Analysis

  • max time kernel
    111s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2024, 10:20

General

  • Target

    296a2dc73fa2c47299404da28387ba804803d91621f53c0f7c79e61476e3334d.exe

  • Size

    16KB

  • MD5

    e5937d893c5daee668134a53bf27d563

  • SHA1

    6a4bebcbf74ff23425571f082d1e239f101e7887

  • SHA256

    296a2dc73fa2c47299404da28387ba804803d91621f53c0f7c79e61476e3334d

  • SHA512

    3639de7b4688bd5b7a8de7940576d2da2a8cf5e82f91031fc95637fbabf3e678755c5c44dd1219faa6bda0bff8a46bc38f1be5e8cc8ec341287001f80ba2a9bc

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx9MG:hDXWipuE+K3/SSHgxmH7MG

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\296a2dc73fa2c47299404da28387ba804803d91621f53c0f7c79e61476e3334d.exe
    "C:\Users\Admin\AppData\Local\Temp\296a2dc73fa2c47299404da28387ba804803d91621f53c0f7c79e61476e3334d.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Users\Admin\AppData\Local\Temp\DEMAD57.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAD57.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Users\Admin\AppData\Local\Temp\DEM54A.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM54A.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\Users\Admin\AppData\Local\Temp\DEM5C34.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM5C34.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4500
          • C:\Users\Admin\AppData\Local\Temp\DEMB31E.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB31E.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3756
            • C:\Users\Admin\AppData\Local\Temp\DEM9AB.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM9AB.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2792

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM54A.exe

    Filesize

    16KB

    MD5

    559c1fbe2d94632382f4644baca30986

    SHA1

    b21f9ec74b41d9959c1d8029871bf73fcab1c64e

    SHA256

    ebe41e15ef61116f1e5baf12cb7649477944576545f12a196a504b3df0e8f7d8

    SHA512

    f856b125baaaa6eb2311a68f870c90942cceea8706d302bf081d14d03c16fdab33cc02c238c326264aa7f9408b68f4945181425c7b20753a87095f364a98d7c4

  • C:\Users\Admin\AppData\Local\Temp\DEM5C34.exe

    Filesize

    16KB

    MD5

    8e31fb06c5c2622459295c22db9c665e

    SHA1

    1297341aa27cf1c05fd91f00f143a7c0d22fc388

    SHA256

    76c31c4cdeacd3c5e76ee99a77251cc5b0b669e8d8146310765a3b2bdb452c2d

    SHA512

    cc6556d9198aaf61595aa4f5c83a71170f15699ab7233f19ef2ccdb05776fe85a2c0e4ea851855b096d7d21e9894042df60f60d418b3609d3e3992e02aa9ce0e

  • C:\Users\Admin\AppData\Local\Temp\DEM9AB.exe

    Filesize

    16KB

    MD5

    391a34ad7b7761b680af4d44b78abf61

    SHA1

    ac0dd696cbd8fbe27a0909dc402597bac51ebb5e

    SHA256

    344db03a29efef5f1ad60df554bd05517184282d606504a0ade06e12ebaaae72

    SHA512

    91d89cd242d8a00e3f91e2be7be40c93f2f1e9dc361d71b54bbd17c386ba6ba554041e318c5d30e2fcc36ddbf1233365142e354400cbaf12aa4817a4af8ecd73

  • C:\Users\Admin\AppData\Local\Temp\DEMAD57.exe

    Filesize

    16KB

    MD5

    adc27309b120811589c27b1f34075ec4

    SHA1

    c5869c5e65b800e4e2c26b72b1d9a8b9bdf6d1dc

    SHA256

    fdf3bb639d37552bc73242875f4549f797afc6214e143f5f8ea2b96444c2bf2e

    SHA512

    cdd89a175277afc44b61e136edab2dbecc068ba07e6dd5a5ae8af05e6860cfd91bb298930c70dfdd8876c8195b4a22909eaea86d704f4ac220966e23f94c3c6d

  • C:\Users\Admin\AppData\Local\Temp\DEMB31E.exe

    Filesize

    16KB

    MD5

    cdb04759dc11dc8e11355e2b020817aa

    SHA1

    1a59e8373ec8fe7502c94906b80c5d7d2aef9110

    SHA256

    ec4db1d4df90198e3a16dea86a71f37c64c1b2c1096f3a0abedcd4c528e09dcf

    SHA512

    2a4898f98df0a4f4ffcc74693126c20b77008516382ed3f07ef17c31b711038a8494095474cfaf64b2786c646c7499176abf8d90bd76ea5feb15ddb2f52dbf15