f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c.exe
Size

5KB
MD5

be5a452fec456a100fd4fa2f84ffbf84
SHA1

d4fc8508db3ea0b0a545fd26bdad65e7c3f2af8d
SHA256

f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c
SHA512

f61b863c4285d592b3da67715011b4a37503f313745867f6f099fda828eedb6d41a0dd2db529152d83ae6010294cf0514d98461da399805009efb1a27833adb9
SSDEEP

48:qvECf6Am8RB/G9dBHNnZ1rsHB/VnC/RAxUl2CS70ALNx:nCTxLEHNnZuHnnwR2Ul2ClAhx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c.exe

Deletes itself 1 IoCs

pid	Process
2884	lasma.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	lasma.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2884	4928	f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c.exe	83
PID 4928 wrote to memory of 2884	4928	f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c.exe	83
PID 4928 wrote to memory of 2884	4928	f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c.exe	83

C:\Users\Admin\AppData\Local\Temp\f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c.exe
"C:\Users\Admin\AppData\Local\Temp\f96d0af77a247e3a786519e6b45387038609733f285a98507c8b3aa72a1c971c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\lasma.exe
  "C:\Users\Admin\AppData\Local\Temp\lasma.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lasma.exe

Filesize
5KB

MD5
eeadb29d96c1be9b073437ce306f3fc9

SHA1
f29d40f5abcde36cc859d43bc567dd739d0f35ee

SHA256
a000e8929e6bc5408c20766515b11d685a3f39764fbcc6fdea681a807f6e51aa

SHA512
e07c09f6ddba874c0f342dd7a898fb4c4651abbb4c8f3398074f621189af80ac8792584d2b88c06f1488ad18fddd5de08ccbb2e03cc2f7e53a274e37e8aa75ec

Download Submit
memory/4928-8-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download