a6b304da706f65520019273d5f35dc9ede582febfe9e9a1d87c482eb46433256

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2.exe
Size

1010KB
MD5

eb217b0ac055b81266b477fe13e1676f
SHA1

5347d74cd3021717c3d67105648f325613df0782
SHA256

7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2
SHA512

6f38c118961844c7afa13bfe81a6d40de90bee23f5933a6949495db66a196372b224f676a6ecfca135fb9e6666e2b096e27b1be33adbf95cbed2c89361af8c38
SSDEEP

24576:OA/GdQEfRiHN7iaqCavgYCkS/Tfc8DvGyHa/d:OqEp6tKyX/TTHe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
26	4800	DAsap.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	DAsap.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DownloadAsap.lnk	DAsap.exe

Executes dropped EXE 2 IoCs

pid	Process
5104	DAsap.exe
4800	DAsap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DAsap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DAsap.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe
4800	DAsap.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 5104	5092	7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2.exe	89
PID 5092 wrote to memory of 5104	5092	7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2.exe	89
PID 5092 wrote to memory of 5104	5092	7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2.exe	89
PID 5104 wrote to memory of 4800	5104	DAsap.exe	92
PID 5104 wrote to memory of 4800	5104	DAsap.exe	92
PID 5104 wrote to memory of 4800	5104	DAsap.exe	92

C:\Users\Admin\AppData\Local\Temp\7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2.exe
"C:\Users\Admin\AppData\Local\Temp\7dad12bd22c31f2618cc56cbd738f1cce5afaea128fcfe1deb18f4ac7366c9d2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5092
- C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SFX20250409082107629\DAsap.exe
  "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SFX20250409082107629\DAsap.exe" -entry
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Centralx\DAsap\DAsap.exe
    "C:\Users\Admin\AppData\Local\Centralx\DAsap\DAsap.exe"
    3⤵
    - Downloads MZ/PE file
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4800

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SFX20250409082107629\DAsap.exe

Filesize
1.2MB

MD5
c4e2cff7a8f6fcb920671c4741f86361

SHA1
38626d0d1b7e93460bbf5af11263f2e4e6de2f40

SHA256
42efc2a700c8efe9754b1746532a8f92c0f017aec5efb867ec4f10b291f1dd23

SHA512
21afe116e2292031b17fecdf7d2cd597c34d585bbe664c5554aee9b246f15c06c9f45822f1548a5b5089e7938109a040b0d4b7da5c6df6f2008fcd5a57e113db

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SFX20250409082107629\DAsap.lng

Filesize
2KB

MD5
b4c28f8d7afb680328d007be1214eaef

SHA1
963e66857fab9f2a662cd09db9812119919e0218

SHA256
38b8b0898ac19c5843cca47084902f06f209a0531e9eb80b1aac819e34055f01

SHA512
8d9438664939eba1dbba33a97f3ff9a9169d618f566f1c7b8572f0a7c6a831d3979e4bb0f407d2c41adfd2841655e17d9c0d54facd30cac83218dca90a089468

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SFX20250409082107629\DAsapEntry.ini

Filesize
102KB

MD5
272af2fb09e12d721f28b19f0a2bab17

SHA1
58da01ea4f739ab0aa30306e0a6f47ede8a3a54d

SHA256
35621e28c2cd5cc8e335e0ad3e7a4be98c49b58513a6a0ecbda6f618e7d6acf4

SHA512
90cbaa963d0c5d24f8847415d5aeb832131228ddcaf3759d06e9ec95acd54cb17cf496f3b4f051af933fc54e28cab0dcc7a622d082f3f6aa43938800041f0e97

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\DAsap.ini

Filesize
83KB

MD5
1b7c0de30f0bb8f4ec7889e4bf9a52a5

SHA1
e8f637f73a450bb1e3e92a066ee35271378f6ea2

SHA256
800e643b186d585469170bd33e76f2015923018bf9f0820e5d622bc7335b4101

SHA512
8266fa6229a80819eb830d1b17738c1c52f774f2e5e72471cc720cfdfde7a1ac49e4d4dabefd55485d29e6e50326fe017188b73376105af6604156f9c87ceb15

