6f6077fd419345d0cadec8ec5ddf13fe43ecc6faf492a43a244363bb005020ee

General

Target

b0b457433352200c9269a12a1e696e10.exe
Size

14KB
MD5

b0b457433352200c9269a12a1e696e10
SHA1

43efa9a23d97b896d0775329ebcb1bcc4b7f4f51
SHA256

6f6077fd419345d0cadec8ec5ddf13fe43ecc6faf492a43a244363bb005020ee
SHA512

4cefd36a436ec8a88098d6d8cc9a0794eabb0bd3a4d1b61494f7ec410a959bb52e3670ab53a81e2c009ee7cb02ff381d95a99da5a1d56e90faf31995dc260a0a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhL:hDXWipuE+K3/SSHgxF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	b0b457433352200c9269a12a1e696e10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEM544A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEMAA98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEMC6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEM56D5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEMACD5.exe

Executes dropped EXE 6 IoCs

pid	Process
1564	DEM544A.exe
3028	DEMAA98.exe
3068	DEMC6.exe
1628	DEM56D5.exe
3200	DEMACD5.exe
4068	DEM2D5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1564	888	b0b457433352200c9269a12a1e696e10.exe	95
PID 888 wrote to memory of 1564	888	b0b457433352200c9269a12a1e696e10.exe	95
PID 888 wrote to memory of 1564	888	b0b457433352200c9269a12a1e696e10.exe	95
PID 1564 wrote to memory of 3028	1564	DEM544A.exe	99
PID 1564 wrote to memory of 3028	1564	DEM544A.exe	99
PID 1564 wrote to memory of 3028	1564	DEM544A.exe	99
PID 3028 wrote to memory of 3068	3028	DEMAA98.exe	101
PID 3028 wrote to memory of 3068	3028	DEMAA98.exe	101
PID 3028 wrote to memory of 3068	3028	DEMAA98.exe	101
PID 3068 wrote to memory of 1628	3068	DEMC6.exe	103
PID 3068 wrote to memory of 1628	3068	DEMC6.exe	103
PID 3068 wrote to memory of 1628	3068	DEMC6.exe	103
PID 1628 wrote to memory of 3200	1628	DEM56D5.exe	105
PID 1628 wrote to memory of 3200	1628	DEM56D5.exe	105
PID 1628 wrote to memory of 3200	1628	DEM56D5.exe	105
PID 3200 wrote to memory of 4068	3200	DEMACD5.exe	107
PID 3200 wrote to memory of 4068	3200	DEMACD5.exe	107
PID 3200 wrote to memory of 4068	3200	DEMACD5.exe	107

C:\Users\Admin\AppData\Local\Temp\b0b457433352200c9269a12a1e696e10.exe
"C:\Users\Admin\AppData\Local\Temp\b0b457433352200c9269a12a1e696e10.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\DEM544A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM544A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\DEMAA98.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAA98.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\DEMC6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\DEM56D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM56D5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\DEMACD5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMACD5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\DEM2D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2D5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2D5.exe

Filesize
14KB

MD5
68e63955208fcaa12a27a8060d020afe

SHA1
e3e5a57301633dbc48645c7e29d0975d7112211a

SHA256
c62af7491742d920151df57fd7e68c75927ebe4f21a9b7ece99d1c61567ed48f

SHA512
f493fa6670bf93a00cadd8ad9bf150a8ca6bb4d66aa3bbd1bde86be29cf609c0fbf52b96d0781e195d2ddc4230a9bc5fccaae980d1d992399bf11c4e511aba54

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM544A.exe

Filesize
14KB

MD5
1bc1f6659d14bc832a86146f594cd4b4

SHA1
694b90d03a370094ea8935ec433c3b87255c93b9

SHA256
7b44d34159adedb274f4d2d6b5e0dbdeb337847d2a00050491e5648e4f6113b8

SHA512
42b90ebf24f858cf36f0996b2d66a379e176033625da922c7384e390f52e6a1b972626b115c0a47874f4dce3f245ab47add947cb60f103e368954a39bf215321

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM56D5.exe

Filesize
14KB

MD5
d9ac74651ddd5d375e80a125e894727f

SHA1
c061facfa0c0d11f5e7cbb64791188dc923922c0

SHA256
97f3b90c41f0f3c9aacdf0faa71ef76ecb4930cf37b16ad11484f9756c6eaaa1

SHA512
ba0e4c79879664b075312a6ac539fa64e053d975250c1650e91be1cf48d5f83714130dc3d4f770b6cb94f7eeea45b81403ef4252130b184a0d5a16582003863f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAA98.exe

Filesize
14KB

MD5
5c6d08cdbc1001bea5f33f487cde438b

SHA1
8ee98f368acc460d43787625148b6f88edaddebb

SHA256
f528a3ec6270623c0fe3a28ded3b308af1f10335e38af4d31e988b03b467a098

SHA512
00e9251be837131e2e1876c07132063d46d842c305aefe42ce787eba182baa17371c97aab5d7c0a057ffe0da30ee797bc9a52cd60cf301157f50998382c482ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMACD5.exe

Filesize
14KB

MD5
0410ccdf7131e6e0c36d18d478296088

SHA1
fd7e03eb73cdf42900955795829edaef3558c8a2

SHA256
52d9d2c12aa5c596b2fd36d0257fac8b36e84cafff3b8f9c82e79c2d7f031bc8

SHA512
d2403295f0d147b41e9c03cd71a95317edd7d7a97098e9bfcac6f50313cc975d5df77d2b9830053f3c418d892f7ceffb6c99a278897e1fb292b4c4f22c96e83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC6.exe

Filesize
14KB

MD5
f2c3ff5ae82922515e48eeb16276f35c

SHA1
811718f6d256af8b8dcfc7d632e8f99f8d63457e

SHA256
7266bd081a3a989b3682e3d60b0753e397ed55c338e5f34a2f94b45479d05a12

SHA512
e8b36d0fce25ba9545877ccaa5f7a84adb9111621b68b368c480ace89d4c3b50930fd345fa128894b4d48dbd7c2f02373459f3bf129185cf3b1129c3c8160cbf

Download Submit

Analysis

Sharing