Analysis

  • max time kernel
    111s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 11:27

General

  • Target

    9c6d49bc0434849338c7a26a67249ceb15aced2b3ee1e8cb9003c04b03e15fb4.exe

  • Size

    16KB

  • MD5

    2e229894f3234fa5cb3cd34dc009ac30

  • SHA1

    d3dfc8bcc28b15f4414a2d214f538b7e5c1d6daf

  • SHA256

    9c6d49bc0434849338c7a26a67249ceb15aced2b3ee1e8cb9003c04b03e15fb4

  • SHA512

    69745865cb34d1698231244952856eaee36c298f5931dafc5a6f6632ba3b603d13536868f280ccd897ed89baaa480c8eb4cf7955f7bee5c12f5ae782a89cf3fe

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pkzTb:hDXWipuE+K3/SSHgx4GzH

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 5 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (15 IoCs)
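The two location-discovery signatures above are matched by the sandbox against the API calls each process makes. The following is an added example of that matching logic (editor's code, not the sandbox's signature engine): it runs over a constructed API-call trace and reports a hit count per signature in the same "N IoCs" form the report uses. The registry key (`HKCU\Control Panel\International\Geo`, value `Nation`) and the language-query API names are the editor's assumptions about what the sandbox hooks; the report itself only says "country code configured in the registry" and "system language".

```python
import re
from dataclasses import dataclass, field

# Registry key that holds the configured country (GeoID). The report only
# says "country code configured in the registry"; this path and the API
# names below are the editor's assumptions about what the sandbox hooks.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo$", re.IGNORECASE)
LANGUAGE_APIS = {
    "GetUserDefaultUILanguage", "GetSystemDefaultUILanguage",
    "GetUserDefaultLangID", "GetSystemDefaultLangID",
}

LOCATION_SIG = "Checks computer location settings"
LANGUAGE_SIG = "System Location Discovery: System Language Discovery"


@dataclass
class ApiCall:
    pid: int
    api: str
    args: dict = field(default_factory=dict)


@dataclass
class Hit:
    signature: str
    pid: int
    evidence: str


def match_location_signatures(trace):
    """Return one Hit per API call that satisfies either signature."""
    hits = []
    for call in trace:
        key = call.args.get("key", "")
        value = call.args.get("value")
        # Location check: a query of the Nation value under the Geo key.
        if call.api.startswith("RegQueryValueEx") and value == "Nation" and GEO_KEY_RE.search(key):
            hits.append(Hit(LOCATION_SIG, call.pid, f"{call.api} {key}\\{value}"))
        # Language discovery: any of the default-language query APIs.
        elif call.api in LANGUAGE_APIS:
            hits.append(Hit(LANGUAGE_SIG, call.pid, call.api))
    return hits


def ioc_counts(hits):
    """Count hits per signature, the number the report shows as 'N IoCs'."""
    counts = {}
    for h in hits:
        counts[h.signature] = counts.get(h.signature, 0) + 1
    return counts


# Constructed trace (not from the report): calls stages 1 and 2 might make.
SAMPLE_TRACE = [
    ApiCall(2360, "RegOpenKeyExW", {"key": r"HKCU\Control Panel\International\Geo"}),
    ApiCall(2360, "RegQueryValueExW", {"key": r"HKCU\Control Panel\International\Geo", "value": "Nation"}),
    ApiCall(2360, "GetUserDefaultUILanguage"),
    # Same value name under an unrelated key: must not count as a hit.
    ApiCall(2360, "RegQueryValueExW", {"key": r"HKCU\Software\Example", "value": "Nation"}),
    ApiCall(5068, "RegQueryValueExW", {"key": r"HKCU\Control Panel\International\Geo", "value": "Nation"}),
    ApiCall(5068, "GetSystemDefaultLangID"),
]

if __name__ == "__main__":
    for sig, n in ioc_counts(match_location_signatures(SAMPLE_TRACE)).items():
        print(f"{sig}: {n} IoCs")
```

The decoy call in the sample trace is the point of the key-path check: matching on the value name alone would fire on any `Nation` value anywhere in the registry, which is how a signature like this produces false positives on legitimate software.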

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c6d49bc0434849338c7a26a67249ceb15aced2b3ee1e8cb9003c04b03e15fb4.exe
    "C:\Users\Admin\AppData\Local\Temp\9c6d49bc0434849338c7a26a67249ceb15aced2b3ee1e8cb9003c04b03e15fb4.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\DEM7956.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7956.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Users\Admin\AppData\Local\Temp\DEMD040.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMD040.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Users\Admin\AppData\Local\Temp\DEM26DC.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM26DC.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Users\Admin\AppData\Local\Temp\DEM7D88.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM7D88.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4872
            • C:\Users\Admin\AppData\Local\Temp\DEMD452.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMD452.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4980
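The tree above is a six-stage drop-and-execute chain: every process runs from the same %TEMP% directory and, except for the last, drops and launches another 16KB executable. The following is an added example (editor's code, not part of the report) of how an analyst would correlate such a chain from endpoint telemetry. The process-create records are built from the PIDs and paths listed above; the parent PIDs and the file-create records are the editor's assumptions consistent with the tree, not data the report states, and the record shape loosely follows Sysmon Event ID 1 and 11.

```python
import ntpath
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the Processes section: (pid, ppid, image). The parent
# PIDs follow the nesting of the tree; the report does not list them.
PROC_CREATE = [
    (2360, 0,    TEMP + r"\9c6d49bc0434849338c7a26a67249ceb15aced2b3ee1e8cb9003c04b03e15fb4.exe"),
    (5068, 2360, TEMP + r"\DEM7956.exe"),
    (1512, 5068, TEMP + r"\DEMD040.exe"),
    (1200, 1512, TEMP + r"\DEM26DC.exe"),
    (4872, 1200, TEMP + r"\DEM7D88.exe"),
    (4980, 4872, TEMP + r"\DEMD452.exe"),
]

# Constructed (assumed): (pid that wrote the file, path). Each stage is
# assumed to write its successor; the report only says the EXEs were dropped.
FILE_CREATE = [
    (2360, TEMP + r"\DEM7956.exe"),
    (5068, TEMP + r"\DEMD040.exe"),
    (1512, TEMP + r"\DEM26DC.exe"),
    (1200, TEMP + r"\DEM7D88.exe"),
    (4872, TEMP + r"\DEMD452.exe"),
]


def dropped_exe_chains(proc_create, file_create, min_depth=3):
    """Return chains [root, child, ...] in which every link is a process
    executing an .exe that its own parent wrote to disk. Chains shorter
    than min_depth are dropped so ordinary installers stay quiet."""
    written_by = {path.lower(): pid for pid, path in file_create}
    image = {pid: img for pid, _, img in proc_create}
    children = defaultdict(list)
    for pid, ppid, img in proc_create:
        # Link parent -> child only when the parent itself dropped the image.
        if img.lower().endswith(".exe") and written_by.get(img.lower()) == ppid:
            children[ppid].append(pid)

    chains = []

    def walk(pid, chain):
        if pid not in children:          # leaf: end of this chain
            if len(chain) >= min_depth:
                chains.append(chain)
            return
        for child in children[pid]:
            walk(child, chain + [child])

    # Roots are processes whose parent is not itself in the telemetry.
    roots = [pid for pid, ppid, _ in proc_create if ppid not in image]
    for root in roots:
        walk(root, [root])
    return chains


def chain_report(chain, proc_create):
    """Render a chain as the sequence of image file names."""
    image = {pid: img for pid, _, img in proc_create}
    return [ntpath.basename(image[pid]) for pid in chain]


if __name__ == "__main__":
    for chain in dropped_exe_chains(PROC_CREATE, FILE_CREATE):
        print(f"{len(chain)}-stage dropped-EXE chain:", " -> ".join(chain_report(chain, PROC_CREATE)))
```

Requiring that the parent wrote the child's image is what separates this from a plain "exe launched from %TEMP%" rule: it ties the "Executes dropped EXE" observation to the process that did the dropping, so each link in the output corresponds to one stage of the tree above. The five dropped files in the Downloads section are each 16KB with distinct hashes, so hash-based blocking of any single stage would not stop the chain; the behavioural link is the durable indicator.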

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM26DC.exe

    Filesize

    16KB

    MD5

    133e562abf2c9699cf8c4c97d742f342

    SHA1

    fa8cc1bbf2347ad63d9b48efa86ad916288f3ca7

    SHA256

    81f7672d7acfa693ce54f321e7338c0f6ed5f2858e21f514fff8ddc980057af7

    SHA512

    c0d2a080053b020827004eddc83f94de5e9aec790a79730ac126ef2490f6365489d6dc9fa96a4ee7036791596dd0f5531ec9b1804b608261c66210d64c762e42

  • C:\Users\Admin\AppData\Local\Temp\DEM7956.exe

    Filesize

    16KB

    MD5

    d15b114832f3a21e5e6f561e7a710571

    SHA1

    75f6d46a70344eac40b01b4af1b37febf81fed4b

    SHA256

    bfad67f385727f21e46cbc030ab9ce92e28be692171f78a56b7d9f3690cc1811

    SHA512

    9b788abbbe401e86b6a94dc4e761a7e2e8dba4d4a3f0487ffa9a10d2f365ba0d9693ddb1d54b205dbda4a984a2fa999546f8bc3976e76e1ca3d98d6ed9315d24

  • C:\Users\Admin\AppData\Local\Temp\DEM7D88.exe

    Filesize

    16KB

    MD5

    b59bc785347964d55d4924a468a3b140

    SHA1

    36a9ab0a7cb058be1778df5757f06538d6e649a8

    SHA256

    3b728cf3596944507d0c42519145bb545c2048ab1a1a516a03cb6c6de7ddb9f1

    SHA512

    4648cc7dcdfa9fa4bfab15b6d6ceb164f2cd10bb09590802b3badab6a1ac9b2aab5a3a082c4de231b638078711578a2b435b5b19dc4007bdd2f2414b8cad539d

  • C:\Users\Admin\AppData\Local\Temp\DEMD040.exe

    Filesize

    16KB

    MD5

    d1c47aae44a9323e50f5038627cee99b

    SHA1

    69b425a39a311e538526132fc3132a10f1e9ee20

    SHA256

    683551a7c76230febaca31bcb5a972264e0ce9f1512841219fa68d5148f85cbb

    SHA512

    3544e1d2d8a6d37684fa18c4440440e9abd776d62fa56e34ca95195fb93cd93eb09dd002d3f41d5eee796e6984b645415a27918a648ee47379ff83500c280a93

  • C:\Users\Admin\AppData\Local\Temp\DEMD452.exe

    Filesize

    16KB

    MD5

    294ecb4dac99ec1e5dccbc2a170d383b

    SHA1

    42453ba944c305674cf61aaaef95002ad0442be7

    SHA256

    6e70e798ecfbd95365852884ac30135a5ab3bcd940d2aa20c0ab3dcd54871567

    SHA512

    a6165e2d4f951cb751c3e41b815819fc07cb4f48a64674b56bf688cd2814ae991790798b40fc778aa203c579e20f6256f0492a70b4f57da99c1802f774591d68