Analysis
max time kernel: 143s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 01:21

Behavioral task behavioral1
  Sample: 09c216a38af773a905fb2cf0fb48cab2.exe
  Resource: win7-20240508-en
Behavioral task behavioral2
  Sample: 09c216a38af773a905fb2cf0fb48cab2.exe
  Resource: win10v2004-20240226-en
General
Target: 09c216a38af773a905fb2cf0fb48cab2.exe
Size: 64KB
MD5: 09c216a38af773a905fb2cf0fb48cab2
SHA1: 3839cb62386adf48594a6cf44523d1464770e585
SHA256: 619cf17b71f9e07abc0a7304e2e9895e94a8892a85e2b8268c83086397fbc550
SHA512: 43b60d9ddecbfed2cfd3ae95f822f4efc28d3d83c004de39c014136e96994746d0147a432d84bd5d822588f5f54f4a0895a8fd60bc5738e39aae9b1400cabe99
SSDEEP: 1536:P8mnK6QFElP6n+gymddpMOtEvwDpjYMWQfL:1nK6a+qdOOtEvwDpjt
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: 09c216a38af773a905fb2cf0fb48cab2.exe

Executes dropped EXE (1 IoCs)
  pid: 1308
  Process: asih.exe

resource / yara_rule
  behavioral2/memory/4964-0-0x0000000000500000-0x000000000050F311-memory.dmp   upx
  behavioral2/files/0x000b000000023242-13.dat                                   upx
  behavioral2/memory/4964-17-0x0000000000500000-0x000000000050F311-memory.dmp  upx
  behavioral2/memory/1308-26-0x0000000000500000-0x000000000050F311-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 4964 wrote to memory of 1308   4964  09c216a38af773a905fb2cf0fb48cab2.exe  89
  PID 4964 wrote to memory of 1308   4964  09c216a38af773a905fb2cf0fb48cab2.exe  89
  PID 4964 wrote to memory of 1308   4964  09c216a38af773a905fb2cf0fb48cab2.exe  89
Processes

C:\Users\Admin\AppData\Local\Temp\09c216a38af773a905fb2cf0fb48cab2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09c216a38af773a905fb2cf0fb48cab2.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4964
    C:\Users\Admin\AppData\Local\Temp\asih.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      - Executes dropped EXE
      PID: 1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 5048
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 64KB
MD5: c5533992e5542872f76748d610d871fc
SHA1: 6d4f5d757a26e38b202ccebc6dbbe8d8006d8bf5
SHA256: ca31f4cbfcd3789555ef87e391e6442a1825338cd2e55acd2438a35335f1a5f5
SHA512: e6b4577fe039d038d41f5c7e5ee6b89eceb553b08401e880cbec2ea149b7c7473bd81df4a6ee5f590ff9b0e3a3696fcf9ba1784d14e6becb144919d4fb7884bc