8503a815750e8c472a91702cc973cd8738770907f2550e9f8c93864f1ea17d63

General

Target

07c9b6a53e1cc7566c675ff938b96608.exe
Size

16KB
MD5

07c9b6a53e1cc7566c675ff938b96608
SHA1

3c732370a1fdecd50de4158fe60dd66b0b54a65b
SHA256

8503a815750e8c472a91702cc973cd8738770907f2550e9f8c93864f1ea17d63
SHA512

e9839f415e5ee5002d0317be9e2f1e923031b48373aad92692e0d6e295fb920620515c41bb59f14f0ad4d3839ff0b6db3fd85768098c82c32577bfc5482ceb22
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxmvC:hDXWipuE+K3/SSHgxmH+C

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	07c9b6a53e1cc7566c675ff938b96608.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM134.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEMAEAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM67E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM5DC6.exe

Executes dropped EXE 5 IoCs

pid	Process
4356	DEM134.exe
2404	DEMAEAA.exe
3952	DEM67E.exe
4360	DEM5DC6.exe
2016	DEMB685.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 4356	1452	07c9b6a53e1cc7566c675ff938b96608.exe	96
PID 1452 wrote to memory of 4356	1452	07c9b6a53e1cc7566c675ff938b96608.exe	96
PID 1452 wrote to memory of 4356	1452	07c9b6a53e1cc7566c675ff938b96608.exe	96
PID 4356 wrote to memory of 2404	4356	DEM134.exe	98
PID 4356 wrote to memory of 2404	4356	DEM134.exe	98
PID 4356 wrote to memory of 2404	4356	DEM134.exe	98
PID 2404 wrote to memory of 3952	2404	DEMAEAA.exe	100
PID 2404 wrote to memory of 3952	2404	DEMAEAA.exe	100
PID 2404 wrote to memory of 3952	2404	DEMAEAA.exe	100
PID 3952 wrote to memory of 4360	3952	DEM67E.exe	102
PID 3952 wrote to memory of 4360	3952	DEM67E.exe	102
PID 3952 wrote to memory of 4360	3952	DEM67E.exe	102
PID 4360 wrote to memory of 2016	4360	DEM5DC6.exe	104
PID 4360 wrote to memory of 2016	4360	DEM5DC6.exe	104
PID 4360 wrote to memory of 2016	4360	DEM5DC6.exe	104

C:\Users\Admin\AppData\Local\Temp\07c9b6a53e1cc7566c675ff938b96608.exe
"C:\Users\Admin\AppData\Local\Temp\07c9b6a53e1cc7566c675ff938b96608.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\DEM134.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM134.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\DEMAEAA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAEAA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\DEM67E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM67E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\DEM5DC6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5DC6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\DEMB685.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB685.exe"
        6⤵
        Executes dropped EXE
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM134.exe

Filesize
16KB

MD5
630192740b9bf9febcaa76710c222092

SHA1
dacded9aeea8bc66ff7d836896f7754a6b32ea3a

SHA256
51c1e36c5f755a074dc5cf486e186fbc5661a6de38be92c205f6aafcd8c771fc

SHA512
4071d1f47f91a66a9250c7993b30fd3092cbb31027e6e3a501cf86e6f243eb124f929c45dfb431060b69c6575a1e72560a4c7f05b1e9b3428886ee4b9692afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5DC6.exe

Filesize
16KB

MD5
f3ad1832e7eedde29b45b70588e138c0

SHA1
832bfd8fa0cdc6781a8f8b9287de2e4cd3e1c003

SHA256
f376814968a7db8155fcbd9c3ccc3471c234e16d11bff638d53c05ffd4f2fa29

SHA512
05e3dd9a87d588337fe44007f9a011ee4adc9acc16061bb6504fc5b4bf9dfc0b325aaa27200b699756e810d850d44df038462e25b511c9987e548e343dc21323

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM67E.exe

Filesize
16KB

MD5
702955fc31050b0c2e995d408c19e737

SHA1
cae65e09a6c155a77a454d80515ce271a8498d5b

SHA256
f70140877870c8c81d39c36b9581cc0f28f8e7ed8c2303e741cdd31dd3ea00e4

SHA512
e3035bf1aaf1a9511c8168691671d27098a2516a7a903e22f30024360eb6690585d9b9e39a2324496f80069ba4c842a10f995df53c0a6811b67b8a141ddcfb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAEAA.exe

Filesize
16KB

MD5
aefb1e0d63cf468e6f0102e3825c2939

SHA1
3bd5e29099ade9d247db3e0b50adfecc8afb29b2

SHA256
63017a6622949994aa28a0bc81940d949b80f3f72fd73f385cdc6755bc3b50d0

SHA512
743e6fee2a8f94b4b96bc886955f9907000278bb9832e9f24504acff0ca019b66868ca0efd79af26a088fbd5d9467f4489d3b1d44062817a76ee76fe223821fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB685.exe

Filesize
16KB

MD5
1c73705bd9f0885a707da9b44286fb03

SHA1
0b29f45b1c2af41e8f5f0821a4157dc9fe8f7981

SHA256
c91f594bf77e32c6d3bf6a7bc9f5b733a077d1ca9a87cae2cc5ea02cb99bd9b7

SHA512
b85724e32a933dba2cda05d32113ef752a91514b4bdf5eb48641a563a130cb79830111ec46f09ba65ec3aa2b4f753c481a6fe3e7c14e9ac90be62cf86fab71c6

Download Submit

Analysis

Sharing