0c70ec33141de471baffa3fe201fe16efa71ee9bef0c47e2fe5b7683fc98aafc

General

Target

b071e50327aa015e103905e24f4e8ecb.exe
Size

15KB
MD5

b071e50327aa015e103905e24f4e8ecb
SHA1

05ed7fe20a1f6e06048bcf5e4248e35aa33eb91d
SHA256

0c70ec33141de471baffa3fe201fe16efa71ee9bef0c47e2fe5b7683fc98aafc
SHA512

6d0b10546baaec00ecd4327bfe5fc18ac8c50be44bd539fb4e00cb7cdf4e8def7f9ae69ea50d2e78100f4d51a7b4dc92f18ca0bff2a848e122fa9a4b9773e67a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4V:hDXWipuE+K3/SSHgxmE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEM5956.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEMBB6B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEM1F84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	b071e50327aa015e103905e24f4e8ecb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEMF5.exe

Executes dropped EXE 5 IoCs

pid	Process
2684	DEMF5.exe
1388	DEM5956.exe
2288	DEMBB6B.exe
4300	DEM1F84.exe
2224	DEM771A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2684	2060	b071e50327aa015e103905e24f4e8ecb.exe	93
PID 2060 wrote to memory of 2684	2060	b071e50327aa015e103905e24f4e8ecb.exe	93
PID 2060 wrote to memory of 2684	2060	b071e50327aa015e103905e24f4e8ecb.exe	93
PID 2684 wrote to memory of 1388	2684	DEMF5.exe	96
PID 2684 wrote to memory of 1388	2684	DEMF5.exe	96
PID 2684 wrote to memory of 1388	2684	DEMF5.exe	96
PID 1388 wrote to memory of 2288	1388	DEM5956.exe	99
PID 1388 wrote to memory of 2288	1388	DEM5956.exe	99
PID 1388 wrote to memory of 2288	1388	DEM5956.exe	99
PID 2288 wrote to memory of 4300	2288	DEMBB6B.exe	100
PID 2288 wrote to memory of 4300	2288	DEMBB6B.exe	100
PID 2288 wrote to memory of 4300	2288	DEMBB6B.exe	100
PID 4300 wrote to memory of 2224	4300	DEM1F84.exe	102
PID 4300 wrote to memory of 2224	4300	DEM1F84.exe	102
PID 4300 wrote to memory of 2224	4300	DEM1F84.exe	102

C:\Users\Admin\AppData\Local\Temp\b071e50327aa015e103905e24f4e8ecb.exe
"C:\Users\Admin\AppData\Local\Temp\b071e50327aa015e103905e24f4e8ecb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\DEMF5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\DEM5956.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5956.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\DEMBB6B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBB6B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\DEM1F84.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1F84.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\Users\Admin\AppData\Local\Temp\DEM771A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM771A.exe"
        6⤵
        Executes dropped EXE
        
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F84.exe

Filesize
15KB

MD5
d151fc874786712e5ed44919e4a8e550

SHA1
16e8da46b7844154d0b356275d51e42d91d48a95

SHA256
7f25a32d9af98d0bd0b9f4b53f7cc1d62dd348a34be182b3a7c8024bae21f8f5

SHA512
65cefd26a101af1262920736d41d7865b9909e6474d978da97043086d488cd208b1be3f3b32e461ae8e4bb2033c15bc0b0594cf05ca0d63f0c347c4535ec595e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5956.exe

Filesize
15KB

MD5
a63346fda3d28f1c27806c06464c5693

SHA1
94085233be13c7396f574936630069e870f17bd0

SHA256
f47c709fd212f807eae8152f0a1c3887d9a7561f7047efe2a057e2355f9ca584

SHA512
ec1f5597c0319fb061938ca46a4159bf90785d1bd6ca7397b79480980776a70e2bfb890433da00ff18afae8e59f0bebb3d8fbb5d83a2a651419134b6bc16f1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM771A.exe

Filesize
15KB

MD5
0b4d32ad340384d8b8515c08b7ad03b0

SHA1
a3c2789b6e7669be2554dd1c622406c214081cb5

SHA256
acb17a540f9a9b22cfe72c91aca5d8401de1b0d3ff452a29541fca8113d56c9d

SHA512
0e68617d6de35354d54d8ee9f4171663e945bad583c2e83630794b5c31c98509ee9a55428c72e4fb6f9257bde0ba541ffc0480a12b38f267f8f53819dc6b3429

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB6B.exe

Filesize
15KB

MD5
af152120ad436cd4594b7e981eb87879

SHA1
05d6b07d7fe3de536317ba54ed842d358b5788ea

SHA256
64c0ce1065a58255228424c2b1c991317765812a71fb1ce3bd43e1002f53f503

SHA512
561adbd11c3a0e56214aee9638ed6c0e083264400598cccf47f7c87b9a4cf575ef24f18144c8da8703077aaced2f8273c0ebcb5211a60b0f1f8f39c11af839f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF5.exe

Filesize
15KB

MD5
8f6b2c518a217a187b281fedd7a98f46

SHA1
b4fb7bd65c009ae8bf8d5fbf5e22519655189327

SHA256
2d50eec0bf2a8e43314f526ff477bdde087b746d1155a396bd19cc07181e5821

SHA512
a6df192dd1bd599660982caca0a24b8bf5e1da6065c39dd8b314e7a22d08e77c7e7d6450f62cc6452c0501e967808c2072e0aea7c5cbbaaf1eacd5c2bd99523e

Download Submit

Analysis

Sharing