2e402d9779e3b3399479a69016a0912d2b5f705f33c2aa98dd2c819ac0829e28

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17-10-2024 #20/Adobe Reader.exe
Size

40KB
MD5

417abe62696fb26013631a4ceccd4cf0
SHA1

2c2428dcf3b8a3385176322458914b466246a0ed
SHA256

abfe2cb54b9576e0ecf67ade15b1ced533e8abc1d930098e62c1e09dbe8f96f3
SHA512

d9e6b5b21273bd2fb206b8f23bb65c3cc529df91c1f7b40560e0afd685bfdef5f4d0af6c9765d2bb191a9b9d79391fe1592749e09896f901b83fd12ee2267007
SSDEEP

768:qTVbxjgQNQXtckstOOtEvwDpjAaD3TUogs/VXpAPWRiw:qTJu9cvMOtEvwDpjppVXzRx

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Adobe Reader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Adobe Reader.exe

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

4208 asih.exe

pid	process
4208	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/3904-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\asih.exe	upx
behavioral4/memory/3904-18-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral4/memory/4208-27-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Adobe Reader.exeasih.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe Reader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Adobe Reader.exe

description	pid	process	target process
PID 3904 wrote to memory of 4208	3904	Adobe Reader.exe	asih.exe
PID 3904 wrote to memory of 4208	3904	Adobe Reader.exe	asih.exe
PID 3904 wrote to memory of 4208	3904	Adobe Reader.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe
"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Adobe Reader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
40KB

MD5
70ad66092dc58c51a3594b425f6ede37

SHA1
ccd729a8a6464fa4ba504798b6d82388f6d4db33

SHA256
cc5a7a4be50871408a20e53b38462ecf7201fcd05c0d53a66570182fb0005f41

SHA512
105ed1cbcbcb6f6ba765c3505acf86627260b99df5f984ea2a6104d6ba8e93f6d477b01b3fc04dc6a4cc4245ad69a0a925720486ed1b3d7a0c5279133f719a3e

Download Submit
memory/3904-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3904-1-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/3904-2-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/3904-3-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/3904-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4208-20-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4208-26-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/4208-27-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download