c14eaee7b5a694c5d5f40ef86e9a93460d1f8fa237032e1fa164d3544b90b0f2

General

Target

066adf9821b72c35fc97485a36fe9595.exe
Size

15KB
MD5

066adf9821b72c35fc97485a36fe9595
SHA1

2383c02e2d87c102eaccecf6d2297d8f700dbc1d
SHA256

c14eaee7b5a694c5d5f40ef86e9a93460d1f8fa237032e1fa164d3544b90b0f2
SHA512

a5d2ea492f88b7271293b51b29195aee72075503ecf98839a6487db7d9d1fa757a2bc6a50f0e60178184b6f9b061b3f00c45c6567215163ed3c5f71e75104197
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6u:hDXWipuE+K3/SSHgxmyh6u

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM6580.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMBDE1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM13D1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM6A6D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMC157.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	066adf9821b72c35fc97485a36fe9595.exe

Executes dropped EXE 6 IoCs

pid	Process
2816	DEM6580.exe
1724	DEMBDE1.exe
2052	DEM13D1.exe
3864	DEM6A6D.exe
232	DEMC157.exe
1680	DEM18FD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2816	1340	066adf9821b72c35fc97485a36fe9595.exe	93
PID 1340 wrote to memory of 2816	1340	066adf9821b72c35fc97485a36fe9595.exe	93
PID 1340 wrote to memory of 2816	1340	066adf9821b72c35fc97485a36fe9595.exe	93
PID 2816 wrote to memory of 1724	2816	DEM6580.exe	99
PID 2816 wrote to memory of 1724	2816	DEM6580.exe	99
PID 2816 wrote to memory of 1724	2816	DEM6580.exe	99
PID 1724 wrote to memory of 2052	1724	DEMBDE1.exe	101
PID 1724 wrote to memory of 2052	1724	DEMBDE1.exe	101
PID 1724 wrote to memory of 2052	1724	DEMBDE1.exe	101
PID 2052 wrote to memory of 3864	2052	DEM13D1.exe	103
PID 2052 wrote to memory of 3864	2052	DEM13D1.exe	103
PID 2052 wrote to memory of 3864	2052	DEM13D1.exe	103
PID 3864 wrote to memory of 232	3864	DEM6A6D.exe	105
PID 3864 wrote to memory of 232	3864	DEM6A6D.exe	105
PID 3864 wrote to memory of 232	3864	DEM6A6D.exe	105
PID 232 wrote to memory of 1680	232	DEMC157.exe	107
PID 232 wrote to memory of 1680	232	DEMC157.exe	107
PID 232 wrote to memory of 1680	232	DEMC157.exe	107

C:\Users\Admin\AppData\Local\Temp\066adf9821b72c35fc97485a36fe9595.exe
"C:\Users\Admin\AppData\Local\Temp\066adf9821b72c35fc97485a36fe9595.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\DEM6580.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6580.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\DEMBDE1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBDE1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\DEM13D1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM13D1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Users\Admin\AppData\Local\Temp\DEM6A6D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6A6D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3864
      - C:\Users\Admin\AppData\Local\Temp\DEMC157.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC157.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\DEM18FD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM18FD.exe"
        7⤵
        Executes dropped EXE
        
        PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13D1.exe

Filesize
15KB

MD5
f34c2eab12cbed70465f21f328bba5e5

SHA1
e22e33e3957b1447b59913122b14357486abbc6f

SHA256
48a473f00889634db177ba3966a69db5381f5f0a3a3d9406c13ee5d5edfa6982

SHA512
68eae9b0069525b6f14fa095bbccf42b799f99729cb26e84a3dd092568690bc3ec300ebc980f22cc63920ec7577c63ee0f756d346f8d941a31970823e287f872

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM18FD.exe

Filesize
15KB

MD5
892440d1a152c29e84f604f3dd33cbd9

SHA1
ace916561cf66988c5a5c2ce28a5bb30c3dfe2c9

SHA256
9af2f9d44b5acdc1903f4a321b11aef4c5fc3f087e3f18f44aca9439a662e190

SHA512
277ec75ce004958613166c6d5fd9daf582eac91e4b19a09606d636916f5a85bed2482c21ccd6f930211b2e2149db8e8e0115f4303f34dd104533bec2835e9bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6580.exe

Filesize
15KB

MD5
f3943e1894f5d44b4bd4eb73e808969c

SHA1
48561e0ffdb36fc3a0dacf39272be7e76079136a

SHA256
12803b4f273905c440abd0b50d92b54b94d8d9e29e9df59c463b46e05e999f9a

SHA512
5b64836518de75446567ec1b29040247be9c63b5c5f3ce586911d004b167e66ff92771194628ef60fef3abff6a452f08e19ce791fb8a08332a8649d77c2e9144

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6A6D.exe

Filesize
15KB

MD5
189f722fa4e36fb053578ec21eec429d

SHA1
bbcc452a1760244a2baea6ce158156e3b1e7b25c

SHA256
197af92de40fe58ba2e2bd1229ab3a7aa199c0218d2b48657c60952bd748c5f1

SHA512
8288154a693a9377a96c714ccd9481d3e46efba1e85143a29b3d5e87bfe648eed856cdf8e7600d5f02d7633343f6889c053ce97f4d72e583dcdd75d7255bec24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBDE1.exe

Filesize
15KB

MD5
ad305b43ade10fe328f6baa953235359

SHA1
cf509ba9987e72b9094d69b547ec3f4ed96511c0

SHA256
603246881a2ecd501a655e4bae40e169ab36b1dfa15e321d67dd0ddfc688e8f5

SHA512
aab238b42c2c2e13c0f8ad352e3be2eb87020b7709a9f1a01e6697b6376deeec20b7d9e254ae1fbe93afc427c75813fe049fab0094624303c86ecbb05912ebdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC157.exe

Filesize
15KB

MD5
8433a063f576f9debe95bc4e8e70e322

SHA1
2365eea282cee8fe88cac60cc002938e60f514be

SHA256
7e5b573242be3d02d8a0fad12258465e059f1fc6eb0165babb3d22fc0789c955

SHA512
a3fa8cd01f50a9a41e1ba3306adaa558ddfcd221a9e72eb36bfb20b797d71081dfb4dd4a599d0f6eee9a687843994591aea6fc7faed0e29606f8a19a4198be95

Download Submit

Analysis

Sharing