38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 16:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e.exe
Size

63KB
MD5

1b3e76aabb06d85e65e95e0ba18c5bbb
SHA1

36913ffefcc3971c1de9e909e68d83ad23fb2946
SHA256

38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e
SHA512

dbcb2ea8f1b7aeeb0b5966c2718a01435c3f07020dc74247f67e8f961e0efb06f4dc5f190807c7a569a0001f1b2bc9a01803f796cf4adf38fe0b87f421dad57f
SSDEEP

1536:qmbhXDmjr5MOtEvwDpj5cDtKkQZQRKb61vSbgtsie:BbdDmjr+OtEvwDpjM8L

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e.exe

Executes dropped EXE 1 IoCs

pid	Process
1844	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1844	1904	38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e.exe	82
PID 1904 wrote to memory of 1844	1904	38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e.exe	82
PID 1904 wrote to memory of 1844	1904	38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e.exe	82

C:\Users\Admin\AppData\Local\Temp\38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e.exe
"C:\Users\Admin\AppData\Local\Temp\38defe48512a9d130414b801b70facb81d9903ce48b87533bf33030d9cd2117e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
63KB

MD5
029b0d0183418e294029871cdc3fe4a9

SHA1
fe4d8da94bb103dfe360e9df1cdbd33a2289a15b

SHA256
fbfed283785f8628a73ea3acda7e0181646469cf00c09436e3f7ae4cfbdd45d8

SHA512
a22f66eb80cb9f1486b2df7644be7f0cad0e2db564bf9fbf3398f2f053b40ab8cb08226f9c2c006167038137be396a1d075433f4625e2f3462c440bd83b037b7

Download Submit
memory/1844-20-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1844-26-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1844-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1904-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1904-1-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/1904-2-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/1904-9-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/1904-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download