Overview

overview

7

Static

static

3

0a6590df2a...28.exe

windows7-x64

7

0a6590df2a...28.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2024, 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a6590df2a6d46c2423bc155437e64a1e80d2dc1a450e95ce14d41198194a928.exe

  • Size

    20KB

  • MD5

    19f0a7095c3dcfc5d776a7518113d2eb

  • SHA1

    e49d51110cbec2d2fe254de87488345643bff4aa

  • SHA256

    0a6590df2a6d46c2423bc155437e64a1e80d2dc1a450e95ce14d41198194a928

  • SHA512

    e0e937e1ba0e211a3f4f1be5f2266646f790ed513624cf3476a684c78cc0d6764bed564de3a9bc981fc9074c28cc1d55f9cc21a8f0e255137b9e58709e980828

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L41qv:hDXWipuE+K3/SSHgxmHZ1+

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a6590df2a6d46c2423bc155437e64a1e80d2dc1a450e95ce14d41198194a928.exe
    "C:\Users\Admin\AppData\Local\Temp\0a6590df2a6d46c2423bc155437e64a1e80d2dc1a450e95ce14d41198194a928.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Users\Admin\AppData\Local\Temp\DEMB517.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB517.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\DEMC01.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMC01.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Users\Admin\AppData\Local\Temp\DEM6220.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM6220.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4356
          • C:\Users\Admin\AppData\Local\Temp\DEMB7F1.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB7F1.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3384
            • C:\Users\Admin\AppData\Local\Temp\DEME3F.exe
              "C:\Users\Admin\AppData\Local\Temp\DEME3F.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3924
              • C:\Users\Admin\AppData\Local\Temp\DEM648C.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM648C.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:3564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM6220.exe
    Filesize

    20KB

    MD5

    2bc9067af5553ddeecab4f4affcccec4

    SHA1

    eafaa60df8be374504c37ce9023ce9d4bfb181cd

    SHA256

    7d7334e135d0a1332a02fad0c5cd129064bac7bcf795aef2e404488220d9d373

    SHA512

    61e9907ae239772a69ec843e7a72a975ed84b74ece3a27438ceeac7c709a79ade0ea415bc9ea7c2f996b69aa66786d83e84d52aa3639ca94644d362ece532ac3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM648C.exe
    Filesize

    20KB

    MD5

    216d3df358878fb2b739d4660d452331

    SHA1

    d1e0228c917cbeba4616be7e3e51b8765f41f163

    SHA256

    4c45d74ef5aadf120245ee2da5f3607f57bf9b9669196d3f4ad53627c11a254f

    SHA512

    5d9ebdd6bac737a8e28b97668360fdc21c7566f15ccdaccf883e4ec864d6d352a84ce13ab7d2bdf5a8ee5b73ac83f745202dd398be3c8048554d8ef4d0f84c53

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB517.exe
    Filesize

    20KB

    MD5

    b7faaedcdf7c82d701d743febfe1a91f

    SHA1

    6bd9b1c1a47b9c08433d3a316d90ed5973494dc8

    SHA256

    49ecb517aa6f7bcbef5f068f5ab0d9dcba017a20637913aa1e59a98b47f84236

    SHA512

    5a94a950f3163dc5a90f8de231bc6766cbfb23e9dcc914c0fc9ad0a27968cd61185b42fbdf3df1f10bef946abff80ace070ff36b3009f1df2922bcee3ef5e28c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB7F1.exe
    Filesize

    20KB

    MD5

    441aab162a35205e3866312c26585872

    SHA1

    edd11bc99531b97d3c715197713d26dce356ad84

    SHA256

    7caeb5dc000eef5a9dd86ffa1e5dca444e054445a441a54ba0b29820acf7ffd9

    SHA512

    3ca1b8a693904a8a94871c06a4cefee4d8952cc17aa6a910c93919ed4b092f1bfb0f6a6490e778b80ed8ffccd2c867f40207be9393587580de9e2ea9e57b95cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMC01.exe
    Filesize

    20KB

    MD5

    32a390517c966418f5f252c44950a188

    SHA1

    00ed4b7260214956b858365aebf331dbbf6f42ec

    SHA256

    00548a1e14726a66f7736c2d40ef07db60a99f418a3646d69812676aff346c01

    SHA512

    ebb3874390896f12fa1c4a2a94c1d27d70dab4011e1e3e9f97f72e034e4182fe3d6bf19aacdc9b5d10797789eb2b83a1c8ceeb6c63cb50311c88a0b8051d8432

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEME3F.exe
    Filesize

    20KB

    MD5

    263d69d7f1409348f4531a0704a5e641

    SHA1

    7ce478aa43deacdbffbb850a680b2c999e6a6698

    SHA256

    dfdb1d7b6d1b162fb22cfe2bd4780674a087a31304b88cd5c2503c4e7dc39935

    SHA512

    dd190369b184d8cee2dcf7e8d614b82fa1ac511cc7d879140919d83ec0a581b06f456a8c6f85c4d522e6a31fa936e2c78b406f3bc4ba4aace7ac885bbc3041c1

    Download Submit