4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 10:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8.exe
Size

53KB
MD5

0f2b0a28ed2e3fca8aeb6f590041b745
SHA1

18555bdb434e04c0db277a2ff7105742d6338441
SHA256

4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8
SHA512

0ec7e6e93cf8ec723f1729a1a4ecfde91b7f4f57e698606c8e1780cdd9643d820dc68d5dc8a3446ae78272565b0f4d3a83d7bb55f2ae71fa3ddf2f406677b1cd
SSDEEP

768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YY1J+OTOkgi:z6QFElP6n+gKmddpMOtEvwDpj31ikgi

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000d000000012248-11.dat	upx
behavioral1/memory/1720-13-0x00000000006D0000-0x00000000006E0000-memory.dmp	upx
behavioral1/memory/1720-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2908-25-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2908	1720	4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8.exe	28
PID 1720 wrote to memory of 2908	1720	4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8.exe	28
PID 1720 wrote to memory of 2908	1720	4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8.exe	28
PID 1720 wrote to memory of 2908	1720	4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8.exe	28

C:\Users\Admin\AppData\Local\Temp\4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8.exe
"C:\Users\Admin\AppData\Local\Temp\4a5cb0c6473f2aa2e3c313b182787b41c8a393b8b7f5155e21d8048f7c9ab3a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
53KB

MD5
b1490d3d451dd566c29f380fbabaebad

SHA1
a6db0053a048b5337ef919a02b510b3153da0b9f

SHA256
ec37b60b76ae7c604e1961b0d21d1ff1aef96928ed893a98ea6b4013f3a8011c

SHA512
9e0b1c8d04220643e25d2e8e4b8f4a264ebfbd3321253d60426eee61aa6386beda9055ad2f7c2ecba8e239a6c9597c272424ccbdd013bf0d60ac62efee90c950

Download Submit
memory/1720-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1720-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1720-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1720-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1720-13-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/1720-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2908-25-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download