12a124cc2352f3ef68ddf06e0ed111c617d95cffd807dc502ae474960a60411c

Analysis

max time kernel
138s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4849207a94d1db4a0211f88e84b0b59.exe
Size

44KB
MD5

c4849207a94d1db4a0211f88e84b0b59
SHA1

32ef2a074d563370f46738565ecf9bb53c75909c
SHA256

12a124cc2352f3ef68ddf06e0ed111c617d95cffd807dc502ae474960a60411c
SHA512

4595c476f288edecdf9ddf441ce3ee0c8e2e4d0a69cdb533d157aaed490e6ee181f0844c38f399460b4e39fd7f11be1d561e2ea7b8823a0240f92f11b4a80529
SSDEEP

768:nGJILQETLKVsHTcIFUUNIvKiuFdq/29VujFAPR4NP+s8yNzY:NRTLksHThteedTmjFTNP71Nz

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c4849207a94d1db4a0211f88e84b0b59.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	aspimgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2184-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2184-14-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aspimgr.exe	c4849207a94d1db4a0211f88e84b0b59.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ws386.ini	c4849207a94d1db4a0211f88e84b0b59.exe
File created	C:\Windows\s32.txt	aspimgr.exe
File opened for modification	C:\Windows\s32.txt	aspimgr.exe
File opened for modification	C:\Windows\g32.txt	aspimgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3180	2184	c4849207a94d1db4a0211f88e84b0b59.exe	102
PID 2184 wrote to memory of 3180	2184	c4849207a94d1db4a0211f88e84b0b59.exe	102
PID 2184 wrote to memory of 3180	2184	c4849207a94d1db4a0211f88e84b0b59.exe	102

C:\Users\Admin\AppData\Local\Temp\c4849207a94d1db4a0211f88e84b0b59.exe
"C:\Users\Admin\AppData\Local\Temp\c4849207a94d1db4a0211f88e84b0b59.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_check32.bat" "
  2⤵
  PID:3180

C:\Windows\SysWOW64\aspimgr.exe
C:\Windows\SysWOW64\aspimgr.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_check32.bat

Filesize
179B

MD5
8d88836945c0c6c595ea8438b3f3aedb

SHA1
51b82432c864476c5b961694ed5a1a9febd204db

SHA256
e6a5cac5d9df297aeec62b76253215c82f6bd1fae77317542fe2e7e054808366

SHA512
87130ab2f8e9cdb892ad54110a82f6edc68f575ff07bbef4cd3fabc4a64b2278879c3daac371eae0e4cf7b80a9c93858a61460dad03f44fa8039ff793060251c

Download Submit
C:\Windows\SysWOW64\aspimgr.exe

Filesize
72KB

MD5
9443e9bbac3b1fb5a21b3bbc3ec92ed1

SHA1
d6e0e331293b2f769ae031a1645e69ca88a4ee72

SHA256
2fef9a1a0eb6d0c1a0f7bbf91633e48ce1f3348c5ffb1a212284fd68ba93907b

SHA512
c582321e4b59d4b9060460b6bf12709a207ca97a389b07701112d1993e641813076944865d3fda68c75cda611376b4683735da1822949a1c93c8a2a3f3341555

Download Submit
C:\Windows\s32.txt

Filesize
57B

MD5
6d5a6ae5a286557b4bd2dde7d664a33f

SHA1
0c0337f8a9b19d0f749547578b4907506c0fcf9f

SHA256
bd16bd826602c6547a8a95239225ae225df7b3046bd08b8d96c414003cbf12e7

SHA512
b4d3172657627ec8467d535c4140b02d643009472caa6dc5ea5f898bcc9bab922144bc4a352a22c56e0800087a82ea366ae92134725ed68b20ed7ebaaa2f5e34

Download Submit
C:\Windows\ws386.ini

Filesize
12B

MD5
145a421f70a122cc3f1488ae41d7193d

SHA1
473597bdf6f29059803c8d9bbac3d155781f4086

SHA256
59f9728f7447230980c9c937606092fa608abadef7e1d0beda91b4ccd8254a38

SHA512
a93ae89937e81cd39b3b329194007426c13a13b740d623fbdd3429f76b3e9ce7f06a1ba1399962a7bfb0859b8de429ec65fe91183dd23103845e98ea633e0550

Download Submit
memory/2184-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2184-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download