5534afaae1cdce2698b89857d8c50a20c1e222580982c079790832eb6347f29e

General

Target

0729b46c674e592c4e9bea61de5ad2bc.exe
Size

15KB
MD5

0729b46c674e592c4e9bea61de5ad2bc
SHA1

2593cd2d53f36276668106a3c21ef78bc4a483da
SHA256

5534afaae1cdce2698b89857d8c50a20c1e222580982c079790832eb6347f29e
SHA512

d4f4f945ce273d9cdc5c381fa1adb300ab9a6cf01a68e38d40ac5b33604bb222cc3b4aafa267ff8c3f554ae5561ff3488ba4c43606ee870115bc4809bcd732b0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+LE:hDXWipuE+K3/SSHgxmHp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEMA652.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEMFC42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM5270.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEMA88F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	0729b46c674e592c4e9bea61de5ad2bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM4FE5.exe

Executes dropped EXE 6 IoCs

pid	Process
4884	DEM4FE5.exe
2624	DEMA652.exe
1936	DEMFC42.exe
2224	DEM5270.exe
4768	DEMA88F.exe
4456	DEMFE70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4884	4664	0729b46c674e592c4e9bea61de5ad2bc.exe	95
PID 4664 wrote to memory of 4884	4664	0729b46c674e592c4e9bea61de5ad2bc.exe	95
PID 4664 wrote to memory of 4884	4664	0729b46c674e592c4e9bea61de5ad2bc.exe	95
PID 4884 wrote to memory of 2624	4884	DEM4FE5.exe	100
PID 4884 wrote to memory of 2624	4884	DEM4FE5.exe	100
PID 4884 wrote to memory of 2624	4884	DEM4FE5.exe	100
PID 2624 wrote to memory of 1936	2624	DEMA652.exe	102
PID 2624 wrote to memory of 1936	2624	DEMA652.exe	102
PID 2624 wrote to memory of 1936	2624	DEMA652.exe	102
PID 1936 wrote to memory of 2224	1936	DEMFC42.exe	105
PID 1936 wrote to memory of 2224	1936	DEMFC42.exe	105
PID 1936 wrote to memory of 2224	1936	DEMFC42.exe	105
PID 2224 wrote to memory of 4768	2224	DEM5270.exe	106
PID 2224 wrote to memory of 4768	2224	DEM5270.exe	106
PID 2224 wrote to memory of 4768	2224	DEM5270.exe	106
PID 4768 wrote to memory of 4456	4768	DEMA88F.exe	108
PID 4768 wrote to memory of 4456	4768	DEMA88F.exe	108
PID 4768 wrote to memory of 4456	4768	DEMA88F.exe	108

C:\Users\Admin\AppData\Local\Temp\0729b46c674e592c4e9bea61de5ad2bc.exe
"C:\Users\Admin\AppData\Local\Temp\0729b46c674e592c4e9bea61de5ad2bc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\DEM4FE5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4FE5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\DEMA652.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA652.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\DEMFC42.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFC42.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\DEM5270.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5270.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\DEMFE70.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE70.exe"
        7⤵
        Executes dropped EXE
        
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4FE5.exe

Filesize
15KB

MD5
11ab4bf87b61f30c971455fa71b7fe5f

SHA1
eda2c82d6b8722b567d5e332a2d072323348685c

SHA256
dff1462bab052a249e69fa1559250d36c507cd93e7cf5a48277d8de9a38a0a94

SHA512
dff373e5a97929ac42a36aa91bb13cf2227bdc53d83c0b0c2438cd4eff7760d6de35874af5f12f0be4205b4d5c3069a60bceec0a6d1525cd6582baa958da7963

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5270.exe

Filesize
15KB

MD5
f44290cd2ae161ac2d12fff34d57fba9

SHA1
d56d5b2bed5dda2054248329aa469328fcc10c9a

SHA256
4d5f97d3bc430b299b1e847c436a7b9cd0c7da64d1c06d55f4efe3f4802b0ce6

SHA512
bd0d46093465dcd177f315828685562cdf1ee126ae13a9d93ac94595171060c7655a7db6cd61dcf422308e49798842acdf074329258814686166fcc64760679e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA652.exe

Filesize
15KB

MD5
ad57e3102f2c89aeac67ed834cf3eb64

SHA1
fe3a8b16e0660b6eb2b5e1dcb4ba867311770986

SHA256
437babec2d083490c569fadf993bd300179258eb9143145efd8f60cafd05bd61

SHA512
1af9ad02cf1c994022f78b1aae64bb74e464652b1f61703a4e4fa5f0c128f357e30d7bc916d2ed604a670613dd6b736b8a5df0cd24cad995ee2d21e5ba63f006

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA88F.exe

Filesize
15KB

MD5
e6480b240011ff13195719ca92b1151e

SHA1
37f8d87248069a5fadf621b7553d0702f7856548

SHA256
0d1aea6812f22bb39f83549b0d9728fef1700e5d5fbafc72fa8f86677fb5d237

SHA512
ac2321803a8585a4725b0f0053117370ef220e43588beb1e15db4853881b20fc16b923f6f7bc5c5ec41d7aabd385d5ed3e248ddcdaacbe2faf2f409609622c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFC42.exe

Filesize
15KB

MD5
0ef338c4c6e6c897f794e3b79c1f22e1

SHA1
2e39a5a38c53953e5163c9d4c46603fc667b02dc

SHA256
16da969a1a7c9cd76a39835fd12cb292eb9775b5e108fba25422bd016697dd04

SHA512
7078fa847bfd574b019ead4a69047b5736788880abe7c940602fb32c60e29abfb3e0e418e8739ce9823e84f45f3cf984678646f580b96c518d67dbf2b955ac8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE70.exe

Filesize
15KB

MD5
cc2b2dac602d154db761ea9e4dc666bb

SHA1
9cf99707c08aa3c1736950857c99c385c40038f2

SHA256
b281a5b7d1631910a1855ee751fdfeb68aae4f8bfdc492e4fc4de596dec6e530

SHA512
d656d0e1fd58717d2506f01b4020637695ac0cf87647b3b7171411438805f2e9428bee61087e3b7390a204aa27be45ff00f9b8e88af4eeb63475843a149511f0

Download Submit

Analysis

Sharing