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
7efac2ff9807ca59d3b41825ee89c52a

SHA1
c746da2b7d1b690d9866fc8a8fb27e29de7b25a0

SHA256
3e39a0fc735517f8692fd30ba8ce4cbe0379fddf05bdd49ff2201f348732896d

SHA512
99823035045eaa90855d60cbec450fd97b1cb54e6de01ccdb8ac9f7d2123a8681ff700f69dbaf509b559cca1fecfb1926aa3f33d75b29a2919e9f87fb0c77751

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
f72507e530019cdcd3084b5142dce140

SHA1
6e6fcf12f0e854fe09d4b0f5439f564e0f5b4051

SHA256
4a84310128b2fa239b49e960b414fa994f1e3119b5ef578d09d5bd0e8d727e52

SHA512
0af8ac6f9f306f3ab45bcb6da09ed4d79e942c0be77bc1b56f39482c3168ab801c585951f5d90b8c9e285101693e54ff5016f6e9d4069390992b1a1d6b8c0ea4

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
de7bd05c13544e3dddc0f672e1b9f605

SHA1
480b2efe62503301f2e35ffee025e6a286142356

SHA256
8ace0af1006dabd549577d703f184945832a3102da83b266af76361cd611520e

SHA512
42b6f3ebc6cd4c5a5ffd8a13561d198149c7ca39ac8ce2be079231e124c08a01b12145c3ff5e144361646d95071f2a0116d6cba6cd83b0d1704ac9c0e94f474d

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
44cdb393fc01f7c9e4fe2d9313a79903

SHA1
81554d7551d31196b58dca2d8d842c35fa5974bc

SHA256
e75cc015dbcf78b7faf410ad564584d82f44e533058d04331125861961d2c3ea

SHA512
c6c5b6de3a309ae81092e908de339aea70b1f469a888f466e21bf71cb488b1dfcdbb5f60dc3cc190970a1b3a3d68f64374473fa9aa44bafba7aea87b1029f889

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
d537186bb5455c7b471797fe18b765bf

SHA1
b9d443213e22e61692df053edcebc3db1683a7ef

SHA256
7ee998236148c747c65ef5180411392ab3bfcb723587056b1c98ce75a8601ea1

SHA512
088e88fdeaf4ab7bf014eb58069cd9f1645c9628f28eef5c7f9fcb9422a54e61b2d587ac6d22b3941254d6064b02a8a1f42fa2f7ffb4fa1a20007039b28ca7bf

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
bbb87b1993601a9702db080ce1c37ad7

SHA1
3c1d3821d2a86da16301c3844582e37af8431cb8

SHA256
07d3c44d174e7e78ac6866f5e8dff318b571c3bed40c0e94c417525402ccd7fb

SHA512
dde7510d03bafaf9d907c93d84a837f651a3afc0a7337d39306720663f6cc420117dfbc2b905cfa0b4dd56b21f8ca97aa24c49ffd3211ed77c03fcc9c1e05aef

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
92dc0a28d2946d746c796500c9d0a936

SHA1
10a8c099b90527b8b3a126f193126b4d43648c8d

SHA256
0d6600762b93b63c901edb3de8fc0bb3cead28b0bd14034dc9a34a5b492cbaa0

SHA512
c86d3b0ccf369000f1f1e23ca9cf105d62088e2f97f1e0e3f1563443304ccf29fdc6a14eb85c10bbf92793cc8351694b42795a35f49bf4e8a5879a61e129d31b

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
c21b8269c8b6653e9c94527106370df2

SHA1
23cd63609bbc69eaef7d5becbc099bee65aa5349

SHA256
6eea71449c6a1a634ee6ed3cc9b92f1e2e7285bdce613bacdf521979fddae8ae

SHA512
cf6209720330c4e0f3016ec3bf8fad3c4e025be4d0fb47103799e787eedc7b0cb5aadf242397a4bf1f126a50d221b882b02ad4c37e291d9f6339ef9d28cf6048

