Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-09-2024 05:30

General

  • Target

    530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe

  • Size

    16KB

  • MD5

    449769a18f975df3ad5e6aedb4b4337d

  • SHA1

    1fe55ea9aec10467ac64196d8906a5359e65df20

  • SHA256

    530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5

  • SHA512

    57e8cb8cc7841180bb6c84f7aa1e33f5d8e39b6f5ebd02bba0049f4b7d4e29b7099dc2a0ddb725dcf6d3d2a2a4decb350a1972aeb56e515fbc19c52eaa3f0bff

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L47nPi7:hDXWipuE+K3/SSHgxmHZbo

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe
    "C:\Users\Admin\AppData\Local\Temp\530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\DEM7D99.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7D99.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Users\Admin\AppData\Local\Temp\DEMD3D3.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMD3D3.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Users\Admin\AppData\Local\Temp\DEM2942.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM2942.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Users\Admin\AppData\Local\Temp\DEM7E73.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM7E73.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2248
            • C:\Users\Admin\AppData\Local\Temp\DEMD385.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMD385.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2320
              • C:\Users\Admin\AppData\Local\Temp\DEM2952.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM2952.exe"
                7⤵
                • Executes dropped EXE
                PID:1180
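
The process tree above is a seven-deep chain: each stage drops the next DEM*.exe into the user's Temp directory and runs it, and every stage but the last is flagged for WriteProcessMemory. As an added illustration (not code from the report or from the sample), the Python below encodes that tree as Sysmon Event ID 1 style records and flags any parent-to-child chain of executables launched from a per-user Temp folder. Image paths and PIDs are the report's; the parent PIDs are read off the tree nesting, while the parent of the first process (1000) and the two notepad/conhost records are constructed noise. It also counts names of the form three letters plus four hex digits, which is the shape GetTempFileName() hands out; the report does not say which API the sample used, so treat that as a corroborating heuristic only.

```python
"""Chained drop-and-execute detection over process-creation events.

Added example, not part of the Triage report and not code from the sample.
EVENTS is built from the report's Processes section: image paths and PIDs
are the report's, parent PIDs follow the tree nesting, and the parent of
the first process (1000) plus the two benign records are constructed.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "530f361cf82f92c5806ef4ebcd1fbf3bda92cddde090a4679de02c9f7c4a81a5.exe"

# Sysmon Event ID 1 style records, hand-built from the report (see docstring).
EVENTS = [
    {"pid": 2876, "ppid": 1000, "image": TEMP + "\\" + SAMPLE},
    {"pid": 2240, "ppid": 2876, "image": TEMP + r"\DEM7D99.exe"},
    {"pid": 2484, "ppid": 2240, "image": TEMP + r"\DEMD3D3.exe"},
    {"pid": 2624, "ppid": 2484, "image": TEMP + r"\DEM2942.exe"},
    {"pid": 2248, "ppid": 2624, "image": TEMP + r"\DEM7E73.exe"},
    {"pid": 2320, "ppid": 2248, "image": TEMP + r"\DEMD385.exe"},
    {"pid": 1180, "ppid": 2320, "image": TEMP + r"\DEM2952.exe"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},  # constructed noise
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\conhost.exe"},  # constructed noise
]

# Any .exe whose image lives in a per-user Temp directory.
USER_TEMP_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# <3 chars><4 hex digits>.exe: the shape GetTempFileName() produces (prefix + hex counter).
TEMPNAME_EXE = re.compile(r"^[A-Za-z]{3}[0-9A-Fa-f]{4}\.exe$")


def basename(image):
    # Windows path; os.path.basename would not split on backslashes on Linux.
    return image.rsplit("\\", 1)[-1]


def temp_exe_chains(events, min_depth=3):
    """Return every parent->child->... chain of user-Temp executables that is
    at least min_depth long, as lists of PIDs (longest path per root)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    def is_temp_exe(pid):
        return pid in by_pid and bool(USER_TEMP_EXE.match(by_pid[pid]["image"]))

    def longest(pid):
        best = [pid]
        for child in children[pid]:
            if is_temp_exe(child):
                cand = [pid] + longest(child)
                if len(cand) > len(best):
                    best = cand
        return best

    # A root is a Temp exe whose own parent is not a Temp exe.
    roots = [e["pid"] for e in events
             if is_temp_exe(e["pid"]) and not is_temp_exe(e["ppid"])]
    return [c for c in (longest(r) for r in roots) if len(c) >= min_depth]


def describe(chain, events):
    """Summarise a chain: depth, image names, and how many names look
    GetTempFileName-generated."""
    by_pid = {e["pid"]: e for e in events}
    names = [basename(by_pid[p]["image"]) for p in chain]
    tempnamed = sum(1 for n in names if TEMPNAME_EXE.match(n))
    return {"depth": len(chain), "images": names, "tempname_style": tempnamed}


if __name__ == "__main__":
    for chain in temp_exe_chains(EVENTS):
        print(describe(chain, EVENTS))
```

The depth threshold is what keeps this quiet on installers, which commonly run one helper from Temp but rarely a chain of three or more, each stage itself a freshly written Temp executable. Run the same function over real Sysmon or EDR process events by mapping their ProcessId/ParentProcessId/Image fields onto the pid/ppid/image keys.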

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM2942.exe

    Filesize

    16KB

    MD5

    7b87e9ab218c39a6bb8b8ef62bee8156

    SHA1

    af81be173727afa7fea6691b69b704e7fb8cbdd3

    SHA256

    a8ed1bc4ba1ef5c1e6c87ba778dd8ec1534f4e089c4b6d98d511b88ec26b32f2

    SHA512

    ee3358fb8caddb79c8e83bc69d1a7c96e4bd1a45787c34d37282adefec0b84a610a2a59a0ae1d629989b42d22de476f56d252a6d6c3ad8809a921be9fd91dc40

  • C:\Users\Admin\AppData\Local\Temp\DEMD3D3.exe

    Filesize

    16KB

    MD5

    55f7e6b38ed90a871aadc627326095a9

    SHA1

    15e63b216e515991bfeaa07e0efde02fd4e24bcc

    SHA256

    77ee42dd7a0d90ee24b5859762fd4740c246b0b428c155139f0f5bd5f843f5f9

    SHA512

    d3cde78ce4de023d35ec2360715beacf15a6e2c56c3a4f4b6091207263c5ceb4d1718f5ad56a9bfdec83524b669e80bda475912b25e2804cebe333b47f33ae4b

  • \Users\Admin\AppData\Local\Temp\DEM2952.exe

    Filesize

    17KB

    MD5

    f3923ec32b45fb63669ba268a5d7f552

    SHA1

    ad395eee4de7e088913653f857a279f47c1dc974

    SHA256

    a5d51b9b0dd86636fdb7b53ec0f96cb2f67be49b1d1d457630f805621317f823

    SHA512

    3c17448a9eda0fbed21e90e79f12148aea0466e16087c4da0cddd3d72552e7cbb467f9de131111930af492404df21b342df29ce4ad0e6da761102b5d8999376e

  • \Users\Admin\AppData\Local\Temp\DEM7D99.exe

    Filesize

    16KB

    MD5

    0511c65c14269fa00663090489c35fc5

    SHA1

    0c24107d78129e88175fb0aaee167c96029bfa8d

    SHA256

    27d33337c32793ccbdb284bcb6d4a69590161d232b75935d1371e6fe36860c90

    SHA512

    b0477ec3b7cad615e92f1bc6ccacd1680c5acaccf3ae535049613adb756f9601844dfcdf0ee19fc14541da695e0e7689f1c1ea4461ff31c0d3a692b02e6359f5

  • \Users\Admin\AppData\Local\Temp\DEM7E73.exe

    Filesize

    17KB

    MD5

    468ec2991f67c0c402f4b82d87d376d1

    SHA1

    f367433c45cc33792e7bf61d9fdb160b6c8afba1

    SHA256

    8cdbf2bb4b0d16ecdfd452d8dd04db258d60ea8bcd22d60c3e57d26f689ddf47

    SHA512

    30ce13e505867622a85491990c9b4b5d95edca98c6f402a551cc9f72241bbb369d7bf4e243d68fbabea5573f3489195c521975616c6c9d72a1129eec7cb96833

  • \Users\Admin\AppData\Local\Temp\DEMD385.exe

    Filesize

    17KB

    MD5

    9990128fbded20f49461f6d734c10c8d

    SHA1

    22c7e2687d1f26e40649b0c97c396057dc181b82

    SHA256

    706de86e903e864a754e77cbf1cdff706af3d5e2eb63565c8a909d1335871339

    SHA512

    d89d568fd0f145f63347fe4f8e40cd35d852475a43928a62f236b6fb8bc7585b17eab4ba54782ab54aeb21ea4e2f068a6afd2df566ab70c54b8ed7a0ff8697d8
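
Each stage in the listing above carries a distinct MD5/SHA1/SHA256 at almost the same size (16 or 17 KB), so a hash blocklist built from this one run will not match the next stage of a different run, let alone the next sample; the Temp-path and process-chain behaviour is the more durable indicator. When the exact hashes are still wanted (retro-hunting for this specific run), the added Python below (not part of the report) parses the listing into IOC records, checks that each digest has the length its algorithm implies, and compares a candidate file's bytes against a record. The excerpt is copied from the DEM2942.exe and DEM2952.exe entries; the report shows some paths drive-less, and prefixing those with "C:" is my assumption.

```python
"""Turn the report's Downloads listing into checkable IOC records.

Added example, not part of the Triage report. REPORT_EXCERPT is copied
from two entries of the listing above; the "C:" prefix added to drive-less
paths is an assumption, not something the report states.
"""
import hashlib
import re

REPORT_EXCERPT = r"""
  • C:\Users\Admin\AppData\Local\Temp\DEM2942.exe

    Filesize

    16KB

    MD5

    7b87e9ab218c39a6bb8b8ef62bee8156

    SHA1

    af81be173727afa7fea6691b69b704e7fb8cbdd3

    SHA256

    a8ed1bc4ba1ef5c1e6c87ba778dd8ec1534f4e089c4b6d98d511b88ec26b32f2

    SHA512

    ee3358fb8caddb79c8e83bc69d1a7c96e4bd1a45787c34d37282adefec0b84a610a2a59a0ae1d629989b42d22de476f56d252a6d6c3ad8809a921be9fd91dc40

  • \Users\Admin\AppData\Local\Temp\DEM2952.exe

    Filesize

    17KB

    MD5

    f3923ec32b45fb63669ba268a5d7f552

    SHA1

    ad395eee4de7e088913653f857a279f47c1dc974

    SHA256

    a5d51b9b0dd86636fdb7b53ec0f96cb2f67be49b1d1d457630f805621317f823

    SHA512

    3c17448a9eda0fbed21e90e79f12148aea0466e16087c4da0cddd3d72552e7cbb467f9de131111930af492404df21b342df29ce4ad0e6da761102b5d8999376e
"""

# Report label -> record key; the value is always the next non-empty line.
FIELDS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def normalize_path(p):
    # The report mixes "C:\Users\..." and drive-less "\Users\..." forms for
    # the same directory; assume the system drive (assumption, see docstring).
    return p if re.match(r"^[A-Za-z]:", p) else "C:" + p


def parse_downloads(text):
    """Parse '• path' bullets followed by label/value pairs into dicts."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": normalize_path(line[1:].strip())}
            records.append(current)
            pending = None
        elif line in FIELDS and current is not None:
            pending = FIELDS[line]
        elif pending is not None and current is not None:
            current[pending] = line.lower() if pending != "size" else line
            pending = None
    return records


def validate_record(rec):
    """Return a list of problems: wrong-length or non-hex digests, odd size."""
    problems = []
    for key, n in HEX_LEN.items():
        if key in rec and not re.fullmatch(r"[0-9a-f]{%d}" % n, rec[key]):
            problems.append("%s: expected %d hex chars" % (key, n))
    if "size" in rec and not re.fullmatch(r"\d+KB", rec["size"]):
        problems.append("size: unexpected format %r" % rec["size"])
    return problems


def digests(data):
    return {k: getattr(hashlib, k)(data).hexdigest() for k in HEX_LEN}


def match_record(rec, data):
    """True only if every digest present in the record matches the bytes."""
    d = digests(data)
    return all(rec[k] == d[k] for k in HEX_LEN if k in rec)


if __name__ == "__main__":
    for rec in parse_downloads(REPORT_EXCERPT):
        print(rec["path"], rec["size"], rec["sha256"], validate_record(rec) or "ok")
```

Feed the full Downloads section to parse_downloads() to get all six stages, then hash suspect files with digests() and compare with match_record(); a record that fails validate_record() usually means a copy-and-paste truncated one of the hashes.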