Analysis

  • max time kernel: 113s
  • max time network: 128s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/11/2024, 10:30

General

  • Target: d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe
  • Size: 20KB
  • MD5: f3497e254a2cb34d41a3a4087f83fdf6
  • SHA1: aa2b4520585035e92c75123f34cd6c3951972598
  • SHA256: d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660
  • SHA512: 55df30db83dd18060882ede8b14c7ca6c994a600028cc328e82524ba984fb1fd401701f3ce86b57d985e73c82c05e8b2471089df58461a3b4f897db2e386ed2d
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PRSU:hDXWipuE+K3/SSHgxmHZPRP

Score: 7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 5 IoCs)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe (depth 1, PID 1964)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe"
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\DEMA037.exe (depth 2, PID 3480)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMA037.exe"
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\DEMF8C7.exe (depth 3, PID 3628)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF8C7.exe"
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Local\Temp\DEM5119.exe (depth 4, PID 2460)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5119.exe"
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          • C:\Users\Admin\AppData\Local\Temp\DEMA92C.exe (depth 5, PID 1960)
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMA92C.exe"
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            • C:\Users\Admin\AppData\Local\Temp\DEM83.exe (depth 6, PID 1448)
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM83.exe"
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM5119.exe
    Filesize: 20KB
    MD5: 3282466719cf543024c22ef020eba0af
    SHA1: 51d9f9b1dc4d63e3885dfd35ca17ac5eba4c9a74
    SHA256: ebbd44274ca6c44983fed3aa055ce4d1b15d3dd216d63f7d9e783daaf0e80abf
    SHA512: 991c00f7ce4e53a359191ce889fbf8d153fee549065cec58cc9b77dd62ac938354633521aee9f6b0260c69be46291a5ef060d2dfe2bf5e23fa7cb1d7d290a07c

  • C:\Users\Admin\AppData\Local\Temp\DEM83.exe
    Filesize: 20KB
    MD5: 0f62e239ea953dce59ab3d76fbe22397
    SHA1: 1a013edd10a5f3708e01d17c369e20f9c92262e5
    SHA256: f425db54b95e6960e599d12297ce16ae26823e62adba6583354d1132cada4ce9
    SHA512: da1729237678f22e7a8af14accd377c76c6f9649268b9b92d064d43e117c64806b1099a3c1ba49cc36fb435af8627c6018902b7c7072b0a41801c2c4dc24c80a

  • C:\Users\Admin\AppData\Local\Temp\DEMA037.exe
    Filesize: 20KB
    MD5: 2ab2066d636f80ae2a673e462c3c220e
    SHA1: 9427d005491d0ea1ae620c50225c0995583b9c9f
    SHA256: 9608677716ce3afb1282c166482ca2074b8160e3e33086aa6283e12155dbb2f8
    SHA512: c91c90e8b7f540d787a3337eb8a364cd0b0e9cb704c8a49534f91ab5427c7450cdd1b2e5bed3a10aea530891a14d97003a25bad6d2c57226fb6d03409fca53b1

  • C:\Users\Admin\AppData\Local\Temp\DEMA92C.exe
    Filesize: 20KB
    MD5: 1e43bd008abcdbf7a5031d891ea833f2
    SHA1: 5063310d1242f16045d51d949f7f9112a5145063
    SHA256: 4efd60352a76594c5de0ee5521f8476762aae2f71010aa8e7fbc33ef3783d2a7
    SHA512: 879d2337b926ca6dbd0e4bd33b693e5e26d2a5eb26facbeeb8fbe04e39ab787dd974e22325c0f3af833f948bece602739d9784fb0c6441813a21186732a0edf0

  • C:\Users\Admin\AppData\Local\Temp\DEMF8C7.exe
    Filesize: 20KB
    MD5: 434f1487463fda1f5374814f1d1f3dce
    SHA1: 3fafb43857b3b5b7c8413193d09346a932e2621d
    SHA256: cba592e741d33ac04face3a391e11681daa685ead46849be530ed501e83df18d
    SHA512: 7706f518267f5c02234d518958b66abe2d08ada3def0e7031eb4d93e2455fa8471da0561d4099bc7601e6eeba63e25443a5a7e3183db97b3322ef54d141c9454