810188dda8abcf8fc7a4b7986fcfdfd85be1b485d38d8ccac4a968fa25e8d868

General

Target

09fbb3f310ff4fad6d3f3e08edb658b7.exe
Size

14KB
MD5

09fbb3f310ff4fad6d3f3e08edb658b7
SHA1

0b95519f016d0e0cbf1e6958776c001e616efaa5
SHA256

810188dda8abcf8fc7a4b7986fcfdfd85be1b485d38d8ccac4a968fa25e8d868
SHA512

4012b961e8d50392c5b3355c63f5bc3189919ddf763b0e534f650ae8f67d0cfa979108dcf4deadd98b5359787502170a05fd2f44388381506feb0d0460d88720
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0x:hDXWipuE+K3/SSHgx4x

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEMCF70.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	09fbb3f310ff4fad6d3f3e08edb658b7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM71B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEMCB20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM21EB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM7809.exe

Executes dropped EXE 6 IoCs

pid	Process
2988	DEM71B5.exe
1924	DEMCB20.exe
3632	DEM21EB.exe
3812	DEM7809.exe
2484	DEMCF70.exe
448	DEM259F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2988	2744	09fbb3f310ff4fad6d3f3e08edb658b7.exe	92
PID 2744 wrote to memory of 2988	2744	09fbb3f310ff4fad6d3f3e08edb658b7.exe	92
PID 2744 wrote to memory of 2988	2744	09fbb3f310ff4fad6d3f3e08edb658b7.exe	92
PID 2988 wrote to memory of 1924	2988	DEM71B5.exe	99
PID 2988 wrote to memory of 1924	2988	DEM71B5.exe	99
PID 2988 wrote to memory of 1924	2988	DEM71B5.exe	99
PID 1924 wrote to memory of 3632	1924	DEMCB20.exe	100
PID 1924 wrote to memory of 3632	1924	DEMCB20.exe	100
PID 1924 wrote to memory of 3632	1924	DEMCB20.exe	100
PID 3632 wrote to memory of 3812	3632	DEM21EB.exe	102
PID 3632 wrote to memory of 3812	3632	DEM21EB.exe	102
PID 3632 wrote to memory of 3812	3632	DEM21EB.exe	102
PID 3812 wrote to memory of 2484	3812	DEM7809.exe	104
PID 3812 wrote to memory of 2484	3812	DEM7809.exe	104
PID 3812 wrote to memory of 2484	3812	DEM7809.exe	104
PID 2484 wrote to memory of 448	2484	DEMCF70.exe	107
PID 2484 wrote to memory of 448	2484	DEMCF70.exe	107
PID 2484 wrote to memory of 448	2484	DEMCF70.exe	107

C:\Users\Admin\AppData\Local\Temp\09fbb3f310ff4fad6d3f3e08edb658b7.exe
"C:\Users\Admin\AppData\Local\Temp\09fbb3f310ff4fad6d3f3e08edb658b7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\DEM71B5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM71B5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\DEMCB20.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCB20.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\DEM21EB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM21EB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\DEM7809.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7809.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Users\Admin\AppData\Local\Temp\DEMCF70.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCF70.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\DEM259F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM259F.exe"
        7⤵
        Executes dropped EXE
        
        PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM21EB.exe

Filesize
14KB

MD5
ae32b99179effb47e87b89f3485e7185

SHA1
ab2a3a6db11985b8cd9c918fef9e51e171ab7444

SHA256
9150437030c09477e306da2815f00ba7e25f8d616c845aaa33334703279df83c

SHA512
8c0c16f22ef27190bba110cea49a251da4d9c57e19412fd30dd605c367dc141c7dfd182bf2f16d5bdad14da8cf93b9089470dc7a9971b893e1541321eff217b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM259F.exe

Filesize
14KB

MD5
a4692da43dfa68f85b74a7a24c1b408c

SHA1
515efbaf64088ee92248969740667fc1e9842195

SHA256
35e66f7033f0113c924193b53feac65464204077a190341f437499f127621205

SHA512
3432508b1e2d9252f4fc68a9968a7cb4fb052390fe01d97672ebf61fd849dcaf5a5c46014ec05f6ba48204229acbc773435bc6846528535c69a5df1c0ff39e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM71B5.exe

Filesize
14KB

MD5
583d41ff66ad416472f01235f7219135

SHA1
5d7e8ce0ed074da5ffe4edebf042fa34f6da0544

SHA256
00febb5d1a1407209a57b389381ca85bcc0449cc348b64c7115899f0d12d3eee

SHA512
278739ab81810bc93993e69dd80c4bf066b08894a1c7bed306385f6b0b0bcf6e602927467c40e448930d884acd1bcacb1f187aea759ec1fa1cd2d6324cdb3440

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7809.exe

Filesize
14KB

MD5
f34ca28be21fd38a5020ab96508ae163

SHA1
c736ce2e8668a332d652602aef8e811f20559d94

SHA256
c0d4bbb8895892ca5902034518c380d2e58c6a13d4b1dc212b5a4a466883af7b

SHA512
62bdf81188b37993f77549bb79d0ad8f60eb59b7fa7a263e234c3aaf9e0d40e481e2e72e4ab171dd95b290cee013302834570bd0d4b642d97d04a6e4be84f517

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB20.exe

Filesize
14KB

MD5
b4fde59f3e0bae09aa9ec40dce01289b

SHA1
44ec2762b74a78f56a98e278ef16c5d8c42edddf

SHA256
dd25b5e3139c0d76b7d3efc4ff706f6d7be0390676def3e23147371f890cfcff

SHA512
13d3d27bbac88c7850fe1f363ae5e418e838cffdf28aaa233b50eed67ba15672f7221021ff19ffc5eeb8ad1ff84ac3a706d3885c85d2f02052a861d92b880675

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCF70.exe

Filesize
14KB

MD5
7888cf99ad466c4b3f6083956f57401e

SHA1
ee4c36152cc8d3b26b4b6e985eb84ad91c37b961

SHA256
2800d854c87fe2d6e2d0bad58ffc128d0bc7e107a2e25940cd0abd4da285b416

SHA512
db17536eb8dc69f50ffa9adc7929d0b5787e2114f29f67cc1a485ba5cdc49715c4797ade0ac4bd628283020015a9c877cf0afd0a133d0d4f124e74a9bcf857e7

Download Submit

Analysis

Sharing