301e7653a37242930010d9ae0abcce3643c6b2912dad2842b6dc9d6a229fa844

Analysis

max time kernel
64s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19ae7ad249472bexeexeexeex.exe
Size

31KB
MD5

19ae7ad249472b033c1e62e257e8b590
SHA1

3a173f7375f1d17c0002270fd0664f16221aab33
SHA256

301e7653a37242930010d9ae0abcce3643c6b2912dad2842b6dc9d6a229fa844
SHA512

aae478212e630954b4535c95005a83610671081267bc5008086b58b3af15caf1e18b9774b29356cc745b335c2378da9d11a33fc5f64f3b066f437aa154ea6c20
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzogFzpjuoa:bAvJCYOOvbRPDEgXVFzpCoa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	19ae7ad249472bexeexeexeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	demka.exe

Executes dropped EXE 1 IoCs

pid	Process
4660	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4660	4220	19ae7ad249472bexeexeexeex.exe	79
PID 4220 wrote to memory of 4660	4220	19ae7ad249472bexeexeexeex.exe	79
PID 4220 wrote to memory of 4660	4220	19ae7ad249472bexeexeexeex.exe	79

C:\Users\Admin\AppData\Local\Temp\19ae7ad249472bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\19ae7ad249472bexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
92f498f8bc524cc8200413fc0786485b

SHA1
dd2935bd8174b06a7016a312b8c1fb4b7b1f0cec

SHA256
da47330ae710fa285187e234a1faa5a7e86d9a26087400e6138c138d4f915a00

SHA512
0e8c110ca1aae18266b03bc840a599e80f9bb133935226f300494eabd6a7c971ff51f1ccb741c25c62710411b37f786e1c2e643d5bfc588f51c8c6cb76a96f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
92f498f8bc524cc8200413fc0786485b

SHA1
dd2935bd8174b06a7016a312b8c1fb4b7b1f0cec

SHA256
da47330ae710fa285187e234a1faa5a7e86d9a26087400e6138c138d4f915a00

SHA512
0e8c110ca1aae18266b03bc840a599e80f9bb133935226f300494eabd6a7c971ff51f1ccb741c25c62710411b37f786e1c2e643d5bfc588f51c8c6cb76a96f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
92f498f8bc524cc8200413fc0786485b

SHA1
dd2935bd8174b06a7016a312b8c1fb4b7b1f0cec

SHA256
da47330ae710fa285187e234a1faa5a7e86d9a26087400e6138c138d4f915a00

SHA512
0e8c110ca1aae18266b03bc840a599e80f9bb133935226f300494eabd6a7c971ff51f1ccb741c25c62710411b37f786e1c2e643d5bfc588f51c8c6cb76a96f08

Download Submit
memory/4220-133-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download
memory/4220-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download