Overview

overview

7

Static

static

3

2b9657c4eb...8b.exe

windows7-x64

7

2b9657c4eb...8b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2024, 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b9657c4eb9ea8f2c2c089a722fc7bc1c4a3323ad032fdb5bf7e27708468d18b.exe

  • Size

    15KB

  • MD5

    617e04c28636691fa1a6b6a934d4447c

  • SHA1

    d229158b95a9025b1162f7e802876ec7bd6394bc

  • SHA256

    2b9657c4eb9ea8f2c2c089a722fc7bc1c4a3323ad032fdb5bf7e27708468d18b

  • SHA512

    29575ddb6d3b7c8908aca5a079916a36e8d4285cc9b8d486b3d707e0a645bd68a69e110ce3e2094f67b425ae05dc608c0fea6654626f157e90a05de856a2ea56

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcPay8T:hDXWipuE+K3/SSHgxmkClT

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b9657c4eb9ea8f2c2c089a722fc7bc1c4a3323ad032fdb5bf7e27708468d18b.exe
    "C:\Users\Admin\AppData\Local\Temp\2b9657c4eb9ea8f2c2c089a722fc7bc1c4a3323ad032fdb5bf7e27708468d18b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\AppData\Local\Temp\DEMB074.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB074.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\DEM7AC.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM7AC.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Users\Admin\AppData\Local\Temp\DEM5E38.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM5E38.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Users\Admin\AppData\Local\Temp\DEMB457.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB457.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3600
            • C:\Users\Admin\AppData\Local\Temp\DEMB12.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMB12.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2428
              • C:\Users\Admin\AppData\Local\Temp\DEM6160.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM6160.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:3968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM5E38.exe
    Filesize

    15KB

    MD5

    8ee2cb5ce78b6917cea1c2e507a3befa

    SHA1

    e3c00962176e9e274eac5567b742d58fb09a87e1

    SHA256

    d06d2277dd1d489b6c8ff7934be4077603ce7b86a0a3bc6c8717d197e40076ff

    SHA512

    9eb6ff2ee33f8e3e3b0c305fb825d197b49dd934f3e6f07f4afd6fcac4e106adef05b3a1d054702fd05f40acd06ab36460884eb39ad65c51d64a9b563cb0ecb3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM6160.exe
    Filesize

    15KB

    MD5

    a34c5a6137a9190428ec15695c49d49e

    SHA1

    6e42016858da67a9727b4713247ae0e4befaebee

    SHA256

    21cb6d6d67ee3802b1f7217db35a2413dcfc00a258a347cfa40a4e36662db2f5

    SHA512

    a710fc5abdb760a4795e8d48057dcfe98886babeeaf2a6817594890887d6b0fc3ac27811ce8e91664cf648e0b79e34a8546e9ea703732955601e3b56c0969c63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM7AC.exe
    Filesize

    15KB

    MD5

    2d2e9cec488c2a518369ed726da426d9

    SHA1

    a02ba3cd4bb78c9a60112da1c4d9defec773d223

    SHA256

    38a16a36d97af9b1871f321c36c38fdadf99fbb23b5a6971107592309cb3050b

    SHA512

    944d89e602e9c65abb727b51b618ca1a22eef86887219fce9bd34dd188a115d6a046c4e450f62ae85f98df8f2a0a8cd358804d0b8d30368837a5262c4bc0c2ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB074.exe
    Filesize

    15KB

    MD5

    6bd6864cff77a96a304ad24d914faa33

    SHA1

    0b4fe3c649e4858b2d0bd2f724b967fe0f766280

    SHA256

    34dea108ce797dda20ae1e274dd3767236619fcbca2180e21749b1a5cf2349b2

    SHA512

    e78785c512babfbccc91034d0aa64c6e83eb8cd137c4e6c137f0c45134332c65472d4722a95729dadff787e9020faa397e7455efda40e2dff6702c9dff9016d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB12.exe
    Filesize

    15KB

    MD5

    480bbe6b498872c1b113b7d911839d0c

    SHA1

    fc45851a0ad8a2dce5a830614932516ed9766469

    SHA256

    4d63f7610de5389050d5ff295a98d7539500281a0b795caec469b7a14e160879

    SHA512

    04b3c66392a1c0d0b1f35c613e013ddb17cd191a50652a1815b4ac893aca31747260007f48491cb02b8b8b45c5373e8d0bca21ad2ffad1980fccff9c84be945b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB457.exe
    Filesize

    15KB

    MD5

    c6d6b385940130b140f2e427a4162661

    SHA1

    b23d33ee9638d73e85757b989f6fee275cad39ec

    SHA256

    7f5ffc7025e5672bf06886c17f9b951bd7e1b63aadeb803a77a241fc13f0e596

    SHA512

    fbf0e0dee8f5f43a11f84f0a197902cc63e1758d95fcb7a065261e9e0479ce49ed3256b224219404fe8af40ed5412f1657565e972c720da3eff12429f4f68ee7

    Download Submit