c206c27c19af02e67c8d5adebea5755abcd78ef965354c7a72b41b7c02446203

General

Target

0870232c011e01b83b8f00ad3b632214.exe
Size

14KB
MD5

0870232c011e01b83b8f00ad3b632214
SHA1

305cebd3ead3da6ae09d858821ae42130dd1a6c1
SHA256

c206c27c19af02e67c8d5adebea5755abcd78ef965354c7a72b41b7c02446203
SHA512

9c257b0d162cae7113ce0cd08b6934cac3f651c7746d6d2376818d625be3c027e9e188d1d64e6b7363cd6f2c6076fa72698ca8ce0f83df33f13215b81cdb1a0a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHud:hDXWipuE+K3/SSHgx3NHH2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	0870232c011e01b83b8f00ad3b632214.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM63CB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEMBD06.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM1539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM6CDE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEMC4E1.exe

Executes dropped EXE 6 IoCs

pid	Process
1140	DEM63CB.exe
3424	DEMBD06.exe
4892	DEM1539.exe
2096	DEM6CDE.exe
352	DEMC4E1.exe
1708	DEM1C39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 1140	4720	0870232c011e01b83b8f00ad3b632214.exe	93
PID 4720 wrote to memory of 1140	4720	0870232c011e01b83b8f00ad3b632214.exe	93
PID 4720 wrote to memory of 1140	4720	0870232c011e01b83b8f00ad3b632214.exe	93
PID 1140 wrote to memory of 3424	1140	DEM63CB.exe	98
PID 1140 wrote to memory of 3424	1140	DEM63CB.exe	98
PID 1140 wrote to memory of 3424	1140	DEM63CB.exe	98
PID 3424 wrote to memory of 4892	3424	DEMBD06.exe	100
PID 3424 wrote to memory of 4892	3424	DEMBD06.exe	100
PID 3424 wrote to memory of 4892	3424	DEMBD06.exe	100
PID 4892 wrote to memory of 2096	4892	DEM1539.exe	102
PID 4892 wrote to memory of 2096	4892	DEM1539.exe	102
PID 4892 wrote to memory of 2096	4892	DEM1539.exe	102
PID 2096 wrote to memory of 352	2096	DEM6CDE.exe	104
PID 2096 wrote to memory of 352	2096	DEM6CDE.exe	104
PID 2096 wrote to memory of 352	2096	DEM6CDE.exe	104
PID 352 wrote to memory of 1708	352	DEMC4E1.exe	107
PID 352 wrote to memory of 1708	352	DEMC4E1.exe	107
PID 352 wrote to memory of 1708	352	DEMC4E1.exe	107

C:\Users\Admin\AppData\Local\Temp\0870232c011e01b83b8f00ad3b632214.exe
"C:\Users\Admin\AppData\Local\Temp\0870232c011e01b83b8f00ad3b632214.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\DEM63CB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM63CB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\DEMBD06.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBD06.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\DEM1539.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1539.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\DEM6CDE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6CDE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\DEMC4E1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC4E1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\DEM1C39.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1C39.exe"
        7⤵
        Executes dropped EXE
        
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1539.exe

Filesize
14KB

MD5
00cc999c1e35fd2065625b5bdd1e37da

SHA1
bdbb22e387bea82ab76bef333adf319ad2b64364

SHA256
b054b8fb5e995fe9112bcc7f504c8454ccdfdd92ee065db8ab0b1f721e8833ce

SHA512
8e552811813fc73f8968c404796f43059e4863f1e5ef8cbeb60f5112b1b9b2e3d57798602fb16acf4b3dd59198972b1819a0bf676983891f9aa7711c3f9b42c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1C39.exe

Filesize
14KB

MD5
8b24bdf6b713869d0611f643f6a17e64

SHA1
ac0471698a6a0472035d971624cb779bade339a6

SHA256
311f860c3cc7ccb94873b8976a2c95b2f65ebbc56724f4fce0b0f59aee6cf96b

SHA512
3745d0d5bc128f42cdae5c6744f395369ce4440792ccba2529fcc2eb82c1de0e6fbeb8f1cb26e0ce1cfa784c908acfa6f09c8b2c764366a2a528dc47c6095018

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM63CB.exe

Filesize
14KB

MD5
454d8b1cb89a947be96bbd04f2089cdc

SHA1
aee9693fd16bdb363bdc05c0917984a3cac71884

SHA256
d881eb8ad58979e86be9b9fa0bcdfad83ea9fe3cf89dce9573c4ac73a5249ccd

SHA512
6bc394c171469a6b58db41e39ee653000c23b6c5df72a0ac8a3f951026e03e635fdc05519fa6aac6df21aa147805d7f8ca17adf806ccfd4caab37e6b4e460a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6CDE.exe

Filesize
14KB

MD5
5a6448490ea2f140ed3515e3cc573029

SHA1
95615ff5f1d626ec5a0443a08046e9fb83413c5e

SHA256
272876a9bebfbdab1113205dd1434696f5123c6bc1ed3cc9bb4312e456a78e40

SHA512
187f7d0c2f718f849d48621f9ebb117ae201d9ddd1e438d749ebd2eb05a35f97810e207b88e5f612d33d7f083110c7fa48229db36af6f1eacfc3277eccbe2983

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD06.exe

Filesize
14KB

MD5
ec439959728c3cb4079e1b000c7b2146

SHA1
1feb347ff281b6a6dd363c5d8737111f8f66699b

SHA256
3ca5b50f79647f3712f9affda237989deb022cca3be68df0f8be72d6c450c3f6

SHA512
d2766bc401a4b54932750c0b873b2830085f99699299c166fce166e4a510bfa4e9829303f10fd5fbe1036e03607a1866968baf8a073f50e1f96a85ea20fbca9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC4E1.exe

Filesize
14KB

MD5
27af8e92c17474b81ddde1cb411b3b3c

SHA1
3c8280238537a5ca630840428a129f6c348b8cee

SHA256
dda7ddf4699f452e713f2f1e4d37ec15a030e4d882e913e0c53330312cc7a924

SHA512
702e01ef9ec0c45021198c7bf1aee4c732626ac36b6c854f7d285f0d79f99e0a44c126784710d11bf96c23ecbf703caf9125199186b2f8b39c5faf248aa0a3e5

Download Submit

Analysis

Sharing