Analysis

  • max time kernel: 112s
  • max time network: 124s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-11-2024 11:41

General

  • Target

    94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe

  • Size

    16KB

  • MD5

    5427ac54feee09db3183e6fd6f368563

  • SHA1

    3bd051eb7698fcb43c9bdc40ba0931ca835fe410

  • SHA256

    94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3

  • SHA512

    49d79300e4b78f69be4fc362161d2f1175a29160bbe21a21ff97b2b8a488a24385d61b57ba105f0335aa059e358a816cedbaeb5bb00131572df397f029bc01d5

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0FY:hDXWipuE+K3/SSHgxm0m

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 5 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe
    "C:\Users\Admin\AppData\Local\Temp\94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Local\Temp\DEMAD28.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAD28.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\DEM53B.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM53B.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4248
        • C:\Users\Admin\AppData\Local\Temp\DEM5C92.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM5C92.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:876
          • C:\Users\Admin\AppData\Local\Temp\DEMB39B.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB39B.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1936
            • C:\Users\Admin\AppData\Local\Temp\DEMA85.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMA85.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM53B.exe

    Filesize

    16KB

    MD5

    4c286e5cb36591fc98aa34182aa56fa0

    SHA1

    3d78941ce4a4f0bd4e700ef6f1061b45ede5f829

    SHA256

    958e099bfc960332515c2c3e4fb755bf80a1ddc48c425e5f956cc902323b43e6

    SHA512

    bf7d9ad2b600526c21a6e09462067601aa5e79a846aa93b2186342382aab2825b282c0f347fa553db8b18fc22d88c476953e1b7d68b71461a1c25f6e8ee57d03

  • C:\Users\Admin\AppData\Local\Temp\DEM5C92.exe

    Filesize

    16KB

    MD5

    464852696686b4f66595df27ba3ad5dd

    SHA1

    0d7c857918f913005d99eeabf07b7213b4e86fa9

    SHA256

    378a43259664ab3bfd814056490751a19c10b5934311b5512c0b2fcb885e73d4

    SHA512

    32230396d5ae83406959b95c779e8d6761d7e412d68723494afd8cc68b85cf1445f28f74196ed32407646dc714c68460968a7ec20f12dfc701b2a4ecd58c87ea

  • C:\Users\Admin\AppData\Local\Temp\DEMA85.exe

    Filesize

    16KB

    MD5

    c37a4811fc2a1f6d758a397cb1bbb2d3

    SHA1

    4b5dd15473578f79bdb1ad349ef2452214cd29c2

    SHA256

    9cec67a4c3ff29d07765958fd466be1f007389cb9fb525e0a3687d5177030efb

    SHA512

    d7741f1862d602037c0472e645b0fee5a0f3fbd1f972baa32d29f40c4afe5c5c9c4c7052f08459248180eea6da5dd9865edad8ee2866da3e8ae825ea0cbfab1e

  • C:\Users\Admin\AppData\Local\Temp\DEMAD28.exe

    Filesize

    16KB

    MD5

    1b5a255d476b46041fe1860e4d17b6b6

    SHA1

    b2a9500337bd7e2c794e5241a6334a8f8baec283

    SHA256

    855d23b482fb440068981202bf1afce7af083929c3859ac26bd01d8918c486e6

    SHA512

    194763f2a72ee6e107331fe329f77d80d3a5c886ef15bdd2f600bfdb02242ddbf9a30127ebfa5626ec5bd95cd097a98db271fc22165e6d33143f2e1023c58ac8

  • C:\Users\Admin\AppData\Local\Temp\DEMB39B.exe

    Filesize

    16KB

    MD5

    c415e0679eb6482207ff4efaae27bbd2

    SHA1

    0a26ed19b21b9ee524275775c51fa61120d3dc53

    SHA256

    db09ca4f6818698bced3bfd25cce3bd5dae631866a851a03787d2f85ac7161dc

    SHA512

    1be41b44c078073d7feb64a052d97d439306bf5f27c46edb9f5d698a2fc75f738983958f66c5c52213572d64cfd370bbd7334ed92aaae0d27dadf6130f59f21f