13cc67ae204709e07286e67c9403b8c4fa1073a4f5f9e6f2b480c89d411430d8

General

Target

108f29acdb106155c12b9474572f2c1e.exe
Size

15KB
MD5

108f29acdb106155c12b9474572f2c1e
SHA1

2db9892f3a6c9cc7d1e53912865c5e14603d7e36
SHA256

13cc67ae204709e07286e67c9403b8c4fa1073a4f5f9e6f2b480c89d411430d8
SHA512

7ad8ad262ef6c6ccbd42b43ddf17036bcadf8b67734e074b755bdca0f695c87085c8331a82c3f47de95b02a88bbd46435d24d1750536f9840c10ae233d420aab
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxX9:hDXWipuE+K3/SSHgxmHf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM90EC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	108f29acdb106155c12b9474572f2c1e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM4253.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEME23D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM3975.exe

Executes dropped EXE 5 IoCs

pid	Process
4268	DEM4253.exe
1696	DEME23D.exe
1620	DEM3975.exe
2768	DEM90EC.exe
4152	DEME805.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4268	3484	108f29acdb106155c12b9474572f2c1e.exe	96
PID 3484 wrote to memory of 4268	3484	108f29acdb106155c12b9474572f2c1e.exe	96
PID 3484 wrote to memory of 4268	3484	108f29acdb106155c12b9474572f2c1e.exe	96
PID 4268 wrote to memory of 1696	4268	DEM4253.exe	98
PID 4268 wrote to memory of 1696	4268	DEM4253.exe	98
PID 4268 wrote to memory of 1696	4268	DEM4253.exe	98
PID 1696 wrote to memory of 1620	1696	DEME23D.exe	100
PID 1696 wrote to memory of 1620	1696	DEME23D.exe	100
PID 1696 wrote to memory of 1620	1696	DEME23D.exe	100
PID 1620 wrote to memory of 2768	1620	DEM3975.exe	102
PID 1620 wrote to memory of 2768	1620	DEM3975.exe	102
PID 1620 wrote to memory of 2768	1620	DEM3975.exe	102
PID 2768 wrote to memory of 4152	2768	DEM90EC.exe	104
PID 2768 wrote to memory of 4152	2768	DEM90EC.exe	104
PID 2768 wrote to memory of 4152	2768	DEM90EC.exe	104

C:\Users\Admin\AppData\Local\Temp\108f29acdb106155c12b9474572f2c1e.exe
"C:\Users\Admin\AppData\Local\Temp\108f29acdb106155c12b9474572f2c1e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\DEM4253.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4253.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\DEME23D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME23D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\DEM3975.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3975.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\DEM90EC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM90EC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\DEME805.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME805.exe"
        6⤵
        Executes dropped EXE
        
        PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3975.exe

Filesize
15KB

MD5
eaaf114355c5d42eb1b30fa4b7ab64bc

SHA1
a6f70217e9588fdec2c7e60eff235acf7d2f9ea0

SHA256
0baa4b5436752c838f37861db5e15007aa760b6cd176fe73d3b0c93b176d2bfa

SHA512
96c7cca86734362adf391a5470e891ba1385966a1047fcae2e9f8b3bfac42363d6df3d13a1e4bd64fce81c75da57c603aefe2b7c6ea79ad5f6f57fc753e41c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4253.exe

Filesize
15KB

MD5
ffa1f959d9f1e3dece423f3966316788

SHA1
cfcfc0efc2f5e24dd91676a7041dd36665121d0c

SHA256
57c11779bac56c4d559cd7387585435dfc39767ce2a0aa5c4be44f2413f9c09c

SHA512
63897c5784cf2b28d2173d36984541240864867ab1c4f0323ba5474ceb61238e3819b92108d0f0e636600a783bbf1e155e6dfa76c4f8f1a5cad65dd714de5a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM90EC.exe

Filesize
15KB

MD5
3810bc24e98eb5325aa4fbda63dc1f43

SHA1
bdca7a33814b44d80755ae26b42de7e363004964

SHA256
bedfb7558dbd3709d879e5cfb4bd2683e0d3d48610381f0d2ed5a3c970eb12dd

SHA512
37d6701bcd5841c34f07718fc9014e83c13272aaeee6d19fb44fd851705ff64cf493d4aba3da648d58d5d787c5419b47bbcc2b8ee78a0f3663edd3e29b98b2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME23D.exe

Filesize
15KB

MD5
351b6ad61e1d2b53b1620643545de854

SHA1
679876b0408ae09580948a0ce1a9441068bf96dc

SHA256
ef68e1dc30ab20f83f03172930340960d1f58d2c0049ee7701554ceb8058035c

SHA512
b81cc49e66461dbfcaef5cf6944714fed14a39fdd2fa99a539efd3a3c2953c0148db11ac213dccd6f389e1b37f892874ac2004e7c0fce1e37e476345b9c47226

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME805.exe

Filesize
15KB

MD5
ffb6906b772673513f6ad670b3fe80a1

SHA1
d5ca7bf10fa2c4afbe39abb354f498932811cc8a

SHA256
33ab6d65d42e54894f6ac9d30315a7e97a76eb6ed38fa24c8240b0c4096b6e49

SHA512
4ca8a99dc73e52cd78ac19a573f8cb9f9072e6a32325d883de9641e46aa8cc59ea64c2114068630f627a0554d8e592d17ddc863abb358164aa76118a978c2d21

Download Submit

Analysis

Sharing