Analysis
max time kernel: 143s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 01:02
Behavioral task: behavioral1
Sample: 4ea367e656c4ba8bafb5dc9d368f3ce4.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 4ea367e656c4ba8bafb5dc9d368f3ce4.exe
Resource: win10v2004-20240226-en
General
Target: 4ea367e656c4ba8bafb5dc9d368f3ce4.exe
Size: 40KB
MD5: 4ea367e656c4ba8bafb5dc9d368f3ce4
SHA1: ecfbc925e391eec18d68915382fb1d5b0feac387
SHA256: ef756a8ddd2c014ee73eb30f5a9ccbd1d70111c785e065d05d0f1750e148fd50
SHA512: e1375c82af5844fcace3ba5c847f478f20b60cbb9ad705137b6a784681708e4586e6f432071b33ec67eecfb6f6f2d37489f8f7c554721b8bca2eff5d4441daae
SSDEEP: 768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITY//:qDdFJy3QMOtEvwDpjjWMl7T2
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: 4ea367e656c4ba8bafb5dc9d368f3ce4.exe

Executes dropped EXE (1 IoC)
pid: 4456
Process: asih.exe

resource                                                                    yara_rule
behavioral2/memory/3456-0-0x0000000000500000-0x0000000000510000-memory.dmp   upx
behavioral2/files/0x0008000000023246-13.dat                                 upx
behavioral2/memory/3456-14-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/4456-18-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/4456-28-0x0000000000500000-0x0000000000510000-memory.dmp  upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process                               procid_target
PID 3456 wrote to memory of 4456   3456  4ea367e656c4ba8bafb5dc9d368f3ce4.exe  91
PID 3456 wrote to memory of 4456   3456  4ea367e656c4ba8bafb5dc9d368f3ce4.exe  91
PID 3456 wrote to memory of 4456   3456  4ea367e656c4ba8bafb5dc9d368f3ce4.exe  91
Processes
C:\Users\Admin\AppData\Local\Temp\4ea367e656c4ba8bafb5dc9d368f3ce4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ea367e656c4ba8bafb5dc9d368f3ce4.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3456
    C:\Users\Admin\AppData\Local\Temp\asih.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      - Executes dropped EXE
      PID: 4456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
  PID: 2224
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 40KB
MD5: 1359f2923906861cf2deeb280afe4130
SHA1: f85564cee0165fe4dadf9dff5ed578247c5b6f80
SHA256: 5627f10e8ff1ccc74611ade4796c66e23d70b030926735133c52071171c6fede
SHA512: 0ee684a491a614397697ad2e60f5895a7c5e3a05f119647d4d984150a26874762bf3231b91f8b073587eb1fc8c5f5cc6cb3a3adea68b32ad44774d26622d3a85