5
SHA1

e48f04e50e656e18275deee7c65157a85716db7f
SHA256

9378bc2e5d80eda2ad83d562b10040870e7dca725f6644520494392f585e964f
SHA512

99c838b8dea0a56c11e5c1eb0e468731e469c551fd4b65a811ad007c5bc87b1ab175ab97ee3f8d986b0149fdd0f63b61d3e0cd1faf7d9387ac9cfae90b73076f
SSDEEP

768:79inqyNR/QtOOtEvwDpjBKccJVODvcjpbA6q9R:79mqyNhQMOtEvwDpjBzck96U

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	b8e472c2922fb98a0f41809125360ea5.exe

Executes dropped EXE 1 IoCs

pid	Process
4100	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4100	4192	b8e472c2922fb98a0f41809125360ea5.exe	84
PID 4192 wrote to memory of 4100	4192	b8e472c2922fb98a0f41809125360ea5.exe	84
PID 4192 wrote to memory of 4100	4192	b8e472c2922fb98a0f41809125360ea5.exe	84

C:\Users\Admin\AppData\Local\Temp\b8e472c2922fb98a0f41809125360ea5.exe
"C:\Users\Admin\AppData\Local\Temp\b8e472c2922fb98a0f41809125360ea5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
44KB

MD5
fb9294ae0a35cb1c5fdffde14e23176a

SHA1
81dfcc1d9f4d9b50ebca3394839505983d453c57

SHA256
8098949a20d9ed2fafef975ffe1948fd07fc123a9fc8fcc33ff794b487b1a128

SHA512
bd91b2570d441b6e04be154225c20ba091c01f7e6a9736d42ff136035609635415669e4160930f822bc6f6321cb9b023bf09acbd22c2ebf0e0bffe5e5f3745c8

Download Submit
memory/4100-19-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/4100-22-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4192-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4192-1-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/4192-2-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/4192-3-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/4192-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download