353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7

Analysis

max time kernel
44s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7.exe
Size

14KB
MD5

151047a32ed0be72f4dc6d72a24ca30e
SHA1

93364fd943cf1b07e96e08fe80e9589b0c02994c
SHA256

353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7
SHA512

427b2c82eb7d80320dd0f901116b4d7f0199afd3f5929906bf2b34575fd02c6163d11a70823da68a4ab4251b27b0cef85e665e012d76f925b495aab9f80145c8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRUqtY:hDXWipuE+K3/SSHgx3O

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7.exe

Executes dropped EXE 1 IoCs

pid	Process
2304	DEM829D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM829D.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2304	4916	353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7.exe	95
PID 4916 wrote to memory of 2304	4916	353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7.exe	95
PID 4916 wrote to memory of 2304	4916	353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7.exe	95

C:\Users\Admin\AppData\Local\Temp\353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7.exe
"C:\Users\Admin\AppData\Local\Temp\353b9d0f3894c1abbd7d72938d331d70a06c9cab70704d97d3ed009feb9d41f7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\DEM829D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM829D.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\DEMD8AD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD8AD.exe"
    3⤵
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\DEM2E2F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2E2F.exe"
      4⤵
      PID:4956
    - - C:\Users\Admin\AppData\Local\Temp\DEM83A2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM83A2.exe"
        5⤵
        
        PID:2400
      - C:\Users\Admin\AppData\Local\Temp\DEMD925.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD925.exe"
        6⤵
        
        PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2E2F.exe

Filesize
14KB

MD5
3e8e8e33e268d152cc5edbb2d40c2e45

SHA1
b540d8b88c7d79351f95dc950ef94ad3dce332df

SHA256
5be1c073b67b6d636edac6ce73aecc2a06240f3c865f50e5159ec6b44bc4eb69

SHA512
d49a601c449bf55f8a1024e23263d8b016af5ba1df3734247f4d6ce8dae3817582cde866e8fc32625886cc02e75255f42d0f1e989061e8a3ebdf043b2e6f4e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM829D.exe

Filesize
14KB

MD5
6f748bf2871f338bf1d4a6c056cd47da

SHA1
93c7f6e057b6b1a989e69a0519fab26d897ff05a

SHA256
f032e8a520bd57891c62a9299fdacc8105ec097edd7303307b763df4a750b4fa

SHA512
ff14c97245c9b56eefbd9d2551edd729cd296b3ca51a51a209c89cace4d6678df882b2c3761c95cfc6466e1eb82749221d46be3e924bd035b649af9f886e3d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM83A2.exe

Filesize
14KB

MD5
0e886de8cf9c7405cb5fedf5707b615e

SHA1
7e6a3f9dd7b0abca86ea625789906bbed49c4863

SHA256
d93236bc6c6694d842a6748c9d40842a39c88d8de182f1990d7092cae33a50ac

SHA512
8451a0b2b860b2f3ad303da7733e0504edabe6139fa74b11eb5d37506d5d91ace562f5a3be81d452fe91c7bd10daea54281a550f736e79c26271c80214605f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD8AD.exe

Filesize
14KB

MD5
a28ff6be69bcbc9b97f0aaaeefc1862b

SHA1
beed32ffbe3afc7e7fd0fc60f35841dd43541fbe

SHA256
cb3c70aa3f62d35b3722c0d318b1c6016fbd486c298972b7a77e253ae7b510e5

SHA512
5936bd35671fbd7bac3275f4bde7c54d7d416e534a6d77aaaa5d5b47245b8b42d68e335f90b87f5498b68ad0425aa249a9debc2e467bb3e93dd5405dea4e8562

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD925.exe

Filesize
14KB

MD5
12e2fde6694b04af23ff5d58be40e669

SHA1
d6ca6a11e4135ebe34b95e0ca868830dcac54388

SHA256
9d0750e21701f7f56a65bd60361166ee84bbc0ef06031dcf88df90c4c731a210

SHA512
6277fc50b811587970a2d41ac7056737de7ddf558f1e6238c8391e1618dac866acf9d4e6bd41a7d628221ed8f6a4525ad978f64f86a64bd5b5d04251b563e891

Download Submit