b76fea0a739fe42587f63684af84abcf14193c0b163978e096ca91cd539b1f8a

General

Target

0ad2917f96f0cf25709e44386f8c77a7.exe
Size

14KB
MD5

0ad2917f96f0cf25709e44386f8c77a7
SHA1

173bd840acf05bfda729a99ad64b30806ea0d7ab
SHA256

b76fea0a739fe42587f63684af84abcf14193c0b163978e096ca91cd539b1f8a
SHA512

7263d5c573aa87b5fd3065182eb13beed1edc3db8e528c418f77ca91851f03b50dc590f13837119872fb84b10e9eaee58e42a0fa24f637ad99e03a2b58b6ec1c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnJ:hDXWipuE+K3/SSHgx/J

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEM4551.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEM9CD7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEMF42F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	0ad2917f96f0cf25709e44386f8c77a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEM952B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEMEDCB.exe

Executes dropped EXE 6 IoCs

pid	Process
3256	DEM952B.exe
2780	DEMEDCB.exe
32	DEM4551.exe
624	DEM9CD7.exe
2352	DEMF42F.exe
1948	DEM4A6D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3256	1132	0ad2917f96f0cf25709e44386f8c77a7.exe	93
PID 1132 wrote to memory of 3256	1132	0ad2917f96f0cf25709e44386f8c77a7.exe	93
PID 1132 wrote to memory of 3256	1132	0ad2917f96f0cf25709e44386f8c77a7.exe	93
PID 3256 wrote to memory of 2780	3256	DEM952B.exe	99
PID 3256 wrote to memory of 2780	3256	DEM952B.exe	99
PID 3256 wrote to memory of 2780	3256	DEM952B.exe	99
PID 2780 wrote to memory of 32	2780	DEMEDCB.exe	101
PID 2780 wrote to memory of 32	2780	DEMEDCB.exe	101
PID 2780 wrote to memory of 32	2780	DEMEDCB.exe	101
PID 32 wrote to memory of 624	32	DEM4551.exe	103
PID 32 wrote to memory of 624	32	DEM4551.exe	103
PID 32 wrote to memory of 624	32	DEM4551.exe	103
PID 624 wrote to memory of 2352	624	DEM9CD7.exe	108
PID 624 wrote to memory of 2352	624	DEM9CD7.exe	108
PID 624 wrote to memory of 2352	624	DEM9CD7.exe	108
PID 2352 wrote to memory of 1948	2352	DEMF42F.exe	110
PID 2352 wrote to memory of 1948	2352	DEMF42F.exe	110
PID 2352 wrote to memory of 1948	2352	DEMF42F.exe	110

C:\Users\Admin\AppData\Local\Temp\0ad2917f96f0cf25709e44386f8c77a7.exe
"C:\Users\Admin\AppData\Local\Temp\0ad2917f96f0cf25709e44386f8c77a7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\DEM952B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM952B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\DEMEDCB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEDCB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\DEM4551.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4551.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:32
    - - C:\Users\Admin\AppData\Local\Temp\DEM9CD7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9CD7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Users\Admin\AppData\Local\Temp\DEMF42F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF42F.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\DEM4A6D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4A6D.exe"
        7⤵
        Executes dropped EXE
        
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4551.exe

Filesize
14KB

MD5
27f0a155b052d1ad65fc1d07c015eaad

SHA1
adf38964f7f985ac0e3631ab69da7d98b2b42eca

SHA256
dbbd15f43f0bdf4d31414f60712ece6c73c0fffea5ef3a621c2363e901f6e21b

SHA512
9ac81d2c8e48d97d9e26f25cff2b266ad25dd16655950fc8195113cce5be60e18a67828724dd9b9dfe91f63b21dd4f53e5b19382aae64fc4f151bea249d12691

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4A6D.exe

Filesize
14KB

MD5
cd86f26d512529aee4b8384f722ae541

SHA1
1113e2e161a72829578a7459b9a0d43320718573

SHA256
d71d54dadd3e1c0c1760ab4955a6fd32734bb68d00b55aaa05897f078e7299f3

SHA512
ae0bbf70e9715fda456679397996b90979d90bf73d6a4f351c1d45615970f530c45346f0f3fe4bb83c49a76aaa703f7eaebcc617636c3a8ede0f0766fd715db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM952B.exe

Filesize
14KB

MD5
3df84617c43ef73ac714c0426a5ac2db

SHA1
fefe1c7c82769d9b509152ce0ecce9cc0dd99b5f

SHA256
d8838c3647e2d1561d518a1ea58baa05290b644daac97f4b33db56b79f4e6719

SHA512
2c145c3c2a5e148a7ff1f212a476370dfba4c14d4cd4b7699f22f41b6fdf11faa7a06b26196c46cb6ef3d811ff7f24531764c45655d9a7c2febaaec783463a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9CD7.exe

Filesize
14KB

MD5
050bfd08d54acacb266c9e332a6fac46

SHA1
7711c50802702b3bd81442740f50bc9888a524ca

SHA256
6e2869d41437632d80838db91c8a761c580524131123c54da6ed1ee187cd5219

SHA512
d0027aed77408d583fb3736822004994e6120da53a7a864949f216b23cf0c2fd70db7c474f34daeeb9ee0d8e7e13621db7c5161f2304fe87d5889e6d7197cc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEDCB.exe

Filesize
14KB

MD5
b9d4e1eb12f9f497b95776dfe8ea67db

SHA1
c1fddb5b09847812bc82dbaa680a1982bbd41559

SHA256
ce59624520dcf13dd543c9f02449a8261b9217b901ef6a428ce2679a47618a9d

SHA512
a344ccfbc8513e82808f10c525cf62aef8f03fbf741e13270494e0c4143e306170586439f404772194d2fb27ffa3761a16e2662fe13798de85e813209e7273dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF42F.exe

Filesize
14KB

MD5
6d7fd25c6fe4087f603b37731e9b8df7

SHA1
54c8d7471075b0aeb71bebf6444597ea53fac85c

SHA256
16f27222c7b5924a8022f292661feea7612efc2e312a13ff880e2e60b43400a7

SHA512
583faefabee19699fda749627f7afcd7d4d30ec90ad87ccf9fb75989d669727158ff616fe685ba75a0a23c183a9fa4285becd7a5df0e4d09418c5742c26b5aff

Download Submit

Analysis

Sharing