Analysis
Max time kernel: 149s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/03/2024, 02:30
Behavioral task behavioral1
Sample: 8a345f7f8bba72c8245d7fd2ebcfe081.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 8a345f7f8bba72c8245d7fd2ebcfe081.exe
Resource: win10v2004-20240226-en
General
Target: 8a345f7f8bba72c8245d7fd2ebcfe081.exe
Size: 106KB
MD5: 8a345f7f8bba72c8245d7fd2ebcfe081
SHA1: a99acee5b43b03409bc916802d44a0d525112973
SHA256: 81e10af2c84b5723be791c293d4204f99e73d3090d6550245fd612a14bce2dcb
SHA512: 57f1d2fa39602e735d9467fe7e72b00b7cae376870ebba6cfe6a1d2ba8eaa4d2ad4ab0724988fc9ab0cc1b3c2a5e423a0f5560e29fffd31e1211a97fb1fdea81
SSDEEP: 1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalRn5iF1j6GksC:1nK6a+qdOOtEvwDpjC
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. The Nation value under Control Panel\International\Geo holds the user's Windows GeoID; a geofencing sample reads it before doing anything else and exits if the value is on its exclusion list, which is why this query comes from the parent process and precedes the drop.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation
process: 8a345f7f8bba72c8245d7fd2ebcfe081.exe
Executes dropped EXE (1 IoC)
pid: 4016
process: asih.exe
UPX YARA rule matches (5 IoCs)
The "upx" rule fires on the dropped file and on memory dumps of both processes; the parent (PID 676) and the dropped asih.exe (PID 4016) each map the packed image at the same range 0x0000000000500000-0x000000000050F311.
resource | yara_rule
behavioral2/memory/676-0-0x0000000000500000-0x000000000050F311-memory.dmp | upx
behavioral2/files/0x0008000000023210-13.dat | upx
behavioral2/memory/676-19-0x0000000000500000-0x000000000050F311-memory.dmp | upx
behavioral2/memory/4016-17-0x0000000000500000-0x000000000050F311-memory.dmp | upx
behavioral2/memory/4016-27-0x0000000000500000-0x000000000050F311-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
All three writes go from the sample (PID 676) into its own child asih.exe (PID 4016), the dropped EXE listed above, so this is the parent touching the process it just launched rather than injection into an unrelated process.
description | pid | process | procid_target
PID 676 wrote to memory of 4016 | 676 | 8a345f7f8bba72c8245d7fd2ebcfe081.exe | 91
PID 676 wrote to memory of 4016 | 676 | 8a345f7f8bba72c8245d7fd2ebcfe081.exe | 91
PID 676 wrote to memory of 4016 | 676 | 8a345f7f8bba72c8245d7fd2ebcfe081.exe | 91
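The UPX hits above are sandbox matches on memory dumps and on the dropped file. To check a sample on disk for the same packer layout before detonating it, the following is an added Python example (not part of this report and not the sandbox vendor's code) that parses the PE section table with the standard library only and applies the usual UPX heuristics: UPX0/UPX1/UPX2 section names, a first section with no bytes on disk, a high-entropy section, and the "UPX!" marker in the header padding. The build_pe helper and the PACKED/PLAIN inputs are constructed test data, not the report's sample, and all function names are the example's own.

```python
import math
import struct
from collections import Counter

# Section names UPX gives a packed PE32/PE32+ image.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: compressed data sits near 8.0, ordinary code nearer 5-6."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table using struct only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    off = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER follows the optional header
    sections = []
    for _ in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size]),
        })
        off += 40
    return sections


def upx_indicators(data: bytes) -> dict:
    """Individual heuristics, returned separately so a triage note can say which ones fired."""
    secs = parse_sections(data)
    names = {s["name"] for s in secs}
    first = secs[0] if secs else None
    return {
        "upx_section_names": bool(names & UPX_SECTION_NAMES),
        # UPX0 has no bytes on disk: it is only reserved in memory for the unpacked image.
        "empty_first_section": bool(first) and first["raw_size"] == 0 and first["virtual_size"] > 0,
        "high_entropy_section": any(s["raw_size"] >= 1024 and s["entropy"] > 7.0 for s in secs),
        # Stock UPX writes "UPX!" into the header padding after the section table.
        "upx_magic": b"UPX!" in data[:0x1000],
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return ind["upx_section_names"] or ind["upx_magic"] or (
        ind["empty_first_section"] and ind["high_entropy_section"])


def build_pe(sections, header_tail=b"") -> bytes:
    """Constructed minimal PE32 file (headers + section table + raw data); test input only, not runnable."""
    file_align = 0x200
    headers_len = 0x40 + 4 + 20 + 224 + 40 * len(sections) + len(header_tail)
    hdr_size = -(-headers_len // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, remaining fields zeroed
    table, blobs, raw_ptr, vaddr = b"", b"", hdr_size, 0x1000
    for name, raw, vsize in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(padded), raw_ptr if padded else 0, 0, 0, 0, 0, 0x60000020)
        blobs += padded
        raw_ptr += len(padded)
        vaddr += -(-vsize // 0x1000) * 0x1000
    header = dos + b"PE\0\0" + coff + opt + table + header_tail
    return header + b"\0" * (hdr_size - len(header)) + blobs


# Constructed inputs (not the report's files): one laid out the way UPX does it, one not.
PACKED = build_pe([(b"UPX0", b"", 0x20000),
                   (b"UPX1", bytes(range(256)) * 16, 0x1000),
                   (b".rsrc", b"\0" * 0x200, 0x200)], header_tail=b"UPX!")
PLAIN = build_pe([(b".text", b"\x90" * 0x400, 0x400),
                  (b".data", b"\0" * 0x100, 0x100)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(label, looks_upx_packed(blob), upx_indicators(blob))
```

On a positive, `upx -d` recovers the original image when the stub is unmodified; a patched stub or renamed sections will defeat it, in which case the fallback is what the sandbox did here: dump the process after the stub has finished unpacking and carve the image from the mapped range.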
Processes
1. C:\Users\Admin\AppData\Local\Temp\8a345f7f8bba72c8245d7fd2ebcfe081.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8a345f7f8bba72c8245d7fd2ebcfe081.exe"
   PID: 676
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 676)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 4016
      - Executes dropped EXE
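The process tree is the behavioural signal that converts most directly into a detection rule: an executable running from the user's Temp directory starting a second executable from that same directory. The Python below is an added example (not from the report or the sandbox vendor) that evaluates that rule over constructed process-creation records modelled on the tree above. The ProcessStart dataclass and its fields are the example's own simplification of a Sysmon Event ID 1 / Security 4688 record, the explorer.exe parent and the setup_7zip.exe rows are invented, and the latter are there to show the rule staying quiet for a Temp-resident installer that only launches a system binary.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Per-user Temp directory, the staging location seen in the report's process tree.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessStart:
    """One process-creation record, reduced to the fields the rule needs (hypothetical schema)."""
    pid: int
    ppid: int
    image: str
    command_line: str


def find_temp_drop_and_exec(events: List[ProcessStart]) -> List[Tuple[int, int, str, str]]:
    """Return (parent_pid, child_pid, parent_image, child_image) for every child image under the
    user Temp directory whose parent also runs from the user Temp directory."""
    by_pid: Dict[int, ProcessStart] = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent started before collection began; nothing to correlate
        if USER_TEMP.search(parent.image) and USER_TEMP.search(e.image):
            hits.append((parent.pid, e.pid, parent.image, e.image))
    return hits


# Constructed records mirroring the report's tree (PIDs 676 -> 4016), plus a benign control pair.
SAMPLE_EVENTS = [
    ProcessStart(1234, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessStart(676, 1234,
                 r"C:\Users\Admin\AppData\Local\Temp\8a345f7f8bba72c8245d7fd2ebcfe081.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\8a345f7f8bba72c8245d7fd2ebcfe081.exe"'),
    ProcessStart(4016, 676,
                 r"C:\Users\Admin\AppData\Local\Temp\asih.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\asih.exe"'),
    # Installer running from Temp that spawns cmd.exe from System32: must not match.
    ProcessStart(5000, 1234, r"C:\Users\Admin\AppData\Local\Temp\setup_7zip.exe", "setup_7zip.exe"),
    ProcessStart(5001, 5000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo done"),
]

if __name__ == "__main__":
    for parent_pid, child_pid, parent_image, child_image in find_temp_drop_and_exec(SAMPLE_EVENTS):
        print(f"temp drop-and-exec: {parent_pid} ({parent_image}) -> {child_pid} ({child_image})")
```

In production the rule should be joined with a file-creation event for the child image by the same parent shortly before the start, which is what the sandbox's "Executes dropped EXE" signature encodes; without that join, self-extracting archives run from Temp will produce noise.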
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 106KB
MD5: 94702d2aace6d2c72d168460b7211f24
SHA1: 381a8124a1889b66b9d6b3921c56c8db8305362a
SHA256: 7f74187fe5fbea20d9bc1a9f14f4bb797d46479115a90e5a449d1730d9dc9a2e
SHA512: 5e95a21b4c1e15319f2592133989b7beee5a63651ac2e7d421c4ec1b5b58e58c8fbbe80c08cac0917097d1efebdd9dabbfa09aa73e6619bcda98af5fb0b0dcc7
(same 106KB size as the submitted sample, but different hashes)