Analysis

  • max time kernel: 110s
  • max time network: 118s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-11-2024 11:18

General

  • Target: 951c1997be3e152be1d64160661d549e156cd159194bddbb56bdaf0476e80610.exe
  • Size: 15KB
  • MD5: c19aaa16857dcee1b1926753c561aa50
  • SHA1: ea763ca1ea9dd3b3e4b3697e069a2a8c9073325c
  • SHA256: 951c1997be3e152be1d64160661d549e156cd159194bddbb56bdaf0476e80610
  • SHA512: 78cf60556b854ee665dd0d728ea8575c5a6c083005a5705831c55b11469a2cd55f558bffac1fcdd0adc7fb1cbb36ae1aa2dcffdfa81a525f670224453afd5f52
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6E:hDXWipuE+K3/SSHgxmyh6E

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\951c1997be3e152be1d64160661d549e156cd159194bddbb56bdaf0476e80610.exe
    "C:\Users\Admin\AppData\Local\Temp\951c1997be3e152be1d64160661d549e156cd159194bddbb56bdaf0476e80610.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\DEMB8F0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB8F0.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\DEMF9B.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMF9B.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Users\Admin\AppData\Local\Temp\DEM65BA.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM65BA.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:392
          • C:\Users\Admin\AppData\Local\Temp\DEMBBF8.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMBBF8.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4716
            • C:\Users\Admin\AppData\Local\Temp\DEM1255.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM1255.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3228

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1255.exe
    Filesize: 15KB
    MD5: af9f17bceeaa2a031b3c6aab0e859bb0
    SHA1: c5b60a674379c9a4ce62d23d704ff26c7b9004f0
    SHA256: 0e25aae47d45c0dd244a6533052e21f8c2e3d0893a4bf9b59699f574484ac6b9
    SHA512: 45e21d6a2a5a1101ed66879c0573469e4360c16973711ccfd30a31ba9349adf490250e75b23c4a4ea802f609346d98f134663e2670b4531577a0cdbceb38b5f6

  • C:\Users\Admin\AppData\Local\Temp\DEM65BA.exe
    Filesize: 15KB
    MD5: ed13624457caaa6514a959682bb07b01
    SHA1: 30b0f4b1ee640d0f1566c2420726e3421b785eb9
    SHA256: eff69b3d2db021c22af8358b8fb74529915df52fbeec6a7d57b44756e8466ddf
    SHA512: 6df2dfae92f85ac02e6b89f06987593b15544edb74c3e0c5edc110058ea0ad42234f2af5d4736f5227b63ab9e589c73ba6c30f8532be8561dbac38dc0ce06603

  • C:\Users\Admin\AppData\Local\Temp\DEMB8F0.exe
    Filesize: 15KB
    MD5: f711f9d4a30d42e8b60ef40f7c1560ea
    SHA1: 92d137984b2491b7d3c323310a931b89e576facd
    SHA256: 48a92c550c43f09b41bb974b9033c1c697e6d1aba5889b9c875f2e67d186597f
    SHA512: 59d0e76f6d9569a6434927b06677fdb3088dc6ed619181543c9f1822a6d94f31b7934d8124ef6fe98f3fc2c2e67c32ba1efb01b2c4a99312cc00060c8b817b68

  • C:\Users\Admin\AppData\Local\Temp\DEMBBF8.exe
    Filesize: 15KB
    MD5: ea369dee882369182b58811842865ab0
    SHA1: 279fada1f1d544d3f7fae658a4498acdc4801309
    SHA256: 3720d4574d0a0d53835c6971ad9e6a949175e3e9934556e69dec57dbee87f8a7
    SHA512: 56dc5871c4cd6e646e99451966d5253f1daad58d0cbd16b4c9525a1eb8f70c4efc0b627bad6957d41d92f0960b21d41b0749eb21efd6fa8790ab8a2fa9b9ef49

  • C:\Users\Admin\AppData\Local\Temp\DEMF9B.exe
    Filesize: 15KB
    MD5: 0e8eba067d840e260ed2db449e39584f
    SHA1: e55cf8eab5aa347aaafaeef56599a5debd68e6e4
    SHA256: c4efb7eb69e3ce8283adb7a4504b63626aea98c23489b6adac760152ccb02095
    SHA512: bf9be901db2dcbd8763b7b9a1a509de077671e2b3980aaabaee7bf42e51b616e7751a867f53dd94924ec7de83f097783be38e3cf8c7f5a67a13dea9631469f0c