863fffa534c5da7d8b34fa4f5159cbe032f0fff7a8f39117c76639d3dce7adec

General

Target

07490005538ba72036bb0b1ab7ee8227.exe
Size

14KB
MD5

07490005538ba72036bb0b1ab7ee8227
SHA1

df2a11c4f29be4405aa24521e469e04ad096e929
SHA256

863fffa534c5da7d8b34fa4f5159cbe032f0fff7a8f39117c76639d3dce7adec
SHA512

9af9480a92d4c7f55aaeb08353baccdf193976ac2798b31eb0b03e6c3fbe3c7d9b921170683c956b2c0e2b3c3680feb0f8a8ca3d9b8f0a19b94390382e3e25ed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR08:hDXWipuE+K3/SSHgx48

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMDE26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	07490005538ba72036bb0b1ab7ee8227.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM7F61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMD726.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM2E20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM8632.exe

Executes dropped EXE 6 IoCs

pid	Process
4916	DEM7F61.exe
3192	DEMD726.exe
4980	DEM2E20.exe
4824	DEM8632.exe
688	DEMDE26.exe
964	DEM35EB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 4916	4620	07490005538ba72036bb0b1ab7ee8227.exe	92
PID 4620 wrote to memory of 4916	4620	07490005538ba72036bb0b1ab7ee8227.exe	92
PID 4620 wrote to memory of 4916	4620	07490005538ba72036bb0b1ab7ee8227.exe	92
PID 4916 wrote to memory of 3192	4916	DEM7F61.exe	97
PID 4916 wrote to memory of 3192	4916	DEM7F61.exe	97
PID 4916 wrote to memory of 3192	4916	DEM7F61.exe	97
PID 3192 wrote to memory of 4980	3192	DEMD726.exe	99
PID 3192 wrote to memory of 4980	3192	DEMD726.exe	99
PID 3192 wrote to memory of 4980	3192	DEMD726.exe	99
PID 4980 wrote to memory of 4824	4980	DEM2E20.exe	101
PID 4980 wrote to memory of 4824	4980	DEM2E20.exe	101
PID 4980 wrote to memory of 4824	4980	DEM2E20.exe	101
PID 4824 wrote to memory of 688	4824	DEM8632.exe	103
PID 4824 wrote to memory of 688	4824	DEM8632.exe	103
PID 4824 wrote to memory of 688	4824	DEM8632.exe	103
PID 688 wrote to memory of 964	688	DEMDE26.exe	105
PID 688 wrote to memory of 964	688	DEMDE26.exe	105
PID 688 wrote to memory of 964	688	DEMDE26.exe	105

C:\Users\Admin\AppData\Local\Temp\07490005538ba72036bb0b1ab7ee8227.exe
"C:\Users\Admin\AppData\Local\Temp\07490005538ba72036bb0b1ab7ee8227.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\DEM7F61.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7F61.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\DEMD726.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD726.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\DEM2E20.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2E20.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\DEM8632.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8632.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\DEMDE26.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDE26.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\DEM35EB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM35EB.exe"
        7⤵
        Executes dropped EXE
        
        PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2E20.exe

Filesize
14KB

MD5
d10e04dc1edad95f2d4ed9c828592d22

SHA1
8bb56a656cb3559e9b6279402f6d15ee7bba59ad

SHA256
5d314ce5443d0cba299b9c49a35380ae7acac7a2e645e2f39f9e6bbb4eb1d7b0

SHA512
55af8a96d505f9c61dbbaf8af3f763d77ad0f00b5350c140ffcb63b2850ca62fa4a82124e85731c0712c3044db1431fa45231764a061866d9a3b4a002790512a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM35EB.exe

Filesize
14KB

MD5
635db60b3d0b34a1693fb38de6133704

SHA1
31423797dad8cca4698f985335bf5d22cfd0ee7b

SHA256
c0b4deb6a0995f6c624bda72d6baf6f0c98e29376b2cdafaa0b7b7367ea97978

SHA512
5ae2196a2f4372493d9ed963b190f7fb11f5fdf7d860fd5292a5bc0ff6b594f51d255f3baca8dc8024231bf4081b44f116df6ea59b44a38096fbcf39dca5c37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F61.exe

Filesize
14KB

MD5
6e76c6e66f96ce66da2e4a03fbdd3d6e

SHA1
da5d37020be23e1490615b14bc7bbeaa7f94d8e5

SHA256
a7bc594107a02820541a1bc82ef7b92c3c1ad2e88a3b2a5d33eca41c5b854af1

SHA512
8ac2531fa23b483238cd2c5d1b6534bcd419abd03366558ba7b1d89f1ac81b7c318b24ac4fd9d996792d85e55a04621e05c65fd7deb71f8dce86e923ecf11498

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8632.exe

Filesize
14KB

MD5
b9af7abfb81ebc04b1e97d3dba63c475

SHA1
a86fcb30afd48ab46c42d7f21323026226df3292

SHA256
cfc6ad557be00abb28f672eab0668a89fab17fdfcb7538c63415b409ec3a0c0b

SHA512
63cde679ae17877bee2b96e98b13305cbdb4e6ba28e29d4a502bdb92e7e78edee255cf6ec9f85ba3c00aec5ae153a18c348ba3631325b6689fdf218707beb14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD726.exe

Filesize
14KB

MD5
1d2bd9822307cfa4278d75115207376d

SHA1
d667f0c148144f1f4e3ab3934bf322b75b1e1171

SHA256
50c4c3d689af28cd0f920d2db5a50e7d92c699df19b302f73e11aee0fa874185

SHA512
c058809170cd1a29d7807c44f748c860937ab7b22a6ff76e0ef02775219c80d31d7af665fab9bbc5218ee77d7217c24d7de9f390f74636f2fc268c2b5ab1dca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE26.exe

Filesize
14KB

MD5
49d9af347005807bb5429cbbdef39dd7

SHA1
439b92868fda51d32e58f3d4ff66bfb2cef63e14

SHA256
98bb39c2f0c5900a8b238898b0b46129322fdb8d90c2367eb46d6843dfa5fd7e

SHA512
816f5990d5c0b5dcfa57d98bcf25d2884e4f377dfd7ac2541de09b4ce5622ee8400738594bd9c19df98cd1e6dd479ed803126470219f1a74beff585c8f24ac52

Download Submit

Analysis

Sharing