c95c0a1bb19e0710cadf18a1a5919a4ca094bed708f8f5078e462417255483db

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f134fe8ba9f40562d5d95d31bd02c6.exe
Size

33KB
MD5

39f134fe8ba9f40562d5d95d31bd02c6
SHA1

f6b15e8b9c6e6b79694efc427bfcc0806802d3dd
SHA256

c95c0a1bb19e0710cadf18a1a5919a4ca094bed708f8f5078e462417255483db
SHA512

5a275e702f27b9e6b111ef8d6674acb0c31452a9c9cacd38c19a95ccfbd9bfad5dd6c4dca18fb89806d2de25a71335ba96aa7c01867f73d446db373589ab65fa
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v7TI8:bAvJCYOOvbRPDEgXRcJx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	39f134fe8ba9f40562d5d95d31bd02c6.exe

Executes dropped EXE 1 IoCs

pid	Process
3356	demka.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 3356	3104	39f134fe8ba9f40562d5d95d31bd02c6.exe	82
PID 3104 wrote to memory of 3356	3104	39f134fe8ba9f40562d5d95d31bd02c6.exe	82
PID 3104 wrote to memory of 3356	3104	39f134fe8ba9f40562d5d95d31bd02c6.exe	82

C:\Users\Admin\AppData\Local\Temp\39f134fe8ba9f40562d5d95d31bd02c6.exe
"C:\Users\Admin\AppData\Local\Temp\39f134fe8ba9f40562d5d95d31bd02c6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Executes dropped EXE
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
33KB

MD5
c7fb12bf5adceaac08090e1bfaf8de0d

SHA1
6c45f3f6bb52e1f7c12fcdfe78fcab651ea1c105

SHA256
7c676ed3c7b34922adb93fdc437a2aeb97976b01c652d57511945f1ef535791d

SHA512
b8733eed360e7bbad81f1c2d0ec179fab76e8e93dc68f10d8ab3686218285757f7e9394350cb8b690d4efe8c491783dbfb4f943c3c822f56d5945e84acf43a2d

Download Submit
memory/3104-0-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/3104-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3104-8-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/3356-25-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download