af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe
Size

5KB
MD5

f53cf2cb015fdd0be9a037ec949bf93a
SHA1

26aacff9525ccc50216a8d71a45dfbee37f6b2a5
SHA256

af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430
SHA512

bc044db33ce7934413857a4d7d6f23db0c25e244e40dfd45dd263d402c898076e24d966e37aab88404c3773b947b282a58c03903d4a85127508434a6b0cf48ef
SSDEEP

48:qvECf6Am8RB/G9B8Lw1qNnZ1rsHB/VnC/RAxUl2CS70ALNx:nCTxLw8FNnZuHnnwR2Ul2ClAhx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe

Deletes itself 1 IoCs

Processes:

lasma.exe

pid process

4288 lasma.exe
Executes dropped EXE 1 IoCs

Processes:

lasma.exe

pid process

4288 lasma.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4288	lasma.exe

pid	process
4288	lasma.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe

description	pid	process	target process
PID 3032 wrote to memory of 4288	3032	af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe	lasma.exe
PID 3032 wrote to memory of 4288	3032	af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe	lasma.exe
PID 3032 wrote to memory of 4288	3032	af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe	lasma.exe

C:\Users\Admin\AppData\Local\Temp\af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe
"C:\Users\Admin\AppData\Local\Temp\af641ea97e20f5c85b72c8dea71a831f004e0cad6a976cc9833d444e510c0430.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\lasma.exe
"C:\Users\Admin\AppData\Local\Temp\lasma.exe"
2⤵
- Deletes itself
- Executes dropped EXE
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lasma.exe

Filesize
5KB

MD5
a4ab11f49e5b9ac659dfbe2ca820689b

SHA1
6c8dc9d580dcc35019dd2febee78ae8a4c8a370e

SHA256
1d98b96fc30087acad1f765bca03ea69eaaa9d436cc9f816088553e8aca16a63

SHA512
9e4d882a2895e1ebcca6d953872cd5939307a41bfd99508ac71fe2eae8e78d2359fe59b09cccd31ff31e10e09a8539c49ea6f6d1e6b75fe56f56a7949b3bbaf3

Download Submit