Analysis
-
max time kernel
131s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
03-09-2024 05:30
Static task
static1
Behavioral task
behavioral1
Sample
530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe
Resource
win10v2004-20240802-en
General
-
Target
530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe
-
Size
16KB
-
MD5
449769a18f975df3ad5e6aedb4b4337d
-
SHA1
1fe55ea9aec10467ac64196d8906a5359e65df20
-
SHA256
530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5
-
SHA512
57e8cb8cc7841180bb6c84f7aa1e33f5d8e39b6f5ebd02bba0049f4b7d4e29b7099dc2a0ddb725dcf6d3d2a2a4decb350a1972aeb56e515fbc19c52eaa3f0bff
-
SSDEEP
384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L47nPi7:hDXWipuE+K3/SSHgxmHZbo
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
pid | Process
2240 | DEM7D99.exe
2484 | DEMD3D3.exe
2624 | DEM2942.exe
2248 | DEM7E73.exe
2320 | DEMD385.exe
1180 | DEM2952.exe
-
Loads dropped DLL 6 IoCs
pid | Process
2876 | 530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe
2240 | DEM7D99.exe
2484 | DEMD3D3.exe
2624 | DEM2942.exe
2248 | DEM7E73.exe
2320 | DEMD385.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMD3D3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM2942.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM7E73.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMD385.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM7D99.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2876 wrote to memory of 2240 | 2876 | 530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe | 30
PID 2876 wrote to memory of 2240 | 2876 | 530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe | 30
PID 2876 wrote to memory of 2240 | 2876 | 530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe | 30
PID 2876 wrote to memory of 2240 | 2876 | 530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe | 30
PID 2240 wrote to memory of 2484 | 2240 | DEM7D99.exe | 32
PID 2240 wrote to memory of 2484 | 2240 | DEM7D99.exe | 32
PID 2240 wrote to memory of 2484 | 2240 | DEM7D99.exe | 32
PID 2240 wrote to memory of 2484 | 2240 | DEM7D99.exe | 32
PID 2484 wrote to memory of 2624 | 2484 | DEMD3D3.exe | 34
PID 2484 wrote to memory of 2624 | 2484 | DEMD3D3.exe | 34
PID 2484 wrote to memory of 2624 | 2484 | DEMD3D3.exe | 34
PID 2484 wrote to memory of 2624 | 2484 | DEMD3D3.exe | 34
PID 2624 wrote to memory of 2248 | 2624 | DEM2942.exe | 36
PID 2624 wrote to memory of 2248 | 2624 | DEM2942.exe | 36
PID 2624 wrote to memory of 2248 | 2624 | DEM2942.exe | 36
PID 2624 wrote to memory of 2248 | 2624 | DEM2942.exe | 36
PID 2248 wrote to memory of 2320 | 2248 | DEM7E73.exe | 38
PID 2248 wrote to memory of 2320 | 2248 | DEM7E73.exe | 38
PID 2248 wrote to memory of 2320 | 2248 | DEM7E73.exe | 38
PID 2248 wrote to memory of 2320 | 2248 | DEM7E73.exe | 38
PID 2320 wrote to memory of 1180 | 2320 | DEMD385.exe | 40
PID 2320 wrote to memory of 1180 | 2320 | DEMD385.exe | 40
PID 2320 wrote to memory of 1180 | 2320 | DEMD385.exe | 40
PID 2320 wrote to memory of 1180 | 2320 | DEMD385.exe | 40
Processes
-
Process tree (each entry is a child process of the entry above it):

[1] C:\Users\Admin\AppData\Local\Temp\530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2876
[2] C:\Users\Admin\AppData\Local\Temp\DEM7D99.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7D99.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2240
[3] C:\Users\Admin\AppData\Local\Temp\DEMD3D3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD3D3.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2484
[4] C:\Users\Admin\AppData\Local\Temp\DEM2942.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2942.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2624
[5] C:\Users\Admin\AppData\Local\Temp\DEM7E73.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7E73.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2248
[6] C:\Users\Admin\AppData\Local\Temp\DEMD385.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD385.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2320
[7] C:\Users\Admin\AppData\Local\Temp\DEM2952.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2952.exe"
    - Executes dropped EXE
    PID: 1180
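The "Suspicious use of WriteProcessMemory" events and the process tree above describe the same thing from two angles: each executable drops the next one into %TEMP% and starts it, and the sandbox records the parent writing into the new child's memory (four calls per spawn, which is what CreateProcess does while setting up a new process). The script below is an added example, not part of the report or the sample: it parses the event lines exactly as the report prints them, collapses the repeated calls into parent/child edges, rebuilds the linear chain, and applies a detection heuristic. The event lines and the PID-to-image mapping are copied from the report; the chain-length threshold (MIN_CHAIN) and the "started from %TEMP%" test are assumptions chosen for this illustration.

```python
"""Rebuild the spawn chain from the report's WriteProcessMemory events.

Added example; not part of the sandbox report or the sample. EVENTS and
PROCESSES are copied from the report. MIN_CHAIN and the %TEMP% test are
assumptions for this illustration.
"""
import re
from collections import Counter

SAMPLE = "530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Copied from the "Suspicious use of WriteProcessMemory" signature. The sandbox
# logs one line per call, so each parent/child pair appears four times.
EVENTS = "\n".join(
    [f"PID 2876 wrote to memory of 2240 2876 {SAMPLE} 30"] * 4
    + ["PID 2240 wrote to memory of 2484 2240 DEM7D99.exe 32"] * 4
    + ["PID 2484 wrote to memory of 2624 2484 DEMD3D3.exe 34"] * 4
    + ["PID 2624 wrote to memory of 2248 2624 DEM2942.exe 36"] * 4
    + ["PID 2248 wrote to memory of 2320 2248 DEM7E73.exe 38"] * 4
    + ["PID 2320 wrote to memory of 1180 2320 DEMD385.exe 40"] * 4
)

# Copied from the "Processes" section: pid -> image path.
PROCESSES = {
    2876: f"{TEMP}\\{SAMPLE}",
    2240: f"{TEMP}\\DEM7D99.exe",
    2484: f"{TEMP}\\DEMD3D3.exe",
    2624: f"{TEMP}\\DEM2942.exe",
    2248: f"{TEMP}\\DEM7E73.exe",
    2320: f"{TEMP}\\DEMD385.exe",
    1180: f"{TEMP}\\DEM2952.exe",
}

MIN_CHAIN = 3  # assumption: 3+ processes re-spawned out of %TEMP% is a dropper chain

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_events(text):
    """Collapse per-call lines into {(parent_pid, child_pid): call_count}."""
    edges = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def find_roots(edges):
    """PIDs that wrote into other processes but were never written into."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def build_chain(edges, root):
    """Follow parent -> child links from root while the tree stays linear.

    Stops at a leaf or at the first fan-out, so the result is exactly the
    straight-line chain shown in the report's process tree.
    """
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    chain, seen = [root], {root}
    while True:
        nxt = [c for c in children.get(chain[-1], []) if c not in seen]
        if len(nxt) != 1:
            break
        seen.add(nxt[0])
        chain.append(nxt[0])
    return chain


def in_temp(path):
    """True if the image lives under the user's %TEMP% (case-insensitive)."""
    return "\\appdata\\local\\temp\\" in path.lower()


def is_dropper_chain(chain, processes):
    """Heuristic: a linear chain of at least MIN_CHAIN processes in which every
    child image (everything after the root) was started out of %TEMP%."""
    if len(chain) < MIN_CHAIN:
        return False
    return all(in_temp(processes.get(pid, "")) for pid in chain[1:])


def analyse(text=EVENTS, processes=PROCESSES):
    edges = parse_events(text)
    roots = find_roots(edges)
    chain = build_chain(edges, roots[0]) if roots else []
    return {"edges": dict(edges), "roots": roots, "chain": chain,
            "flagged": is_dropper_chain(chain, processes)}


if __name__ == "__main__":
    result = analyse()
    for depth, pid in enumerate(result["chain"], 1):
        print(f"{depth}: pid {pid} {PROCESSES.get(pid, '?')}")
    print("dropper chain:", result["flagged"])
```

Run against the report's data it recovers the seven-process chain 2876 -> 2240 -> 2484 -> 2624 -> 2248 -> 2320 -> 1180 and flags it. The same edge-building logic works on Sysmon event ID 10 (ProcessAccess) or EDR telemetry once the parser regex is swapped; the point of deduplicating by (parent, child) is that the four raw events per spawn would otherwise inflate any count-based rule.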
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
16KB
MD5 7b87e9ab218c39a6bb8b8ef62bee8156
SHA1 af81be173727afa7fea6691b69b704e7fb8cbdd3
SHA256 a8ed1bc4ba1ef5c1e6c87ba778dd8ec1534f4e089c4b6d98d511b88ec26b32f2
SHA512 ee3358fb8caddb79c8e83bc69d1a7c96e4bd1a45787c34d37282adefec0b84a610a2a59a0ae1d629989b42d22de476f56d252a6d6c3ad8809a921be9fd91dc40
-
Filesize
16KB
MD5 55f7e6b38ed90a871aadc627326095a9
SHA1 15e63b216e515991bfeaa07e0efde02fd4e24bcc
SHA256 77ee42dd7a0d90ee24b5859762fd4740c246b0b428c155139f0f5bd5f843f5f9
SHA512 d3cde78ce4de023d35ec2360715beacf15a6e2c56c3a4f4b6091207263c5ceb4d1718f5ad56a9bfdec83524b669e80bda475912b25e2804cebe333b47f33ae4b
-
Filesize
17KB
MD5 f3923ec32b45fb63669ba268a5d7f552
SHA1 ad395eee4de7e088913653f857a279f47c1dc974
SHA256 a5d51b9b0dd86636fdb7b53ec0f96cb2f67be49b1d1d457630f805621317f823
SHA512 3c17448a9eda0fbed21e90e79f12148aea0466e16087c4da0cddd3d72552e7cbb467f9de131111930af492404df21b342df29ce4ad0e6da761102b5d8999376e
-
Filesize
16KB
MD5 0511c65c14269fa00663090489c35fc5
SHA1 0c24107d78129e88175fb0aaee167c96029bfa8d
SHA256 27d33337c32793ccbdb284bcb6d4a69590161d232b75935d1371e6fe36860c90
SHA512 b0477ec3b7cad615e92f1bc6ccacd1680c5acaccf3ae535049613adb756f9601844dfcdf0ee19fc14541da695e0e7689f1c1ea4461ff31c0d3a692b02e6359f5
-
Filesize
17KB
MD5 468ec2991f67c0c402f4b82d87d376d1
SHA1 f367433c45cc33792e7bf61d9fdb160b6c8afba1
SHA256 8cdbf2bb4b0d16ecdfd452d8dd04db258d60ea8bcd22d60c3e57d26f689ddf47
SHA512 30ce13e505867622a85491990c9b4b5d95edca98c6f402a551cc9f72241bbb369d7bf4e243d68fbabea5573f3489195c521975616c6c9d72a1129eec7cb96833
-
Filesize
17KB
MD5 9990128fbded20f49461f6d734c10c8d
SHA1 22c7e2687d1f26e40649b0c97c396057dc181b82
SHA256 706de86e903e864a754e77cbf1cdff706af3d5e2eb63565c8a909d1335871339
SHA512 d89d568fd0f145f63347fe4f8e40cd35d852475a43928a62f236b6fb8bc7585b17eab4ba54782ab54aeb21ea4e2f068a6afd2df566ab70c54b8ed7a0ff8697d8