3b781f33924952a39b0400f014eb1ff1f8cdf15375ab1df22bdd09daceda2942

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df26a9d4c0b86c4331515c353eb2aba0.exe
Size

38KB
MD5

df26a9d4c0b86c4331515c353eb2aba0
SHA1

46dd6ef1dc7a44e6d371b889a21a5c9af898e975
SHA256

3b781f33924952a39b0400f014eb1ff1f8cdf15375ab1df22bdd09daceda2942
SHA512

ce36ad6d66f078469dfef003c4ab5a798d667a026431099ab73f8f4640c2d5d694903c7b81c7f9a1087522df4c33b1157b811aa7848bc201689f7118dba6a60d
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzoiM8Nekdvjl9V50i3Nb/mVi5:bAvJCYOOvbRPDEgXrNekd7l94i3p/hx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	demka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	df26a9d4c0b86c4331515c353eb2aba0.exe

Executes dropped EXE 1 IoCs

pid	Process
4260	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4260	4112	df26a9d4c0b86c4331515c353eb2aba0.exe	89
PID 4112 wrote to memory of 4260	4112	df26a9d4c0b86c4331515c353eb2aba0.exe	89
PID 4112 wrote to memory of 4260	4112	df26a9d4c0b86c4331515c353eb2aba0.exe	89

C:\Users\Admin\AppData\Local\Temp\df26a9d4c0b86c4331515c353eb2aba0.exe
"C:\Users\Admin\AppData\Local\Temp\df26a9d4c0b86c4331515c353eb2aba0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
38KB

MD5
f3dffa1abf12222cfb2b0cc0149354eb

SHA1
0ecadd74759a116c41dae9a3e7866f5be90cb42b

SHA256
cbe21db327889b88b339473e36d8abe00d800e40aec3994d24fa96a7acb027f8

SHA512
60b465967a9b28cb93394c17c1b7324377771213da6736a15bd48e9b4c3c193726479e6981f1433c42038c7dc418953761567562389d2f9d93c5a4f553c4d7fd

Download Submit
memory/4112-0-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/4112-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4112-1-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/4260-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download