73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc

Analysis

max time kernel
132s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe
Size

43KB
MD5

bd0f98cedf8523a13f564ef30f38e1fa
SHA1

11eead085df1a2271028552d2ea9cd79b8806243
SHA256

73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc
SHA512

411d05cbc1a7d1c493cf203631bc2b64c10861a5d38b3c6545265c9f51ba2c7d3a4a6e330bae9afb4bb65b2944031112a3f3fb66b536b256021d42a210b74357
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HK/wSvuQTCyD/957sm:X6QFElP6n+gJQMOtEvwDpjBsYK/fbDFp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2092	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2124	73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2092	2124	73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe	30
PID 2124 wrote to memory of 2092	2124	73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe	30
PID 2124 wrote to memory of 2092	2124	73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe	30
PID 2124 wrote to memory of 2092	2124	73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe	30

C:\Users\Admin\AppData\Local\Temp\73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe
"C:\Users\Admin\AppData\Local\Temp\73d9ef62fbc6c13ddee9c88018cb482b60c6f5849e22e28cede11f9575b48bfc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
44KB

MD5
6f2368b7d74b57dbea6a735e6cd0f546

SHA1
9e169f99af1c73b1c38ec7e5a2af3af76c999700

SHA256
10a20331f92b950b78589c9120944b7f4d7b8a40979a152ee98ff68fc998e798

SHA512
55d7103df20c632f3d445a364063c0e29610bfec301245378c2cc11b1ec124215f7d3ff4a484129432984bdde68f78c694ce0b4ee4b4afa6b2eec5a7ca1ba470

Download Submit
memory/2092-15-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2092-22-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2124-0-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2124-1-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2124-8-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download