54a6ee051f70e38e6bd16e6a57f32e02420ef54b44441d1521fcae1c039d0bd2

Analysis

max time kernel
110s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0522a0e317136172bb29f91644160280N.exe
Size

37KB
MD5

0522a0e317136172bb29f91644160280
SHA1

2303f4e978acbf90f6748bde6254c1185dab7174
SHA256

54a6ee051f70e38e6bd16e6a57f32e02420ef54b44441d1521fcae1c039d0bd2
SHA512

4619d50ef2b020ccbd0f12a3d1ddef2ae020c879aa8ca19e0e352202b1fda44213811508f5ffaed160b9610ee929468d9661bc4f415c13f169f147486c75d409
SSDEEP

768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITJpE:qDdFJy3QMOtEvwDpjjWMl7T0

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
280	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
548	0522a0e317136172bb29f91644160280N.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/548-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000c0000000122e0-11.dat	upx
behavioral1/memory/548-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/280-26-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0522a0e317136172bb29f91644160280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 280	548	0522a0e317136172bb29f91644160280N.exe	31
PID 548 wrote to memory of 280	548	0522a0e317136172bb29f91644160280N.exe	31
PID 548 wrote to memory of 280	548	0522a0e317136172bb29f91644160280N.exe	31
PID 548 wrote to memory of 280	548	0522a0e317136172bb29f91644160280N.exe	31

C:\Users\Admin\AppData\Local\Temp\0522a0e317136172bb29f91644160280N.exe
"C:\Users\Admin\AppData\Local\Temp\0522a0e317136172bb29f91644160280N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
37KB

MD5
f8931ffbf65f3d3332d664b4690fd0b5

SHA1
41df0bc999bf7d67c3c3ab49a60b22d41f05135c

SHA256
a72c702cc94abe87e1257aa25b80b6e8995b811795e58cd1cc85fce20d779ddc

SHA512
e30b04ed9c23ca9d865fdfee835d06648554a66dfe206caa91c8048f694a441c8f3ff5b1ea2942a4b2d608160141bc6bcacde86f0ff1922fbd7afcbfbe68ffa0

Download Submit
memory/280-18-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/280-25-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/280-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/548-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/548-3-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/548-2-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/548-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/548-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download