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
41229014a9c2c2b55f2906c1cf2f43bf

SHA1
b80e94d3554f46b5560c1600e9be199eb26c46e6

SHA256
d62500353b078cedd9826f19a0ba74a013295de2769f435c50105bb1bc56456e

SHA512
a0fe391f9c25a68062a8e8976308e5441f3e3207539970dd92876a1556139257ae69d007502ba4168c55f32b56d74d5acd6c3bcf5f2e7242e5949e319a733b3f

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
8eee98a2d0ae4dce9dbf6bf555023c74

SHA1
388d0b14a90bab2d0802bc23a569b6e2c1652d57

SHA256
878f82861e49ae7b4adeb39b8f85c7ebdab145afb008abe313749d4e6fe6218b

SHA512
841e95f328cf790fd2d2a49e4a411deaf4b4a39a526032038a45e122970953c6cacf0e8f5e38ed24aba195824460643a7920f0a548eb428453462235d0377f50

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
c5f7677e02102fb7ab5d1ef42adad1bf

SHA1
1a2a93350027b0d6f44c47f867b48592aaec2418

SHA256
aef649526fb2f2e47554ee6c4a34d73921659c121ff86f4f3b453af76c7e7f79

SHA512
351020f6ca6c116a204bc23e00c98162ab8016edaffba7e120a6fb78cd9f57e1b267639931fb4a694dd81901b7f813efa9056b10c0669dbb9a49d77b1fa67e66

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
07f02ab74ba50639ddab995495227baa

SHA1
ea6f1d29eff03c35f554acb268d3ce355caf50c4

SHA256
065da02064b504f0555429455e2e3451af77c894c8bdb77fdd8d524d6781af19

SHA512
c0c8cfe2e4b6fc1b3849b6a1e50d2c36b4b22cae41e11bb6b3c2ee4968e9c4fb94d65051f27b04bfc9f453160bd4439c1a198933c37eab67c48bd97757a4e69c

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
5e23a23d5c2c0fa2468fc0b3c063aa9d

SHA1
1d932680b7112ddd82a968de57a29e109538a562

SHA256
a391cd9e3924eecac4ee32367e51613e726fd19c6114035c6e463534e183ba4e

SHA512
b9a463f41214da0afa22e9e7c2300df19238bb31fe3b906e122e24cecde991477c06f637217633a09ce2c9892c3cb6c2326aece4b9a1054c94c75d3257fddf24

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
07414896367e389176a876c75854558e

SHA1
d9734c84274750ac35c10404bc2752c5ad2744d9

SHA256
3890e08eb92667d3b8350e67a49ff6410f43c584a080d9c600c9be3a50ada4ec

SHA512
67b64df26cec642f282772dcabad07c3a0d537be8792b15c9b8086de95f4e0b4b620412a29a76171303fd27ae6e828e643e27408cfc92a4ca072f2463a24206c

Download Submit
C:\Users\Admin\AppData\Local\Centralx\DAsap\Temp\map116.tmp

Filesize
2KB

MD5
5924c5067340a0ba202d1073f7765783

SHA1
cf1e5f7b4943abc9ec36e8f9417fd7f2a3fe0e8c

SHA256
12f66a5002beac020b4b48d4d9cab3a83f865c06f1058060ee04d2d0e5c3e579

SHA512
a13fbe9f964a7b76a9c1aa0778609c71155a05db8119eebee30bee822c5b13fda90a6b4f40ea4427dde7b783847c12738c1c9977ce0a09710aa842259a2caa32

Download Submit
memory/4800-357-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-312-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-25-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4800-423-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-412-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-273-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4800-272-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-290-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-301-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-400-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-323-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-335-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-346-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-390-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-368-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/4800-379-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/5092-0-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/5092-26-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5104-24-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/5104-7-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download