Analysis

  • max time kernel
    111s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2024, 04:05

General

  • Target

    e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe

  • Size

    15KB

  • MD5

    81ed87a69f1718b501128ca25a56d6d3

  • SHA1

    a3ba5dd346b3c296ba7d47e359c6c5db7809d6dc

  • SHA256

    e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df

  • SHA512

    787f953f6435cb69355e7ad3b1545d7b29773c67cfaaa7e0ac76305eadce87df37e0e525e15f9704f71ac98dab1612184e0f6ed85f6e30549c5d728f2e61a030

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhm:hDXWipuE+K3/SSHgxzm

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe
    "C:\Users\Admin\AppData\Local\Temp\e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Users\Admin\AppData\Local\Temp\DEMD0DD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD0DD.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Users\Admin\AppData\Local\Temp\DEM28A1.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM28A1.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3864
        • C:\Users\Admin\AppData\Local\Temp\DEM8008.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM8008.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Users\Admin\AppData\Local\Temp\DEMD721.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMD721.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Users\Admin\AppData\Local\Temp\DEM2DFC.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM2DFC.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:548
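
The tree above is a six-deep drop-and-execute chain: every process runs from the user's Temp directory, writes the next DEM*.exe there and launches it, and every parent in the chain also triggers the WriteProcessMemory signature. The following is an added example of detection logic for that pattern, written here and not part of the sandbox report or its vendor's tooling. The events are constructed from the PIDs and image paths printed in the tree; the parent PIDs follow the tree nesting (the report does not print them directly), and the notepad.exe line is benign noise added to show it is ignored.

```python
"""Flag Temp-to-Temp spawn chains like the one in the process tree above.

Added example, not part of the sandbox report. Events are constructed from
the report's PIDs and paths; parent PIDs are inferred from the tree nesting.
"""
import re
from dataclasses import dataclass

# <drive>:\Users\<user>\AppData\Local\Temp\ for any user, case-insensitive
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


SAMPLE_EVENTS = [  # constructed from the report's process tree
    ProcEvent(3788, 0, r"C:\Users\Admin\AppData\Local\Temp\e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe"),
    ProcEvent(5020, 3788, r"C:\Users\Admin\AppData\Local\Temp\DEMD0DD.exe"),
    ProcEvent(3864, 5020, r"C:\Users\Admin\AppData\Local\Temp\DEM28A1.exe"),
    ProcEvent(1592, 3864, r"C:\Users\Admin\AppData\Local\Temp\DEM8008.exe"),
    ProcEvent(2868, 1592, r"C:\Users\Admin\AppData\Local\Temp\DEMD721.exe"),
    ProcEvent(548, 2868, r"C:\Users\Admin\AppData\Local\Temp\DEM2DFC.exe"),
    ProcEvent(4100, 1234, r"C:\Windows\System32\notepad.exe"),  # constructed benign noise
]


def runs_from_temp(image: str) -> bool:
    """True when the image path sits under a user's Temp directory."""
    return TEMP_DIR.match(image) is not None


def temp_spawn_chains(events, min_len: int = 2):
    """Return every maximal chain of Temp-resident executables, each spawning
    the next, as a list of PIDs in spawn order. Chains shorter than min_len
    are dropped so a lone Temp-resident installer does not alert."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def is_root(e):
        # a Temp image whose parent is unknown or not itself in Temp
        parent = by_pid.get(e.ppid)
        return runs_from_temp(e.image) and (parent is None or not runs_from_temp(parent.image))

    chains = []

    def walk(e, path):
        path = path + [e.pid]
        kids = [c for c in children.get(e.pid, []) if runs_from_temp(c.image)]
        if not kids:
            if len(path) >= min_len:
                chains.append(path)
            return
        for k in kids:
            walk(k, path)

    for e in events:
        if is_root(e):
            walk(e, [])
    return chains


if __name__ == "__main__":
    for chain in temp_spawn_chains(SAMPLE_EVENTS):
        print("Temp-to-Temp spawn chain, depth", len(chain), ":", " -> ".join(map(str, chain)))
```

Fed Sysmon or EDR process-creation events with the same three fields, the same walk flags the chain at depth two, long before the fifth drop; the DEM*.exe names and the 15KB sizes are incidental and should not be part of the rule.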

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM28A1.exe

    Filesize

    15KB

    MD5

    0493652ea7c6d656581f34f4d30872f7

    SHA1

    7c612833ef7083b167327f59739552fb157c173c

    SHA256

    c22cce8545c9775ca314f21f570953d89e294d9343ae0ca205cc8ef276607a4a

    SHA512

    ff087c96dcc5c4ab32f11b4c5a289fbbe2968f2871a1d6d62e2a85e25d2d940ee6a456de1277b74edb37328cc5f745fffe2f9fc9fa94e2c8ab4555929aad5024

  • C:\Users\Admin\AppData\Local\Temp\DEM2DFC.exe

    Filesize

    15KB

    MD5

    c9b06651ab1adf878a0db0daef8ba6a4

    SHA1

    687a9caf0b1d85b2276df592f20c8940e0e86e15

    SHA256

    3e92f54bbcb0b18df05564a5965280d95171888ee5cab01d6d8b85297738ef23

    SHA512

    bacb78107955d896b5b12c3833b7dfaa40896e9eab01eafec243d0eba599cfb988aaaa39e31c048b6153e966b17ab65e78f827ab7f7f2bb2b8d2023fba394a84

  • C:\Users\Admin\AppData\Local\Temp\DEM8008.exe

    Filesize

    15KB

    MD5

    c1658e58f8c6bc39fb542d8e0ca06e6c

    SHA1

    b813bd09721bfe6a1398ed518a08700938125a34

    SHA256

    c0fc6ddf837d8010d0fa8d4fe8fd06537d97ccb754064b2b821c8c39c9cbc8a6

    SHA512

    f1110a973573462e3d2627bd050e92e4f92c106c8a2ee95344981424a476acf959ce769f17d65bae4beb10f4e63826cecd35505d0ad9371fe30cbb603d710783

  • C:\Users\Admin\AppData\Local\Temp\DEMD0DD.exe

    Filesize

    15KB

    MD5

    554ea13cafce255659d3e169e4ec9f9c

    SHA1

    8cc271d045aa4becf642923673942039a62265c0

    SHA256

    ad0b607252821ced949c26155e4ce6ca69c4d1a41c3e6d98134c5bec49185054

    SHA512

    8fccf62d5eb2578bc331d8a6d055273c5c45ad091fdf7b81995e7327067c7c1be6a24838c8458daa0448468f84b111f2f439287a1c7c9e62327cd9dcd5fe8841

  • C:\Users\Admin\AppData\Local\Temp\DEMD721.exe

    Filesize

    15KB

    MD5

    5be078dbf6f5e74ce3fc2f8b253c200c

    SHA1

    01467af707fbeb84802b5b32fa4b48639486f589

    SHA256

    caebb5fd5a34747058f19617f343f75bc11623e6abe75eb38ce8f03680cd8628

    SHA512

    749ca5fa2ae281b5113ddc34756ad53c5538e433fbe8eca37a92400dcfcb52a678ca42e44ce8b0a459010aa6fcc5a92a46896209875ccc4aa748038077e17188
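
To hunt for these drops on a host, the hashes above are what matters. Below is an added example of a hash-based IOC scanner, written here and not part of the sandbox report or its vendor's tooling. The SHA-256 and MD5 values are copied from this page (the submitted sample plus the five DEM*.exe drops); the scanner, the match logic, the self-check with a constructed planted file, and the default scan root are assumptions of the example.

```python
"""Hash-hunt for the files listed in this report.

Added example, not part of the sandbox report. IOC values are copied from the
page; everything else here is illustrative.
"""
import hashlib
import os
import tempfile
from pathlib import Path

IOC_SHA256 = {
    "e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df": "submitted sample",
    "ad0b607252821ced949c26155e4ce6ca69c4d1a41c3e6d98134c5bec49185054": "DEMD0DD.exe",
    "c22cce8545c9775ca314f21f570953d89e294d9343ae0ca205cc8ef276607a4a": "DEM28A1.exe",
    "c0fc6ddf837d8010d0fa8d4fe8fd06537d97ccb754064b2b821c8c39c9cbc8a6": "DEM8008.exe",
    "caebb5fd5a34747058f19617f343f75bc11623e6abe75eb38ce8f03680cd8628": "DEMD721.exe",
    "3e92f54bbcb0b18df05564a5965280d95171888ee5cab01d6d8b85297738ef23": "DEM2DFC.exe",
}
# MD5 kept only for matching against feeds that still publish it; it is
# collision-prone, so a SHA-256 hit is the one to act on.
IOC_MD5 = {
    "81ed87a69f1718b501128ca25a56d6d3": "submitted sample",
    "554ea13cafce255659d3e169e4ec9f9c": "DEMD0DD.exe",
    "0493652ea7c6d656581f34f4d30872f7": "DEM28A1.exe",
    "c1658e58f8c6bc39fb542d8e0ca06e6c": "DEM8008.exe",
    "5be078dbf6f5e74ce3fc2f8b253c200c": "DEMD721.exe",
    "c9b06651ab1adf878a0db0daef8ba6a4": "DEM2DFC.exe",
}


def hash_bytes(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: Path, chunk: int = 1 << 16) -> dict:
    """One pass over the file, all three digests at once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(hashes: dict, sha256_table=IOC_SHA256, md5_table=IOC_MD5):
    """Return (algorithm, label) pairs for each table the digests hit.
    Digests are lower-cased so feeds that print upper-case hex still match."""
    hits = []
    h256 = hashes["sha256"].lower()
    hmd5 = hashes["md5"].lower()
    if h256 in sha256_table:
        hits.append(("sha256", sha256_table[h256]))
    if hmd5 in md5_table:
        hits.append(("md5", md5_table[hmd5]))
    return hits


def scan_tree(root: Path, sha256_table=IOC_SHA256, md5_table=IOC_MD5):
    """Walk root and return [(path, hits)] for every file matching an IOC."""
    found = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = match_iocs(hash_file(p), sha256_table, md5_table)
            if hits:
                found.append((p, hits))
    return found


def self_check() -> bool:
    """Plant a constructed file, add its digest to a copy of the table, and
    confirm the scanner reports exactly that file and nothing else."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        planted = root / "DEMTEST.exe"
        planted.write_bytes(b"constructed stand-in, not a real sample")
        (root / "clean.txt").write_bytes(b"nothing to see")
        digest = hash_file(planted)["sha256"]
        table = dict(IOC_SHA256, **{digest: "planted"})
        found = scan_tree(root, sha256_table=table)
        return found == [(planted, [("sha256", "planted")])]


if __name__ == "__main__":
    import sys
    # default to the user's Temp directory, where the report shows the drops landing
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(os.environ.get("TEMP", "."))
    for path, hits in scan_tree(target):
        print(path, hits)
```

Exact-hash matching only catches these six files; a rebuilt dropper with a different hex name or a single byte changed will not hit, which is why the SSDEEP value in General exists, and why the Temp-to-Temp process chain is the more durable signal.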