Analysis

  • max time kernel: 110s
  • max time network: 119s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/11/2024, 10:22

General

  • Target: 0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe
  • Size: 16KB
  • MD5: 2e927661437de025daba278856cd8dc4
  • SHA1: 77fd2f100ba14f2f715978e82efe3b09972088c7
  • SHA256: 0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd
  • SHA512: 49ce1f428ceae42daf7d5df6a23f8bdba359d13ed077fd2f7d9d849b66b4a8d8e75d3bc606d7187ef258c5205443f100724fbed388ccdbc9c6edf5996478a727
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxdZE:hDXWipuE+K3/SSHgxmHfK

Score
7/10

Signatures

  • Checks computer location settings (2 TTPs, 5 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (5 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe
    "C:\Users\Admin\AppData\Local\Temp\0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\DEMB229.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB229.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Users\Admin\AppData\Local\Temp\DEM932.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM932.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Users\Admin\AppData\Local\Temp\DEM5F90.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM5F90.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3752
          • C:\Users\Admin\AppData\Local\Temp\DEMB522.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB522.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1832
            • C:\Users\Admin\AppData\Local\Temp\DEMAB4.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMAB4.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2700

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM5F90.exe
    Filesize: 16KB
    MD5: 5da9d8ca000c87ed7b2adfb3aec4ade6
    SHA1: 753d656fadcbaded2e90f5031fe211658661dc8c
    SHA256: fba82a021c2eb8d6827cb06a9f2dde86e9e5848ccdd713feba137e00150e3f47
    SHA512: b124db10024a4301dbfd3ba62f66d23892d5cea1e196359f0e2f07bc962fc5a1d7f2c9a95bfe6b3d886f0db2f868079f5583638ccc8e149e2aeb482394cd145c

  • C:\Users\Admin\AppData\Local\Temp\DEM932.exe
    Filesize: 16KB
    MD5: 669dd7a267776655e9f52e66fb485ea0
    SHA1: 4c85656a97385c79490ea282d68e7c05a91db97c
    SHA256: fb02e1d66198796a76c716c7af8b9f3170afebd04f816b01f1f3d35838ca0aa5
    SHA512: 5e96217d2ccb78fa2327d29ce3402df0970dcae78c11f5e4eee584a7d20f746b2a9cb0a593787962080ba55130f576e208bd864a1595a99f20c5f64baeb584e3

  • C:\Users\Admin\AppData\Local\Temp\DEMAB4.exe
    Filesize: 16KB
    MD5: ce5adbe4080ac1c107f6062499b6913c
    SHA1: de8aef548e2098488ff48f99f938388fb3fb4c2f
    SHA256: 9229d182c69cabeb693a79edb3c229d15d1e030f64311acff12bebe20a78f3d2
    SHA512: 4cda319ac4140fc1a773a3ba515e306e89fcac05c07c7544f5fa285dc3e309348d1507eb8a95e998f011d8cb69d99172cb7b090e008b5a392dddffecfb3c09eb

  • C:\Users\Admin\AppData\Local\Temp\DEMB229.exe
    Filesize: 16KB
    MD5: a2221d2f122dc517b32ea11d8d2acd5f
    SHA1: dd2f9384db8845e08e364cb00cb9d009fb9129d8
    SHA256: 414431329e61e60dde20b0d8e93239c27a422478b09130f03b79d243f16e37cc
    SHA512: 04b63be2ee00e2472bce1268a7e689ff740c3e922096ec098a48ab2d71a95024e5310828105eaf4e7874eed2cd24f2f4d6c72cee97676c717ac4b7d433211bca

  • C:\Users\Admin\AppData\Local\Temp\DEMB522.exe
    Filesize: 16KB
    MD5: 91ac13cbed7c1c8d1978674555ec29a9
    SHA1: db3f089d5f01d1e372564ae024a0c9f7bdcee9d2
    SHA256: 95a01ab2801a1ab3bd89d6fd87438f6d3485ff15abc6025a34cf52e837988ea5
    SHA512: 99bab6dea1385b09f89bcd0b93c78aaeb1d80cb45302ae7f57b29948a19c427361d0a97ad58daf15ece2611ad53ddb7afe83a0a95be62308daf41a49d19ba694