Analysis

  • max time kernel
    112s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21-11-2024 12:06

General

  • Target

    f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe

  • Size

    14KB

  • MD5

    34a364436280475d702682b1030747c3

  • SHA1

    1266b780c30ac13b3dd45141984ec4311ddce655

  • SHA256

    f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485

  • SHA512

    52c9251e7475370305599c38b086b5ffe24e0458ea68f692e0b1a57895ed68edc27a91707cf4b9d4b70915b0eb1352092981eb819de4cb40d99b0c6765cbd119

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0DcAv:hDXWipuE+K3/SSHgx4rv

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe
    "C:\Users\Admin\AppData\Local\Temp\f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Users\Admin\AppData\Local\Temp\DEMA095.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA095.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Users\Admin\AppData\Local\Temp\DEMF8B8.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMF8B8.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Users\Admin\AppData\Local\Temp\DEM507C.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM507C.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Users\Admin\AppData\Local\Temp\DEMA832.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMA832.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4404
            • C:\Users\Admin\AppData\Local\Temp\DEMFFA8.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMFFA8.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3416
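
The process tree above is a six-stage chain: the submitted sample writes DEMA095.exe into %TEMP% and runs it, that stage drops and runs DEMF8B8.exe, and so on down to DEMFFA8.exe. The following Python is an added detection example, not part of the sandbox report or its tooling. It walks process-creation records and flags any executable under AppData\Local\Temp whose parent is not itself a %TEMP% executable and which heads a parent-to-child chain of at least three %TEMP% executables. The sample events are constructed from the report's PIDs and image paths; the record shape (pid, ppid, image), the parent PID 1000 for the root, and the two benign noise records are assumptions.

```python
"""Flag a chained dropper (each stage drops and launches the next) from
process-creation events. Added example; not code from the sandbox report."""
import re

# Constructed sample events. PIDs and image paths are taken from the report's
# process tree; the record layout, the root's parent PID 1000 and the two
# benign records are assumptions for this example only.
SAMPLE_EVENTS = [
    {"pid": 2308, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe"},
    {"pid": 1148, "ppid": 2308, "image": r"C:\Users\Admin\AppData\Local\Temp\DEMA095.exe"},
    {"pid": 2388, "ppid": 1148, "image": r"C:\Users\Admin\AppData\Local\Temp\DEMF8B8.exe"},
    {"pid": 2508, "ppid": 2388, "image": r"C:\Users\Admin\AppData\Local\Temp\DEM507C.exe"},
    {"pid": 4404, "ppid": 2508, "image": r"C:\Users\Admin\AppData\Local\Temp\DEMA832.exe"},
    {"pid": 3416, "ppid": 4404, "image": r"C:\Users\Admin\AppData\Local\Temp\DEMFFA8.exe"},
    # Benign noise so the detector has something to ignore.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\conhost.exe"},
]

# Any .exe directly under the user's %TEMP% directory.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# The DEM + four hex digits naming pattern seen in this report's dropped stages.
DEM_NAME = re.compile(r"\\DEM[0-9A-F]{4}\.exe$", re.IGNORECASE)


def build_children(events):
    """Map each parent PID to the list of records it spawned."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    return children


def longest_temp_chain(events, root_pid):
    """Longest parent->child chain of %TEMP% executables starting at root_pid."""
    by_pid = {e["pid"]: e for e in events}
    children = build_children(events)
    root = by_pid.get(root_pid)
    if root is None or not TEMP_EXE.search(root["image"]):
        return []
    best = [root]

    def walk(node, path):
        nonlocal best
        if len(path) > len(best):
            best = path
        seen = {p["pid"] for p in path}
        for child in children.get(node["pid"], []):
            # Follow only %TEMP% executables; skip anything already on the path.
            if child["pid"] not in seen and TEMP_EXE.search(child["image"]):
                walk(child, path + [child])

    walk(root, [root])
    return best


def find_dropper_chains(events, min_depth=3):
    """Return chain roots: %TEMP% executables whose parent is not a %TEMP%
    executable and which head a chain of at least min_depth stages."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not TEMP_EXE.search(e["image"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is not None and TEMP_EXE.search(parent["image"]):
            continue  # an intermediate stage, not the root of the chain
        chain = longest_temp_chain(events, e["pid"])
        if len(chain) >= min_depth:
            hits.append({
                "root_pid": e["pid"],
                "depth": len(chain),
                "pids": [c["pid"] for c in chain],
                "dem_named": sum(1 for c in chain if DEM_NAME.search(c["image"])),
            })
    return hits


if __name__ == "__main__":
    for hit in find_dropper_chains(SAMPLE_EVENTS):
        print(f"root PID {hit['root_pid']}: {hit['depth']} stages, "
              f"{hit['dem_named']} DEMxxxx-named, PIDs {hit['pids']}")
```

The depth threshold is the tuning knob: a single %TEMP% executable that launches one helper is common in legitimate installers, while three or more stages of self-spawned %TEMP% executables is the behaviour this report shows. In production the same logic runs over Sysmon Event ID 1 or EDR process telemetry, which carry the parent process ID and image path used here.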

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM507C.exe

    Filesize

    15KB

    MD5

    fdd297d7925cad8202601f7836259dcc

    SHA1

    ac48cc116445026b620d69b35c22837c7aa85762

    SHA256

    49c320facc55b2ee379b2ce283be2d09389ab1f524a6d435b0f24f1671afe083

    SHA512

    34fd58195a42e0585aa3de59fa3443be38060a6687844b5b23251dcda28b3d4bafec6c28ec09c2a00ef768ee5717fe8b1eb59a382c635838f3ee878b24516f5e

  • C:\Users\Admin\AppData\Local\Temp\DEMA095.exe

    Filesize

    15KB

    MD5

    a758bbc1f2ea31d894a0f9258ef3c227

    SHA1

    77b7ccce5c9d50f662ccef3537bd0320c8082d84

    SHA256

    2c6826a49933125132c5f399528748fbe77dccf192cc150b39dd27d0480b8d2d

    SHA512

    0ebf07b6a024089eb2e8e6baa209042671966d440991976e678c8376cc9a3fcb4c80c1d7ddf2c9d824843509db8c124df05c15e81d6992b5da6a1fc1fae12022

  • C:\Users\Admin\AppData\Local\Temp\DEMA832.exe

    Filesize

    15KB

    MD5

    f68b8c10a6593f4bbc181086ee9e6913

    SHA1

    09a714666be75f124abde39ed9a56c53d1c7a59f

    SHA256

    b3acd0f27bee4a5321d5269bd0cfbea2745f6753b3eaf14af59dd2535841b88c

    SHA512

    963d697dae0c1ff20b4e55a1b288c197cba9d396e23abcef651bc7fe8ecd9d83328c88306cdbc9ee8be22a23f9677a8775a4442b49aabad55abfc518f8938767

  • C:\Users\Admin\AppData\Local\Temp\DEMF8B8.exe

    Filesize

    15KB

    MD5

    7abafc58fb015035e4cab005caa90f08

    SHA1

    8045073f2fbd21938182dc2df234e1c5b399ee25

    SHA256

    325f23846f55dc893b381e3e4bbe95d22b2f072a513ec4367aa612321b0e9c97

    SHA512

    b868d25b3c7f0421774b7b1792d6314f2fc7770386801c715de463e1ee21b8b2bb525a4c3f9e7739e3fe1c59c328adbc13ddb0b6773c43153e02a1f668a3ff27

  • C:\Users\Admin\AppData\Local\Temp\DEMFFA8.exe

    Filesize

    15KB

    MD5

    5dbc8ffd7a9052fc5bd6eed4ba7162ad

    SHA1

    f49644dcfa375ea814fac8189923c17a0d262b0b

    SHA256

    a8002e65c489594e173bb66710fdc17d8407c553366bf90a8ec008170f5da18d

    SHA512

    47819d1aa4193757b8ba174144afd410d9b08088d5e69332eab582ed3fa367e7147b20387ae6767a0510149c8da678ccef40d557d722f71b67df819192091e82
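
The Downloads section gives MD5, SHA1, SHA256 and SHA512 for each dropped stage; the General section gives the same for the submitted sample. The Python below is an added example of how to turn those values into a host-side check, not code from the sandbox report. It transcribes the MD5, SHA1 and SHA256 values from this page into an IoC table (the SHA512 values are left out of the table only to keep it short), validates that every digest has the right length and is hex, hashes files in one pass with all four algorithms, and reports any file on disk whose digest matches. The scan_directory function and the chunked reader are assumptions about how a responder would apply the table; nothing in it is the sandbox's own API.

```python
"""Match files on disk against the dropped-file hashes in the sandbox report.
Added example; the digests are transcribed from the report, the code is not
the sandbox's own."""
import hashlib
import os

# Transcribed from the report (General section for the submitted sample,
# Downloads section for the five dropped stages). SHA512 omitted for brevity.
IOCS = {
    "f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe": {
        "md5": "34a364436280475d702682b1030747c3",
        "sha1": "1266b780c30ac13b3dd45141984ec4311ddce655",
        "sha256": "f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485"},
    "DEM507C.exe": {
        "md5": "fdd297d7925cad8202601f7836259dcc",
        "sha1": "ac48cc116445026b620d69b35c22837c7aa85762",
        "sha256": "49c320facc55b2ee379b2ce283be2d09389ab1f524a6d435b0f24f1671afe083"},
    "DEMA095.exe": {
        "md5": "a758bbc1f2ea31d894a0f9258ef3c227",
        "sha1": "77b7ccce5c9d50f662ccef3537bd0320c8082d84",
        "sha256": "2c6826a49933125132c5f399528748fbe77dccf192cc150b39dd27d0480b8d2d"},
    "DEMA832.exe": {
        "md5": "f68b8c10a6593f4bbc181086ee9e6913",
        "sha1": "09a714666be75f124abde39ed9a56c53d1c7a59f",
        "sha256": "b3acd0f27bee4a5321d5269bd0cfbea2745f6753b3eaf14af59dd2535841b88c"},
    "DEMF8B8.exe": {
        "md5": "7abafc58fb015035e4cab005caa90f08",
        "sha1": "8045073f2fbd21938182dc2df234e1c5b399ee25",
        "sha256": "325f23846f55dc893b381e3e4bbe95d22b2f072a513ec4367aa612321b0e9c97"},
    "DEMFFA8.exe": {
        "md5": "5dbc8ffd7a9052fc5bd6eed4ba7162ad",
        "sha1": "f49644dcfa375ea814fac8189923c17a0d262b0b",
        "sha256": "a8002e65c489594e173bb66710fdc17d8407c553366bf90a8ec008170f5da18d"},
}

ALGOS = ("md5", "sha1", "sha256", "sha512")
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_ioc_table(iocs):
    """Return a list of problems (unknown algorithm, wrong length, non-hex)."""
    problems = []
    for name, digests in iocs.items():
        for algo, value in digests.items():
            if algo not in DIGEST_HEX_LEN:
                problems.append(f"{name}: unknown algorithm {algo}")
            elif len(value) != DIGEST_HEX_LEN[algo] or any(
                    c not in "0123456789abcdef" for c in value):
                problems.append(f"{name}: malformed {algo} digest")
    return problems


def hash_bytes(data):
    """All four digests of an in-memory buffer, lowercase hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path, chunk=1 << 20):
    """All four digests of a file, read once in chunks."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests, iocs=IOCS):
    """(ioc_name, algorithm) pairs whose digest equals the computed one."""
    hits = []
    for name, known in iocs.items():
        for algo, value in known.items():
            if digests.get(algo) == value:
                hits.append((name, algo))
    return hits


def scan_directory(root, iocs=IOCS):
    """Walk root and return (path, matched_ioc_names, sha256) for each hit."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            hits = match_digests(digests, iocs)
            if hits:
                results.append((path, sorted({n for n, _ in hits}), digests["sha256"]))
    return results


if __name__ == "__main__":
    import sys
    assert not validate_ioc_table(IOCS), validate_ioc_table(IOCS)
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", ".")
    for path, names, sha256 in scan_directory(target):
        print(f"{path}: matches {', '.join(names)} (sha256 {sha256})")
```

Matching on any one algorithm is deliberate: a hit on MD5 or SHA1 alone is still a hit, because the report's weaker digests are the ones older feeds and AV logs carry, while the SHA256 is what you pivot on when querying other sources. Note that the filenames in the table are only labels; the dropped stages are identified by content, so a renamed copy of DEMA095.exe still matches.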