Analysis

  • max time kernel
    113s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2024, 10:38

General

  • Target

    0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe

  • Size

    15KB

  • MD5

    5bd67957a7626b7533f521f54efcb071

  • SHA1

    7e5858959534e892d3dc56ce8a08548b6b9eda9f

  • SHA256

    0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26

  • SHA512

    c735ad2d292a4bcb5043977d952b435c05010a53451a6d7e2bfc86b664dae44a1ff585af51ba2f8ea627d230661dbf1c443486e1e7fbbcabd9d75a751ef30e13

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq445:hDXWipuE+K3/SSHgxmq445

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe
    "C:\Users\Admin\AppData\Local\Temp\0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Users\Admin\AppData\Local\Temp\DEM70AC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM70AC.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Users\Admin\AppData\Local\Temp\DEMC9C8.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMC9C8.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Users\Admin\AppData\Local\Temp\DEM20D1.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM20D1.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:648
          • C:\Users\Admin\AppData\Local\Temp\DEM7848.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM7848.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1468
            • C:\Users\Admin\AppData\Local\Temp\DEMCF42.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMCF42.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM20D1.exe

    Filesize

    15KB

    MD5

    9bc58d61778d743589e5921083f46144

    SHA1

    370dae7e71f9398c0dedbc3489c4fa8c780e668a

    SHA256

    57a06a496c065243cc97513a017de14167c598838813250c49a184e60fd69600

    SHA512

    0e9535a63112530df5ae579e6ece9efb3ded17ffecf5b524f9971f87a0d44dc89bc0ecd4ec9d3bb8b7e7bac9863a21b52f02eddb9ff29e5ac429dfa0232c922f

  • C:\Users\Admin\AppData\Local\Temp\DEM70AC.exe

    Filesize

    15KB

    MD5

    ac3b7a3649e6de8cc39ea114192e5cfc

    SHA1

    26912b05e8b7e9ca87432aee64d2308d222ad573

    SHA256

    18531042beb0b7a9c24812a6e9aa47f43d4071893809885f9de02866434c2513

    SHA512

    1c68c38408c2fca3d446ac2b4fab5185009735c1aa2b58fa336035d5bd9189fc11beb9e407912bbeb7d109897cd88ab42cace25a9d5d45ef91fe1141a46e9d63

  • C:\Users\Admin\AppData\Local\Temp\DEM7848.exe

    Filesize

    15KB

    MD5

    742e44d046b69085a88a757df1b4789c

    SHA1

    07fd7c08d5a6fb07a727cc2b0893658e24add4e1

    SHA256

    0d115d3a32b33c5220f804afbcca40477b54eb6fe2a927d10d71d330b19bd165

    SHA512

    7f8a334448a485222b9134bd537673cd0e0f449f28694ea728116fe1c1e1edf2a5eb6cfb0de8892f80bb22151f51ca2d1fc34c828a3a339310eec1f1f43286da

  • C:\Users\Admin\AppData\Local\Temp\DEMC9C8.exe

    Filesize

    15KB

    MD5

    55d8ff236326b4fb5dcd1b0d4a80a302

    SHA1

    7c9aec4f59d353563586cafdf89e0a589cb1345a

    SHA256

    c43887f70914c38c93581e47dc493cee64db09d3a743383422ee2f4c80b5e363

    SHA512

    bb8f925021d79eadce26a0c89ce8510e249667312bfcfa6fd0b312816fa8192e25f8e553367363b064c746113be873b211d0d0890d47cd9acd923ae7e18bf6d5

  • C:\Users\Admin\AppData\Local\Temp\DEMCF42.exe

    Filesize

    15KB

    MD5

    da92dacd13173917c8491222e98ee117

    SHA1

    14df8ad0c6a9d4d70170692a46af62c1d6d30de5

    SHA256

    7879560ab3c67fe675a67c8d34931ca56341551c6323f4f3e6fdd03da676df20

    SHA512

    23609dd88bf0eca894c05bda2858c4c0b2f2c488a6bdb38ec9e195a99a6d2d5ca997e7e2eca938b0fb908c839beea61e59089a7e712fd71106ece11460e0dcb6