6d710306cc0317773ccdd1e6179efd62aa5c83cbb4b221091418f82084bccb98

General

Target

0eb1c7172dcf63af5cadf78e6ee579b4.exe
Size

14KB
MD5

0eb1c7172dcf63af5cadf78e6ee579b4
SHA1

0b68a57e44ef67c8d539ae01e651905f5990d22b
SHA256

6d710306cc0317773ccdd1e6179efd62aa5c83cbb4b221091418f82084bccb98
SHA512

3eb01de45f5569ab62ea25caf9e4acfafae4f9b5337a8c0030005661dad3ffc3c1f28d19ccd8c4553e4775ff3f440cf9f852b8796c03b96929decc915432560a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRGb:hDXWipuE+K3/SSHgxg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	0eb1c7172dcf63af5cadf78e6ee579b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM63EA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEMBD35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM143F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM6C51.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEMC426.exe

Executes dropped EXE 6 IoCs

pid	Process
4868	DEM63EA.exe
3044	DEMBD35.exe
212	DEM143F.exe
1580	DEM6C51.exe
2400	DEMC426.exe
8	DEM1BCB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 4868	840	0eb1c7172dcf63af5cadf78e6ee579b4.exe	93
PID 840 wrote to memory of 4868	840	0eb1c7172dcf63af5cadf78e6ee579b4.exe	93
PID 840 wrote to memory of 4868	840	0eb1c7172dcf63af5cadf78e6ee579b4.exe	93
PID 4868 wrote to memory of 3044	4868	DEM63EA.exe	98
PID 4868 wrote to memory of 3044	4868	DEM63EA.exe	98
PID 4868 wrote to memory of 3044	4868	DEM63EA.exe	98
PID 3044 wrote to memory of 212	3044	DEMBD35.exe	100
PID 3044 wrote to memory of 212	3044	DEMBD35.exe	100
PID 3044 wrote to memory of 212	3044	DEMBD35.exe	100
PID 212 wrote to memory of 1580	212	DEM143F.exe	102
PID 212 wrote to memory of 1580	212	DEM143F.exe	102
PID 212 wrote to memory of 1580	212	DEM143F.exe	102
PID 1580 wrote to memory of 2400	1580	DEM6C51.exe	104
PID 1580 wrote to memory of 2400	1580	DEM6C51.exe	104
PID 1580 wrote to memory of 2400	1580	DEM6C51.exe	104
PID 2400 wrote to memory of 8	2400	DEMC426.exe	106
PID 2400 wrote to memory of 8	2400	DEMC426.exe	106
PID 2400 wrote to memory of 8	2400	DEMC426.exe	106

C:\Users\Admin\AppData\Local\Temp\0eb1c7172dcf63af5cadf78e6ee579b4.exe
"C:\Users\Admin\AppData\Local\Temp\0eb1c7172dcf63af5cadf78e6ee579b4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\DEM63EA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM63EA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\DEMBD35.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBD35.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\DEM143F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM143F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Users\Admin\AppData\Local\Temp\DEM6C51.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6C51.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\DEMC426.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC426.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\DEM1BCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1BCB.exe"
        7⤵
        Executes dropped EXE
        
        PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM143F.exe

Filesize
14KB

MD5
ec9d2d85df859bc8a7892610398d2c71

SHA1
558d047ad080a28a8ec3cb5b8e7d864dfbfb3b0b

SHA256
7db00d6e913c4469ec361332ab2d0c404b807c8166d90da9b9e4059d76c62672

SHA512
66c0a74b6fc086b0881ce029dcf381c1e9b4aa1b990ded658e95c704a570758a242972b5a1ad2bad2f6179661df3e8925eca7bc45a2fdf8107b7799500ee66f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1BCB.exe

Filesize
14KB

MD5
ef986ff4853366f297256b698ffbd244

SHA1
fdb769cb8bfcbf1376e345cd30c12fc782aa6ac4

SHA256
5ad19e39804711d2158bc68626aeec642617f88de0e367474a8a00dfb09c7f13

SHA512
8da6026a31072eaf086be99cb02eb571cd0e7be0fcf99a853412819c9d2cf7d581b9f200afc40a9cf25c09520e16d41828138b9d22c9770e6a809b28cdcd6aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM63EA.exe

Filesize
14KB

MD5
1e066dff4d19c05f9f1fb58528871025

SHA1
5f1a6add259f16bd027e45861f44901b3f809559

SHA256
3ee4d81bf243a402ba4b936fed443fdf40ebe56922604f0a566191ea4f4b20a1

SHA512
201f91d1d6133adb163aeb183b6dd823bc4be0cd7e26fb74bcfb3d149edaaf20f3babdf4198d55c1c279656ddf5019cfe52e05d6466f16555e9a245771066c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6C51.exe

Filesize
14KB

MD5
d24b91656f39b9ca6466ff4b66958a4d

SHA1
a09d5811a764e1972114744e9fca3218fb030ef4

SHA256
71a75e9d969d087cf26ebd61992ba8058b50457ec449c6a88161d36ba865227c

SHA512
15c78c4ca6f14eeab8def62f2c86bd87b3a833fc0360ffc07a3cff24584419b41177cfb36d775a79aa02423b1c4dc87f94a225cc70bc58987e6780d52de467ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD35.exe

Filesize
14KB

MD5
8823b539abdc6f24e2033fc8cb2e7af0

SHA1
ca5908e6c6d6bc3ba6927060aa688523d059f0f9

SHA256
96da8748fb27e4909b530c3afb7a87559c3bef2b49e85f0a97a0fd5590cd613a

SHA512
a10d64097f4597ae10f0d5d42ec11f0e94b8223adf1e8101c1a36d07bf1dffe9ae1b218e70c247532cb7cf0ec288de64fd9dfa653ff4dd9bc5039b6b4506793f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC426.exe

Filesize
14KB

MD5
de85932d4dbb297c2046cc2b5b1050d4

SHA1
b6d401c7595ab1d844841021a1898da4965e48bc

SHA256
086900fd35664d5c17629437b1291eaec87624d904c1a884db6b07deace61377

SHA512
8261c1146eda0fd3cb1e314e9110d0ca880461df330d87dce63805adb0aa3b664b3b7570f7ea12981cf9e797e807086773707e6f4597c606f066accf3af52160

Download Submit

Analysis

Sharing