4539450a1c36d97e020a37ee88c7bbf79b9c3a80e8836d70ddb6fae046cce5e3

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb2d35fd358413e22ca973db4debc883.exe
Size

61KB
MD5

eb2d35fd358413e22ca973db4debc883
SHA1

84b3bbc848447ab5ded987789fa3ac6ca884c9aa
SHA256

4539450a1c36d97e020a37ee88c7bbf79b9c3a80e8836d70ddb6fae046cce5e3
SHA512

ac1f3fecc42a2635d8cf515921027aa805d4b5d4ff611fa383074dff845a765da24921ed8cc76869132133976fa17987fe6ab5cc44e7a8b35e53709623216035
SSDEEP

768:H6LsoEEeegiZPvEhHSG+gk5NQXtckstOOtEvwDpjhBaD3TUogs/VXpAP6pU0:H6QFElP6n+gou9cvMOtEvwDpjCpVXp

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	eb2d35fd358413e22ca973db4debc883.exe

Executes dropped EXE 1 IoCs

pid	Process
1812	asih.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3212-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0007000000023276-13.dat	upx
behavioral2/memory/3212-18-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1812-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1812-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 1812	3212	eb2d35fd358413e22ca973db4debc883.exe	82
PID 3212 wrote to memory of 1812	3212	eb2d35fd358413e22ca973db4debc883.exe	82
PID 3212 wrote to memory of 1812	3212	eb2d35fd358413e22ca973db4debc883.exe	82

C:\Users\Admin\AppData\Local\Temp\eb2d35fd358413e22ca973db4debc883.exe
"C:\Users\Admin\AppData\Local\Temp\eb2d35fd358413e22ca973db4debc883.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
61KB

MD5
aa21aad3bc789a2ae8e9e9372133ddfc

SHA1
e0de8edf078ef27ace7378ee8a2af543037ab204

SHA256
f1a211762fa1d016c9519ed1b2a0677577dc1767f1e46de1b684492d7fe4b8f4

SHA512
34be13c3692d380044b4ecf9cdf2157290e2036aa0b03971b2b8525c8fbd83e80b18a8acbe0f8e0920ecba2d82996af9a44087a7de312132eff2a50ed34e24ff

Download Submit
memory/1812-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1812-21-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download
memory/1812-20-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/1812-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3212-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3212-1-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/3212-2-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/3212-3-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/3212-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download