08be6b9bc700027968e80f46929394eac28b3e21afe2d9c86e1505600c97cac9

General

Target

08d2fcb56838727496e9925113567c7b.exe
Size

14KB
MD5

08d2fcb56838727496e9925113567c7b
SHA1

5a95ea74597ae7d314321390111040f410d83bee
SHA256

08be6b9bc700027968e80f46929394eac28b3e21afe2d9c86e1505600c97cac9
SHA512

5b1a853b5e57e8a13ba9eb7dbaecb492fed1683dfb6d7905533afe29081dea3f313cc6676b6f2d38a6723676da9208e525694f8a0181c4c0b403fbb4fc4f3fee
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZeeIe:hDXWipuE+K3/SSHgx3eU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEM1F6A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEM76D1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEMCE38.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	08d2fcb56838727496e9925113567c7b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEM6F35.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	DEMC7E4.exe

Executes dropped EXE 6 IoCs

pid	Process
4400	DEM6F35.exe
4768	DEMC7E4.exe
4360	DEM1F6A.exe
1500	DEM76D1.exe
4884	DEMCE38.exe
5056	DEM2495.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4400	396	08d2fcb56838727496e9925113567c7b.exe	93
PID 396 wrote to memory of 4400	396	08d2fcb56838727496e9925113567c7b.exe	93
PID 396 wrote to memory of 4400	396	08d2fcb56838727496e9925113567c7b.exe	93
PID 4400 wrote to memory of 4768	4400	DEM6F35.exe	98
PID 4400 wrote to memory of 4768	4400	DEM6F35.exe	98
PID 4400 wrote to memory of 4768	4400	DEM6F35.exe	98
PID 4768 wrote to memory of 4360	4768	DEMC7E4.exe	100
PID 4768 wrote to memory of 4360	4768	DEMC7E4.exe	100
PID 4768 wrote to memory of 4360	4768	DEMC7E4.exe	100
PID 4360 wrote to memory of 1500	4360	DEM1F6A.exe	102
PID 4360 wrote to memory of 1500	4360	DEM1F6A.exe	102
PID 4360 wrote to memory of 1500	4360	DEM1F6A.exe	102
PID 1500 wrote to memory of 4884	1500	DEM76D1.exe	104
PID 1500 wrote to memory of 4884	1500	DEM76D1.exe	104
PID 1500 wrote to memory of 4884	1500	DEM76D1.exe	104
PID 4884 wrote to memory of 5056	4884	DEMCE38.exe	106
PID 4884 wrote to memory of 5056	4884	DEMCE38.exe	106
PID 4884 wrote to memory of 5056	4884	DEMCE38.exe	106

C:\Users\Admin\AppData\Local\Temp\08d2fcb56838727496e9925113567c7b.exe
"C:\Users\Admin\AppData\Local\Temp\08d2fcb56838727496e9925113567c7b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\DEM6F35.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6F35.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\DEMC7E4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC7E4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\DEM1F6A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1F6A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\DEM76D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM76D1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\DEMCE38.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE38.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\DEM2495.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2495.exe"
        7⤵
        Executes dropped EXE
        
        PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F6A.exe

Filesize
14KB

MD5
dc3fcc9a2d05d3cb183e4cdfd67730a6

SHA1
4af1551e5606ec9a3f798ab5fc2e8876812d6041

SHA256
0e7e69a381a7c20b2d6fac0ec7472a3abbc2856ea30cb08cf02f14d018a28038

SHA512
1dd6ce0447b50125c9b5bff101787b2b68a0e7b92d39d49954fcb9196d45fb9ffdd13a9db315870bb5137a58199620643b6b70b865cf133e8d02fe4c653a279a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2495.exe

Filesize
14KB

MD5
0dacfb08c2736b4e375ed21b3f46ce75

SHA1
f29a1f51b05ebdc8925c9f57a4a9e55f5819d8f6

SHA256
59c2dbf6c2eedc4594b76599e67299dc3fdcb5aabd6e661f667d435d5d9c6ec0

SHA512
70e898f1b989efca9dc46d463657b7f6b198be6aad46dbaa36c7ba04f378b183439af7eb1c18692e4d2bdbf46f93da883fd6a1453422169579c710430b5cfedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6F35.exe

Filesize
14KB

MD5
b2cdfb356f310528eba1d16f5d6506d6

SHA1
e5829c24ecb101e49004da58ad27d823a6ddcb7c

SHA256
113cd3bc0b8939b68ad683a587e5e18b085538097aab49abda1bd3ba24c16a4b

SHA512
ec211f6bc508d0ea6ecff72148edc7acb674165744a56ede757c919e824466636937a26ed5a989a8baa256d71f1ce66d3e4216174a0a487e115048a40173fedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM76D1.exe

Filesize
14KB

MD5
ec6eb0c191b3d84032fbbf08a18e4c58

SHA1
65b222ebec8b40225c2b14b4369d5f24f6a4c7e1

SHA256
05e0a13a9f67ef53f495a447d31b5f063639b424d76eda671364fb419eba20af

SHA512
9f54b53c527a25bd3942cfb38f34283a8ad88bc40a85abfb49003a45952bd7effb11cea921b912e0be7967a962e1d4a06d5619ed7c29982ea3d5e860ba9f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7E4.exe

Filesize
14KB

MD5
81b3aa31f279de9d910120e9ff874bbe

SHA1
742e528714fdaac722bf7ae0ed22b7e33a4a38a3

SHA256
5f184d5c807541f922dcd81985ad2ba5c966021c3bca093695a187fc820b72cb

SHA512
aa5d37a26dd100763cad1fadedf756c89cb2fd36c832730051696ff24d5ac5b92318b4ba7cd02e19985a5f5c04798b32d263509402d46187a2d710f077ee80ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE38.exe

Filesize
14KB

MD5
3aa97e686887b4f71db7abd811490ad8

SHA1
497df30e31681ebc9e6ed397edffc8a6b9010e37

SHA256
d187a4d81697755098de66a7954e7e43308b3ad16aca0b1312398cbc8ffcad91

SHA512
e8ee1b2d79daf37e494b45ee8e6bfa3f5847cf6bdff759c614fcc3e26e7173bc730398058770b434c845e14e6a561938bef1b98e79145f4dd46ea35225f5e192

Download Submit

Analysis

Sharing