eda7d25ba46610a964877ae1536922f3cc2fdfad7e3786e4d51ebde6cf103ca4

General

Target

b05ed7572f180c53430cff8ec6fa600a.exe
Size

15KB
MD5

b05ed7572f180c53430cff8ec6fa600a
SHA1

31647edcc5e4237fc460816625e7e3e3fc7ca2c6
SHA256

eda7d25ba46610a964877ae1536922f3cc2fdfad7e3786e4d51ebde6cf103ca4
SHA512

a3ce7f2aef6d469c0721fab450c22cb639d36b4c12bfa713504577862fe86d09ea5b9f5bc5a1250a379567cd1fcb1351af5e23ee1fe69b9138c40b5229c70ba9
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxk:hDXWipuE+K3/SSHgxmHS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	b05ed7572f180c53430cff8ec6fa600a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMC7D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM2083.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM7829.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMCFED.exe

Executes dropped EXE 5 IoCs

pid	Process
2472	DEMC7D4.exe
372	DEM2083.exe
2696	DEM7829.exe
3816	DEMCFED.exe
4460	DEM2783.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2472	2760	b05ed7572f180c53430cff8ec6fa600a.exe	94
PID 2760 wrote to memory of 2472	2760	b05ed7572f180c53430cff8ec6fa600a.exe	94
PID 2760 wrote to memory of 2472	2760	b05ed7572f180c53430cff8ec6fa600a.exe	94
PID 2472 wrote to memory of 372	2472	DEMC7D4.exe	96
PID 2472 wrote to memory of 372	2472	DEMC7D4.exe	96
PID 2472 wrote to memory of 372	2472	DEMC7D4.exe	96
PID 372 wrote to memory of 2696	372	DEM2083.exe	101
PID 372 wrote to memory of 2696	372	DEM2083.exe	101
PID 372 wrote to memory of 2696	372	DEM2083.exe	101
PID 2696 wrote to memory of 3816	2696	DEM7829.exe	103
PID 2696 wrote to memory of 3816	2696	DEM7829.exe	103
PID 2696 wrote to memory of 3816	2696	DEM7829.exe	103
PID 3816 wrote to memory of 4460	3816	DEMCFED.exe	105
PID 3816 wrote to memory of 4460	3816	DEMCFED.exe	105
PID 3816 wrote to memory of 4460	3816	DEMCFED.exe	105

C:\Users\Admin\AppData\Local\Temp\b05ed7572f180c53430cff8ec6fa600a.exe
"C:\Users\Admin\AppData\Local\Temp\b05ed7572f180c53430cff8ec6fa600a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\DEMC7D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC7D4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\DEM2083.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2083.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Users\Admin\AppData\Local\Temp\DEM7829.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7829.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\DEMCFED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCFED.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Users\Admin\AppData\Local\Temp\DEM2783.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2783.exe"
        6⤵
        Executes dropped EXE
        
        PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2083.exe

Filesize
15KB

MD5
82364ac97e66341118962684df534040

SHA1
d502133ebdd6d6c4c430ef19ce93ebd9f1617ac5

SHA256
3aafb213438c220b6e936c71d947edbb45358029f0f0e41697b6cd3351da3651

SHA512
06cb2b534a1f43095e7ff5740a5d9eaf8edd1041e9af1927b713bf413ae18c05818367d382311fd2a61c5cc5ebed2f3bd3eab144a6d320cc0dfd94990629fa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2783.exe

Filesize
15KB

MD5
70918cb29fd48084b6020945d9129024

SHA1
4079794578d19ce25bb655b3d484c5406bd1e9b0

SHA256
853ceed1bf25ffac74e054f388ced38c9bf1f3eb5ed44afb62e5aec7a53ec13c

SHA512
b33daf3233dc770624787c3cc4273845c72e77f7ab038c9837a719d35f9e1acb3f9241a2b30c5afd07d08db432a64e7ead782dc342a85ff6297d77bda951e0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7829.exe

Filesize
15KB

MD5
615163788ceb99073ae7259477a8c23b

SHA1
7b078b12f9744dafacad1faf9a39c9b56b58f20c

SHA256
d52bbc626a9bbdb6e1d573ac17b2e48f72dd8ad23cc3e6ab68960aa4e8237fef

SHA512
850496e12102987575558ac4b08bff203ebe4d2945628fedd9cd67268938b0000185b7c54a34eeb3ee900ffb0afbce99447539a2283161133a67b91d709ec200

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7D4.exe

Filesize
15KB

MD5
0744982ad631d6d5a7e76ffc8582f4cb

SHA1
40c73af10af7dc99f870e0da14e95cf14084d91e

SHA256
0a868646b7d4892a619ced203906b12d35d76597a84eb1a596832a7e6fee2987

SHA512
824c1715efdb532603371cb1beae01051b8af6b148e37bc20933cfbe6c738bb196fefb6ba7e3d2d1cb26946e909a49362462fd047a7a9ef89c3e115f2448d36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCFED.exe

Filesize
15KB

MD5
9cf9a2f3deb468b50614b29245163f8c

SHA1
0fb9e26e0fcd6420496a0ec23f226e7bd6b326d4

SHA256
5a8fe8af8426f80d0e0a3a722e7c590d5a2168463ddaff1bdbc0f20c8640f0b4

SHA512
b0af441fe7db2b70ece2caecc4e9c36c1f906a593e2523e1e6d81e5a159040f3d824ce4d63b932a91e8779bc84abbf923d8614ff6ea30ff64ebe12244752c85b

Download Submit

Analysis

Sharing