Analysis
- max time kernel: 94s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 21:15
Behavioral task: behavioral1
- Sample: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
- Resource: win7-20231129-en
General
- Target: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
- Size: 370KB
- MD5: b33392085cac871c0419f5dfe397dd88
- SHA1: 2d960bf4926db71fdb34d9af1e23916919e01738
- SHA256: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad
- SHA512: 611112722e3c71fb167bbfbc2ccbff808d0c3012d7d2710b9511d84274198c75b42fcba3397c655e73d776c7b8c025b446d24e3d741e7ffd6edcc3ecd399fc8c
- SSDEEP: 6144:CuJkl8DV12C28tLN2/FkCO0aHftvCGCBhDOHjTPmXHk62p8:CzGL2C2aZ2/F1XaveOHjT4
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
    process: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
- Executes dropped EXE (1 IoC)
  Processes: anryo.exe
    pid: 4020
    process: anryo.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
    description: PID 3036 wrote to memory of 4020; pid: 3036; process: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe; target process: anryo.exe
    description: PID 3036 wrote to memory of 4020; pid: 3036; process: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe; target process: anryo.exe
    description: PID 3036 wrote to memory of 4020; pid: 3036; process: 4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe; target process: anryo.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4b448d094eafabc03bbc4a2f7e162b2306542084c08e1eacb716b07bcd0935ad.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\anryo.exe (child process)
    command line: "C:\Users\Admin\AppData\Local\Temp\anryo.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\anryo.exe
  Filesize: 371KB
  MD5: 7eaee461c4d41acfbbf1ad500cbf6696
  SHA1: 2fa5e594872e3e781880123eb5bb7716a9071bd8
  SHA256: d0304215ca84c3e7c018971ddf5632e8c77e2c716586b7c8fb117666518c6808
  SHA512: 537691553fcb21c920ae66a03164aef9f7ca6a8a7c897ae468d4ec64be079997a4c9ad6bd30f84544be6e6097f7a3857f64ec2be4608a19be82ff6832d4c580d
- C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  Filesize: 512B
  MD5: cceb732b170b4064673cd070a1f2ee3c
  SHA1: b09f195e20a1b00a71a6cb365628c3c8199707f7
  SHA256: de45bb4f38d370370df2a82f2cc69e6977376cd053eb8e7f4b012d1cb6e61429
  SHA512: 40a00cfae29e32c55f9ae1f537e07d3c2332adc6f1198ff40f0b7bf53e36212f4c65462bfb626f4eb580f3032278f92eb02091bcfeb8e1e281649dac9f776204