Analysis

  • max time kernel
    110s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 09:16

General

  • Target
    85f26a34f7e5465bfea31c842541a04fc29556ec5a577379869f0ec4016be28f.exe
  • Size
    15KB
  • MD5
    2f044fceb74d77bc75f17fbc24ba0a69
  • SHA1
    3bcad61bf3770c831a502cec4bfa90fdb9e2b693
  • SHA256
    85f26a34f7e5465bfea31c842541a04fc29556ec5a577379869f0ec4016be28f
  • SHA512
    260fd5c7fae6e417f4ba6e09892f04602a8ebefee53a6a876848763581e1359f87bd3f8ed0075e5c74f5e26f7eec43a1c2bea79027b394af9a16ed1172b87d49
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh60mCT:hDXWipuE+K3/SSHgxmyh6xCT

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85f26a34f7e5465bfea31c842541a04fc29556ec5a577379869f0ec4016be28f.exe
    "C:\Users\Admin\AppData\Local\Temp\85f26a34f7e5465bfea31c842541a04fc29556ec5a577379869f0ec4016be28f.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\DEM789B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM789B.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Users\Admin\AppData\Local\Temp\DEMCF56.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMCF56.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Users\Admin\AppData\Local\Temp\DEM25C3.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM25C3.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3616
          • C:\Users\Admin\AppData\Local\Temp\DEM7BF1.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM7BF1.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3316
            • C:\Users\Admin\AppData\Local\Temp\DEMD220.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMD220.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM25C3.exe
    Filesize: 15KB
    MD5: 4c76cc12e9b5cef60ecd6da3eb30c145
    SHA1: 76ce1263257a33adfda07b7e79b1a29022f748ea
    SHA256: 5fb7316a03c34663d519e08a401ba183df829bc46d30d38928ecaf8bb98226dd
    SHA512: eef3ca5cc968ef43ee97cc92b62d44d37cbbae03e70de48dfdb3a568b4fb68f7309765c4d081f0ac4facf725e5933d9bacba677d26fd880a6f4d152baafa714d

  • C:\Users\Admin\AppData\Local\Temp\DEM789B.exe
    Filesize: 15KB
    MD5: 0f00c6c8106951a1da7ec923d347ee9a
    SHA1: a5fa6651a68ac00fdeced0e9f4ff750da5de1cac
    SHA256: 7c6ef92e051b283106c4acc3c8872ac436ae562aad44f6d730076bed8f0b99cc
    SHA512: 67ccc626fa5ec7ee08a19e55c988ab0862a9b69bf0a425e7b597ea96715f9fe47b9f0fd7fbdee3d927b4dd8cc0dc9f8e11735b6472807fb850a3fb9cc0bdde77

  • C:\Users\Admin\AppData\Local\Temp\DEM7BF1.exe
    Filesize: 15KB
    MD5: 3063d604ad13f74b4f22a965266bc50b
    SHA1: 932ad0efbe8e954b65a9fba2566e5d5a065812d1
    SHA256: a53f028524ccef8c849b9262ee434a9df5c234dbccef0527fbb9a8eae4898f43
    SHA512: 4ccdeb160a95789cbbdd3b60b5e04d3fc10e9dbcc6bf239cbefba6cdabf74d54333562fee3cb094e894b56d0531bbe2ebb45618da55e8556738e22192090a154

  • C:\Users\Admin\AppData\Local\Temp\DEMCF56.exe
    Filesize: 15KB
    MD5: c2b9668b5c3adaae22043e5fdc42748d
    SHA1: 49e66a14093e437e77a32fae8cb73a792c3fa882
    SHA256: 2660405f44c89e592cc63061c3c93aff1775c1a4957506071d6980d9d03d094f
    SHA512: 88901e3b0168a2f190f8f7511f1c0f9c29cb0a6311e1ce000d73dfe3399db4646f9f8444f13390368bdbf307c3f6fd6995563c0fee0164818b51a8f97f2f398d

  • C:\Users\Admin\AppData\Local\Temp\DEMD220.exe
    Filesize: 15KB
    MD5: ffe392eaab17d94a7ccce457cc55c83d
    SHA1: 1c094ac29abb1efb25735f02fcc202092d49d066
    SHA256: 65200a327402536df4ffb51a956ceb4b5cfc0a5cfd3481e4027a49dfc6054f79
    SHA512: 3281f2ed1ffc99cbd2b037d0e4a21b12f67d6cad14948549da0065691db3d475fc9e30e7d561b53e97abc32babcb857d57b9aa915becdf2c3499bcca95258349