Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/06/2024, 01:26

General

  • Target

    17a2bd37205afd412dd1137079d8dab7.exe

  • Size

    14KB

  • MD5

    17a2bd37205afd412dd1137079d8dab7

  • SHA1

    a8d1e3dfa12c531fcb22e97399b53d55f4fa0394

  • SHA256

    f50b0c9c8a17ee4cee8f4d4921ffd918ec861668b249ec50ff2d2cec3ee52c0e

  • SHA512

    a10c6ef797b224f7294f01d831e8ab8feb81868082118cee0ee612d33f5c880bc03013cb2af769b5c0a726a30b81d1c458070ca29c99c085e7bd708690bda3fb

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJSn:hDXWipuE+K3/SSHgxS

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 6 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\17a2bd37205afd412dd1137079d8dab7.exe
    "C:\Users\Admin\AppData\Local\Temp\17a2bd37205afd412dd1137079d8dab7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Users\Admin\AppData\Local\Temp\DEM597A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM597A.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Users\Admin\AppData\Local\Temp\DEMB026.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB026.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Users\Admin\AppData\Local\Temp\DEM673.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM673.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1772
          • C:\Users\Admin\AppData\Local\Temp\DEM5C92.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM5C92.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3636
            • C:\Users\Admin\AppData\Local\Temp\DEMB2F0.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMB2F0.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2864
              • C:\Users\Admin\AppData\Local\Temp\DEM96C.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM96C.exe"
                7⤵
                • Executes dropped EXE
                PID:312
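The process tree above is a seven-deep drop-and-execute chain: every stage is a 14KB executable written to the user's %TEMP% directory that spawns the next one, and the Downloads section shows that each dropped file has a different hash despite the identical size. The following is an added detection example, not code from the sandbox report or its tooling. It reconstructs that chain from process-creation records of the shape Sysmon Event ID 1 produces, flags the registry lookup behind the "Checks computer location settings" signature, and matches dropped-file hashes against the SHA256 values listed under Downloads. The events are constructed to mirror this report: PIDs and image paths are the report's, while the root's parent PID (4400), the notepad noise line, and the `Control Panel\International\Geo` key path used for the geofence check are assumptions.

```python
"""Added example: detect a nested %TEMP% drop-and-execute chain, a geo-location
registry lookup, and known dropped-file hashes from event records.
Not part of the sandbox report; event data below is constructed."""
import re
from collections import defaultdict

# An .exe sitting directly under <user>\AppData\Local\Temp.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

# Assumed key behind the "Checks computer location settings" signature.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo(\\|$)", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 shape).
# PIDs and images are from the report; ppid 4400 and the notepad line are assumed.
EVENTS = [
    {"pid": 2716, "ppid": 4400, "image": r"C:\Users\Admin\AppData\Local\Temp\17a2bd37205afd412dd1137079d8dab7.exe"},
    {"pid": 2928, "ppid": 2716, "image": r"C:\Users\Admin\AppData\Local\Temp\DEM597A.exe"},
    {"pid": 1816, "ppid": 2928, "image": r"C:\Users\Admin\AppData\Local\Temp\DEMB026.exe"},
    {"pid": 1772, "ppid": 1816, "image": r"C:\Users\Admin\AppData\Local\Temp\DEM673.exe"},
    {"pid": 3636, "ppid": 1772, "image": r"C:\Users\Admin\AppData\Local\Temp\DEM5C92.exe"},
    {"pid": 2864, "ppid": 3636, "image": r"C:\Users\Admin\AppData\Local\Temp\DEMB2F0.exe"},
    {"pid": 312,  "ppid": 2864, "image": r"C:\Users\Admin\AppData\Local\Temp\DEM96C.exe"},
    {"pid": 5000, "ppid": 4400, "image": r"C:\Windows\System32\notepad.exe"},  # benign noise
]

# SHA256 of the six dropped files, copied from the report's Downloads section.
DROPPED_SHA256 = {
    "ee732693171b59a976b680293ace759c890b0305e242f52318a249fabb972470": "DEM597A.exe",
    "e0f6bbf76b313b561b90f2d10074cb903e51d84e881c0065eb4bae48624ae374": "DEM5C92.exe",
    "bd1288e18afae566fb8abe6bdc9c30f5175a359804f33659b8e280ad6e9ce592": "DEM673.exe",
    "920566a59193dca96dc7ac8870902203647dd8522a9960aded18c3197eabee78": "DEM96C.exe",
    "6cea9f0d358170604465b61db51858ef3aabb8ad1f06da0e772e3393c106808f": "DEMB026.exe",
    "44edc6e2e47d0540c9ac1f037e87deab637f7dc71dd11f60744fd64f76851fd9": "DEMB2F0.exe",
}


def is_temp_exe(image: str) -> bool:
    """True if the process image is an .exe directly under the user's %TEMP%."""
    return TEMP_EXE.search(image) is not None


def is_geo_lookup(target_object: str) -> bool:
    """True for a registry event touching the (assumed) Geo location key."""
    return GEO_KEY.search(target_object) is not None


def temp_exec_chains(events, min_depth: int = 2):
    """Return PID chains where every process is a %TEMP% .exe and each spawns
    the next. A chain starts at a %TEMP% .exe whose parent is not one, and the
    longest child path below it is reported."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    def longest(pid):
        best = [pid]
        for child in children.get(pid, []):
            if is_temp_exe(by_pid[child]["image"]):
                candidate = [pid] + longest(child)
                if len(candidate) > len(best):
                    best = candidate
        return best

    chains = []
    for e in events:
        if not is_temp_exe(e["image"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is not None and is_temp_exe(parent["image"]):
            continue  # interior node, not a chain root
        chain = longest(e["pid"])
        if len(chain) >= min_depth:
            chains.append(chain)
    return chains


def match_dropped(observed: dict):
    """observed maps file path -> SHA256 (e.g. from Get-FileHash or a hashed
    file-create event); returns (path, report name) for hashes in the IoC set."""
    return [(path, DROPPED_SHA256[h.lower()])
            for path, h in observed.items() if h.lower() in DROPPED_SHA256]


if __name__ == "__main__":
    for chain in temp_exec_chains(EVENTS):
        print(f"%TEMP% exec chain, depth {len(chain)}: {' -> '.join(map(str, chain))}")
```

On a real host, feed the same shape from Sysmon Event ID 1 (process create), Event ID 12/13 (registry) for `is_geo_lookup`, and Event ID 11 (file create) enriched with hashes for `match_dropped`. Hash matching only catches these exact drops; since every stage here carries a different hash at the same size, the chain-depth rule is the durable signal.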

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM597A.exe

    Filesize

    14KB

    MD5

    05d504de3f3aca0e2aeb201324044c40

    SHA1

    02f9697a64f1e8819c103eb5118e32b7dbd437e4

    SHA256

    ee732693171b59a976b680293ace759c890b0305e242f52318a249fabb972470

    SHA512

    10c6341d6ca15dbb13b583b7dc116fdfe612413481832a06cfcbe9a32be7f030f82caec00a46ce1b119f3980f90a52ff72fc718f292794712f4ca78fd549f13f

  • C:\Users\Admin\AppData\Local\Temp\DEM5C92.exe

    Filesize

    14KB

    MD5

    1c7d982331ce882c74bd542dc8d0339e

    SHA1

    a9b0d9c11cf3fbf5f09fce8897e4a30b653d8ede

    SHA256

    e0f6bbf76b313b561b90f2d10074cb903e51d84e881c0065eb4bae48624ae374

    SHA512

    f9e6dc534904ca129c61a3ccdd7a5b67cadf7dd47c85cedcd4e7ca3679cc84953dcb6c0c95b6eace032a8d8f6142131e14a48f3f1198f2189fad8933f7d4ea3b

  • C:\Users\Admin\AppData\Local\Temp\DEM673.exe

    Filesize

    14KB

    MD5

    63e6ca28ae87d2f5b8e0aac65614b6f1

    SHA1

    158f0e0f3b03f6f76023902a5768185427cf480e

    SHA256

    bd1288e18afae566fb8abe6bdc9c30f5175a359804f33659b8e280ad6e9ce592

    SHA512

    a32e82bf9e631d83e596eb23ca6796908d466a507f15be913d4d4c2e61bf7ce81dfc0095cd28d6e58f2ff9a71049001cb0ad3607e7af4c3c0887aa937da2a829

  • C:\Users\Admin\AppData\Local\Temp\DEM96C.exe

    Filesize

    14KB

    MD5

    a7402b410dcf5b0f34546f0a9988035b

    SHA1

    c997061287b145defbdbbe517227d2063cb28c8f

    SHA256

    920566a59193dca96dc7ac8870902203647dd8522a9960aded18c3197eabee78

    SHA512

    85ffe30586401e32cae1e5308adffb4e20a422b6d8ec8e28eddf14428d1c9be6a5b2d068d552dc36262a21b0fcc55e066f6cd031ee9d96fd11f986d3eecc0333

  • C:\Users\Admin\AppData\Local\Temp\DEMB026.exe

    Filesize

    14KB

    MD5

    c7ae6920c53a0faee45b0a1933b98fcf

    SHA1

    2c29a4ac3240cd739ae389eeef71aab2ffeb38d4

    SHA256

    6cea9f0d358170604465b61db51858ef3aabb8ad1f06da0e772e3393c106808f

    SHA512

    b083f6ef0705246bb7ee9f3a598dfd547ecd9dbbcfd537a42fc4315db78cec2b0a4469777f70531bd4ad086796bad2edbb8a9c6fb7bd39ca893f2f29f900d6e9

  • C:\Users\Admin\AppData\Local\Temp\DEMB2F0.exe

    Filesize

    14KB

    MD5

    cc2c1e63442087601d19834b6d8e85c1

    SHA1

    978a0e013a3f63a6a9db29922f3bd96f95e820d7

    SHA256

    44edc6e2e47d0540c9ac1f037e87deab637f7dc71dd11f60744fd64f76851fd9

    SHA512

    041abc2d325f6b3f412b8b5d05792c375d7a0aa89a2d7066544f2cf298554bc3664f2c98dbaa9234420ee396e428c0c699295a1ff6db2b973db1f942b52e47c0