Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/09/2024, 12:58

General

  • Target

    0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe

  • Size

    14KB

  • MD5

    9b81c08743680fb1110c010220bcc622

  • SHA1

    8299cd0ea14352c190fc45bbb217fb37221bc671

  • SHA256

    0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b

  • SHA512

    174128cf347d10b37af7943f89d631ed2d5262c1913262f8338a4a868a12e3c1f3bc7e7828cc1ff385e26eb01cfad7e07cb2645f718e933647f8f855ff593b94

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvFBx:hDXWipuE+K3/SSHgxlFBx

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
    "C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Users\Admin\AppData\Local\Temp\DEM626E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM626E.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Local\Temp\DEMBA04.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMBA04.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Users\Admin\AppData\Local\Temp\DEM110D.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM110D.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4920
          • C:\Users\Admin\AppData\Local\Temp\DEM67C8.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM67C8.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Users\Admin\AppData\Local\Temp\DEMBED2.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMBED2.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4088
              • C:\Users\Admin\AppData\Local\Temp\DEM15EB.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM15EB.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4900
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
    1⤵
      PID:4048

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DEM110D.exe

      Filesize

      14KB

      MD5

      31b32c069a378e2ed7ed9b49a9e0f822

      SHA1

      b4e78d9886914902734c42e6d71e37bd393d96f7

      SHA256

      0f43c99739f1fe980e23318376d0c66030b6d7927afc0e574310e7842da62ce1

      SHA512

      def6f3dc69137acb79c086a711eb52e2ab720cc00fd02f7fb1fa69609110812933b182471f6924de772f2221a8c29252410783fd7793c450add970870bf1abb3

    • C:\Users\Admin\AppData\Local\Temp\DEM15EB.exe

      Filesize

      14KB

      MD5

      3c79039ef29ec7502b54b5bec869f94d

      SHA1

      19854a6034e9a92bd94041726c9e46c3905bf356

      SHA256

      7a11521e097c14deb2edff527253deb221ad3df504caf214c157f42e9be0cf3f

      SHA512

      a8053d6b8985b7da8dab381b923323accc75e0fda28faacb10e12db964022da46abc34c56c4ca4a729637ee211ea3b862750f89a9236a48f350f9af2030cd32d

    • C:\Users\Admin\AppData\Local\Temp\DEM626E.exe

      Filesize

      14KB

      MD5

      84f8674a61cb620ced891fd2a353efa7

      SHA1

      b7bb7b38167e00ac3a8db3f1bf4d37b2187294eb

      SHA256

      6bac3d0d05ff44463efd46f8e5a36f1d4e7eb0d9cb2ed6537c3195733ec7dde6

      SHA512

      98c8447633697d7aa407d6e2e3759a800b6f733b15f58213aa065ad90d320b8c5c359b0b9d84de25d90c0a2557693e163a3fc0d2cc84b91ac0d0c3bf8a02682c

    • C:\Users\Admin\AppData\Local\Temp\DEM67C8.exe

      Filesize

      14KB

      MD5

      bc39ef64db91503d5570c5bf67cfabd1

      SHA1

      0c6119d1c00a854862026bdf0e0f863dda79f297

      SHA256

      67fd334df1df52d1d91a489551a3056f374d75b2a79e9b2d32eb14dec3b082c7

      SHA512

      5f341e5745e98bad73d7857d69d1c4dcaa139ff23313e0dbf4a68b46eea53ff8ad85dcab2c44f5f1ece07305d2ce87c7be7c48d0c4596d977a3b32f35a5b4278

    • C:\Users\Admin\AppData\Local\Temp\DEMBA04.exe

      Filesize

      14KB

      MD5

      ed51ab023610104a637f0986af7a3b62

      SHA1

      d7427d6dce025e2016827aabf65e4ed18119d810

      SHA256

      a841a7e76b70145cd9558677740e1c3a686cce0f33c0462392b9dfcd0c580d32

      SHA512

      20252c9f744407846e5b2790a51b15a022761fcc3bbcbf195a67d519b1cbdde31185ebaa405d216a51d2cce388edcf0092ca713736aa926553c0d54f595459ac

    • C:\Users\Admin\AppData\Local\Temp\DEMBED2.exe

      Filesize

      14KB

      MD5

      f13ce8d1d88bb6bb57349b7aeac60fc7

      SHA1

      f61e9eed11dda85507a46d0b2c51acab1791b661

      SHA256

      061ec4f65b4414e25a9958a92c709c4aa89a1a13d2756c780f5b4285d3e9d181

      SHA512

      f30096fa5afa728f342708573ee38563764183d6b80cc9541f6455ad326e871be9261e049672958cb5c3704e45aa05a09d913a8db87b067a76eb739e5457a62a
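The process tree and the Downloads list above describe one behaviour worth hunting for on endpoints: a 14KB executable in the user's %TEMP% directory writes another 14KB executable to the same directory, runs it, and that child repeats the step, six times in this run, with every stage named DEM plus four hex digits. The Python script below is an added example and is not part of this report or of the sandbox's tooling. It runs that detection logic over constructed process-creation records modelled on the tree above (the record layout, the explorer.exe and cmd.exe entries and their PIDs are assumptions) and matches each record's hash against the SHA256 values listed in this report. The chain detector keys on "executable in %TEMP% spawning executable in %TEMP%" rather than on the DEM naming, so it still fires when the names change; the naming check is reported separately as a tie to this sample.

```python
import re
from dataclasses import dataclass

# SHA256 values copied from this report (General + Downloads sections);
# the hash -> file name mapping is the only real data in this block.
KNOWN_SHA256 = {
    "0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b": "0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe",
    "6bac3d0d05ff44463efd46f8e5a36f1d4e7eb0d9cb2ed6537c3195733ec7dde6": "DEM626E.exe",
    "a841a7e76b70145cd9558677740e1c3a686cce0f33c0462392b9dfcd0c580d32": "DEMBA04.exe",
    "0f43c99739f1fe980e23318376d0c66030b6d7927afc0e574310e7842da62ce1": "DEM110D.exe",
    "67fd334df1df52d1d91a489551a3056f374d75b2a79e9b2d32eb14dec3b082c7": "DEM67C8.exe",
    "061ec4f65b4414e25a9958a92c709c4aa89a1a13d2756c780f5b4285d3e9d181": "DEMBED2.exe",
    "7a11521e097c14deb2edff527253deb221ad3df504caf214c157f42e9be0cf3f": "DEM15EB.exe",
}

# An executable sitting directly in the user's %TEMP% directory.
TEMP_EXE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
# Naming scheme of this sample's dropped stages (DEM + 4 hex digits).
DEM_NAME_RE = re.compile(r"^DEM[0-9A-F]{4}\.exe$", re.I)

# Constructed process-creation records modelled on the process tree in this
# report; the key=value layout, the explorer/cmd rows and their PIDs are assumptions.
SAMPLE_EVENTS = r"""
pid=2100;ppid=900;image=C:\Windows\explorer.exe;sha256=
pid=3708;ppid=2100;image=C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe;sha256=0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b
pid=4532;ppid=3708;image=C:\Users\Admin\AppData\Local\Temp\DEM626E.exe;sha256=6bac3d0d05ff44463efd46f8e5a36f1d4e7eb0d9cb2ed6537c3195733ec7dde6
pid=4852;ppid=4532;image=C:\Users\Admin\AppData\Local\Temp\DEMBA04.exe;sha256=a841a7e76b70145cd9558677740e1c3a686cce0f33c0462392b9dfcd0c580d32
pid=4920;ppid=4852;image=C:\Users\Admin\AppData\Local\Temp\DEM110D.exe;sha256=0f43c99739f1fe980e23318376d0c66030b6d7927afc0e574310e7842da62ce1
pid=2740;ppid=4920;image=C:\Users\Admin\AppData\Local\Temp\DEM67C8.exe;sha256=67fd334df1df52d1d91a489551a3056f374d75b2a79e9b2d32eb14dec3b082c7
pid=4088;ppid=2740;image=C:\Users\Admin\AppData\Local\Temp\DEMBED2.exe;sha256=061ec4f65b4414e25a9958a92c709c4aa89a1a13d2756c780f5b4285d3e9d181
pid=4900;ppid=4088;image=C:\Users\Admin\AppData\Local\Temp\DEM15EB.exe;sha256=7a11521e097c14deb2edff527253deb221ad3df504caf214c157f42e9be0cf3f
pid=4048;ppid=2100;image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;sha256=
pid=5100;ppid=2100;image=C:\Windows\System32\cmd.exe;sha256=
"""


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    sha256: str


def parse_events(text):
    """Parse the constructed key=value;... records into ProcEvent objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(part.split("=", 1) for part in line.split(";"))
        events.append(ProcEvent(int(kv["pid"]), int(kv["ppid"]),
                                kv["image"], kv.get("sha256", "").lower()))
    return events


def _is_temp_exe(e):
    return TEMP_EXE_RE.match(e.image) is not None


def find_dropper_chains(events, min_len=3):
    """Return every maximal parent->child chain of %TEMP% executables with at
    least min_len stages, each as a list of image file names, root first."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    # A chain starts at a %TEMP% exe whose parent is not itself a %TEMP% exe.
    starts = [e for e in events if _is_temp_exe(e)
              and not (e.ppid in by_pid and _is_temp_exe(by_pid[e.ppid]))]
    chains = []

    def walk(node, path):
        nxt = [c for c in children.get(node.pid, []) if _is_temp_exe(c)]
        if not nxt:
            if len(path) >= min_len:
                chains.append([p.image.rsplit("\\", 1)[-1] for p in path])
            return
        for c in nxt:
            walk(c, path + [c])

    for s in starts:
        walk(s, [s])
    return chains


def uses_sample_naming(chain):
    """True when every stage after the root follows this sample's DEMxxxx.exe scheme."""
    return len(chain) > 1 and all(DEM_NAME_RE.match(n) for n in chain[1:])


def match_known_hashes(events):
    """Map PID -> report file name for every process whose hash is in the IoC set."""
    return {e.pid: KNOWN_SHA256[e.sha256] for e in events if e.sha256 in KNOWN_SHA256}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for chain in find_dropper_chains(evs):
        print("dropper chain (%d stages, sample naming=%s): %s"
              % (len(chain), uses_sample_naming(chain), " -> ".join(chain)))
    for pid, name in sorted(match_known_hashes(evs).items()):
        print("pid %d matches known IoC %s" % (pid, name))
```

Against the constructed records the detector reports one seven-stage chain rooted at the submitted sample and seven hash hits; the Edge, explorer.exe and cmd.exe rows are ignored because none of them runs from %TEMP%. To use it on real telemetry, replace parse_events with a reader for the process-creation source at hand (for example Sysmon Event ID 1, which carries Image, ParentProcessId and Hashes) and keep min_len at 3 or more so a single installer unpacking one helper does not trigger it.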