Analysis

  • max time kernel
    111s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2024, 08:59

General

  • Target

    78968a49536e19527370a8bb6e2aecd31b20f4f31734b9e163f93077b61a695a.exe

  • Size

    16KB

  • MD5

    c42a72e0db74abe1ae634448070f2981

  • SHA1

    bd556100517aacfb22c40fedc76c58238b5bba84

  • SHA256

    78968a49536e19527370a8bb6e2aecd31b20f4f31734b9e163f93077b61a695a

  • SHA512

    7891252324a1ffeb5f9316e2de89f0b1f151ce610fb4837ee441965c4277da1e94d412c0a7e18c680c5d933480dff1baacd9ff79b409e55d170a2f61ec849d0e

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5JT9:hDXWipuE+K3/SSHgxl5p9

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78968a49536e19527370a8bb6e2aecd31b20f4f31734b9e163f93077b61a695a.exe
    "C:\Users\Admin\AppData\Local\Temp\78968a49536e19527370a8bb6e2aecd31b20f4f31734b9e163f93077b61a695a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\DEMB20A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB20A.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Users\Admin\AppData\Local\Temp\DEM8E4.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM8E4.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Users\Admin\AppData\Local\Temp\DEM5F71.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM5F71.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Users\Admin\AppData\Local\Temp\DEMB5BE.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB5BE.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1012
            • C:\Users\Admin\AppData\Local\Temp\DEMC1C.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMC1C.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2212

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM5F71.exe

    Filesize

    16KB

    MD5

    e7be427f136a8a7a45432ff605c70945

    SHA1

    d6748f09249cd0b17928e60381e3a7ecc1939af3

    SHA256

    998c2d2e07c132a7aa6be4ea5c2189f2f438434fde9761d9c2efa3ec4545c346

    SHA512

    25d27df834dbd590dc0806be97ad6f9db09e328bbe377c08d70e4284c61a3bfcfed16e12fafde801e9b57c196e857017119b86f2f3a58b310e3565f3999acd4e

  • C:\Users\Admin\AppData\Local\Temp\DEM8E4.exe

    Filesize

    16KB

    MD5

    1ea93871404c9abd1d5a34f602cfc089

    SHA1

    1b629737696e9dba052daf5ca0c2c7f9bcb8a060

    SHA256

    7f9f3add793fe11c35848ee4c3c4bfda7256dce18d01719bee3933d11bb6b7c5

    SHA512

    818467356c7989ed1e3964bc48242906045c31776151cb77365cea121e2fb0b0a33db96a70e9ca3b140c51376bb01579ba7a8bfbff338ed056fee07bf340f741

  • C:\Users\Admin\AppData\Local\Temp\DEMB20A.exe

    Filesize

    16KB

    MD5

    b44b3b888fbb08e888e1ef2ce10e0480

    SHA1

    be16d765585ae3b3f264be764e16f86912f22628

    SHA256

    c9749bb8a1601a126481d5b708c6b1f327ecb7effe2069c59ab5ed54b6a97762

    SHA512

    787bf047f8ed6e3142dd2243a523a780a5ec7fe252806d57e3d99a1ecdd2ca175bd3c75fe5b50d34d92b80dd62941e17f43eb6c39d247f0504a38e5ba57d59c8

  • C:\Users\Admin\AppData\Local\Temp\DEMB5BE.exe

    Filesize

    16KB

    MD5

    4242966c7503175d3e2edfdb53f6dcec

    SHA1

    5000c36ed4b225507260b6598883bb22533c23fc

    SHA256

    343db298093ffc87dec1bb3ee2344d85c067e52429ab39e3afeb9b7c475ae93d

    SHA512

    0a85086311a7980e1c287d2ce47a313bb0292c9a253375e57df0cf13c3e9a450be75fc9db53ca09790132e6e80f25232df61d1cafcf3fd6fe56c13f86571bca4

  • C:\Users\Admin\AppData\Local\Temp\DEMC1C.exe

    Filesize

    16KB

    MD5

    f03ee82859f13deb17878f218e833af2

    SHA1

    4b7abb129c4e5550f948444aa06430fef306f938

    SHA256

    b191e16c9f5c92d06a787c0b89dcb4beb15eb70ab4635b411edcf9ad9e1a4a0f

    SHA512

    367222d6893da8f78ea00ce5e999713d39f5b93a852229cd631cf571db93b3ed31545ba9a089bb600ed71489a69c9d0bfac50641d2d476d3eb362235e4583645