Analysis

  • max time kernel
    111s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 07:40

General

  • Target

    2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe

  • Size

    20KB

  • MD5

    9461f59c4561c0cd37ced502812fd9d9

  • SHA1

    164b7f0fce654168f4c392af40da56e70d8047fe

  • SHA256

    2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960

  • SHA512

    b59fae7b4add4651e627db175f1e25ac08216d01ec9979184899be3d23262a3352dcfe5bdf2ecd0a51bfaae7f17dd8b7536f99465ac55b290fc9fc94229a8d25

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PRS1:hDXWipuE+K3/SSHgxmHZPRc

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe
    "C:\Users\Admin\AppData\Local\Temp\2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Users\Admin\AppData\Local\Temp\DEMCEBA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCEBA.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Users\Admin\AppData\Local\Temp\DEM2630.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM2630.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Users\Admin\AppData\Local\Temp\DEM7CCC.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM7CCC.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3796
          • C:\Users\Admin\AppData\Local\Temp\DEMD30A.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMD30A.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3292
            • C:\Users\Admin\AppData\Local\Temp\DEM29C5.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM29C5.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM2630.exe

    Filesize

    20KB

    MD5

    73942536a8b5390c25eb2c075c0fc05c

    SHA1

    35c287dc8a60179c41cfac018963de3f1b3d7799

    SHA256

    d92b7ec0e569d544d76de1dd0c0023bb382ed968611ca4bd3b2ca9c689a18977

    SHA512

    c400acfa9fd99d412a8312eeb903f27f8884a488b30b7bcb28d04d77eab7b0ec58d5fee3490beef4859a2d377871959991e22211d5145235b0cff2e33420c69b

  • C:\Users\Admin\AppData\Local\Temp\DEM29C5.exe

    Filesize

    20KB

    MD5

    db99f472964f7b4b019607f183e69ea9

    SHA1

    d9da6eeb7bba8033a101020348a4529cdae20ca9

    SHA256

    a1750cfffb015fa561f01a0a0288dfea40e354698b7411b23f4f827fec6a3122

    SHA512

    96b9f964f4b3dbbb91b92739337c1626202e2737e3ff00c5555ca5e43a34f57ae5a1886b22aae244caea932a1ab5be64e033058fa19e67606f678faa6fdfa9fa

  • C:\Users\Admin\AppData\Local\Temp\DEM7CCC.exe

    Filesize

    20KB

    MD5

    a7e987bff684a4d47988d0822db7063b

    SHA1

    2be432118a62eda47d97b183dd5095bcb06996db

    SHA256

    66d1cf424f6541448bdcf69a4c2a04ae3ef6b8b5cd91346a9f3e8dee18a26904

    SHA512

    6d662f04ae0a8cd54e4f28f42a919951394202d9cb553a45dc9c83bf4de9e9c41184c734a4651964c22d622987be3afb3af650a5be91ea50e1d054d913c6f7a3

  • C:\Users\Admin\AppData\Local\Temp\DEMCEBA.exe

    Filesize

    20KB

    MD5

    7395e523f49dd75a5d8d2e10e0bf65dc

    SHA1

    c121cfb1f76fba56ceb2d56e7bd43efdaa127e93

    SHA256

    8fc737e7e2cf5766cbc525cec33fb0b98de45f33c7393107583adfd23c7a63d0

    SHA512

    97365f79286cd3cf3598eb63ccbbe692f28eb68a836d5a50a66b8ce7c36758c13dd5a9cdbb49099927affd33ed224c0b648bc195480cc29393655acc81866b0c

  • C:\Users\Admin\AppData\Local\Temp\DEMD30A.exe

    Filesize

    20KB

    MD5

    1844debc70a90ce9f4c3fe8e2c7377d4

    SHA1

    df68e0cbd14824d4cc497377dfbaa60519941963

    SHA256

    22aceeb956cb79106b91184987e11cee096995d983f99859574d6a632c396f22

    SHA512

    dad8c28390891f820b4ecd4714d589a7d27cece082b47c59492bca87a450b3eb0ded703ffd3952962412c12e902a43018c5423982fe585951bf3b1ca0fc72e3d