b18009130e162c4e1d5d3ba34d1177991bc2e568c646944de2156fa83a5498de

General

Target

0c553458d2c82a41392da47f3875636f.exe
Size

16KB
MD5

0c553458d2c82a41392da47f3875636f
SHA1

6b161017c89c5c0b6da2f7981fc0884909f39ff0
SHA256

b18009130e162c4e1d5d3ba34d1177991bc2e568c646944de2156fa83a5498de
SHA512

d2bab160fa704ccbbeac4542fd32f85fd644e3fe3d74f227172196d0d3b942281447a5a196a3433a173f88bda6bdef8466047cb94905228dfacdcd6556ed7e39
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlu3h+X:hDXWipuE+K3/SSHgxmlu3h6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	0c553458d2c82a41392da47f3875636f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM5FF2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMB8E0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM10D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM680C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMBF25.exe

Executes dropped EXE 6 IoCs

pid	Process
2380	DEM5FF2.exe
2824	DEMB8E0.exe
4472	DEM10D4.exe
4324	DEM680C.exe
3672	DEMBF25.exe
1932	DEM15EF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2380	1332	0c553458d2c82a41392da47f3875636f.exe	92
PID 1332 wrote to memory of 2380	1332	0c553458d2c82a41392da47f3875636f.exe	92
PID 1332 wrote to memory of 2380	1332	0c553458d2c82a41392da47f3875636f.exe	92
PID 2380 wrote to memory of 2824	2380	DEM5FF2.exe	97
PID 2380 wrote to memory of 2824	2380	DEM5FF2.exe	97
PID 2380 wrote to memory of 2824	2380	DEM5FF2.exe	97
PID 2824 wrote to memory of 4472	2824	DEMB8E0.exe	99
PID 2824 wrote to memory of 4472	2824	DEMB8E0.exe	99
PID 2824 wrote to memory of 4472	2824	DEMB8E0.exe	99
PID 4472 wrote to memory of 4324	4472	DEM10D4.exe	101
PID 4472 wrote to memory of 4324	4472	DEM10D4.exe	101
PID 4472 wrote to memory of 4324	4472	DEM10D4.exe	101
PID 4324 wrote to memory of 3672	4324	DEM680C.exe	103
PID 4324 wrote to memory of 3672	4324	DEM680C.exe	103
PID 4324 wrote to memory of 3672	4324	DEM680C.exe	103
PID 3672 wrote to memory of 1932	3672	DEMBF25.exe	105
PID 3672 wrote to memory of 1932	3672	DEMBF25.exe	105
PID 3672 wrote to memory of 1932	3672	DEMBF25.exe	105

C:\Users\Admin\AppData\Local\Temp\0c553458d2c82a41392da47f3875636f.exe
"C:\Users\Admin\AppData\Local\Temp\0c553458d2c82a41392da47f3875636f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Local\Temp\DEM5FF2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5FF2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\DEM10D4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM10D4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\DEM680C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM680C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\Users\Admin\AppData\Local\Temp\DEMBF25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF25.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\DEM15EF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM15EF.exe"
        7⤵
        Executes dropped EXE
        
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM10D4.exe

Filesize
16KB

MD5
6b0ba760a847df79354584f1e1641c32

SHA1
69d3c3c4ff1e91fb290e951e2edaf53eaeddfe3d

SHA256
c6ea97fed23b6cf250ea20381bf504690a90c8341db5eac9f5a1c15a6db2e187

SHA512
c67d72bde7771097fff843c099c8ae02c47561154eddd819b45f69a808214dc2467f673fefe55a2fea853a1fb460bca81a234335656ad2c0f7e0cbfd4324d829

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM15EF.exe

Filesize
16KB

MD5
2d35f53a31f1e0d47b560940360f0a46

SHA1
6f4a463fa5b2d2bbec8ae6f4f80a539c64b0d1ed

SHA256
12ca1135192f6784021f89e348c224cb090de9abfdce45d96d44561b737648b1

SHA512
b64d92b875514f0623d174a2df746900837b2784bbec09038f45d48ef760eddb7cfdfa558f51e3b8a0e76705e57b37add36d65e18de06cf22c0555cdd00139f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5FF2.exe

Filesize
16KB

MD5
a164d8c0b42c375b6f1c62520fbfb644

SHA1
f880dca494556a12ecbb9a9f387111f5336cd34a

SHA256
85a5e7843e0363dd30413526cfe87a260e025c35d14e94da063c983791a33ce6

SHA512
eb3b9357f72247a63f70b00d4b68088f872529d305f31534d69b261bb895d86a3091d8db6bd7b6c8f0850200bcc948ef00e2fc06e63a6f779807e3d124212068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM680C.exe

Filesize
16KB

MD5
2dc343f639b3b9683f7c4c54cd784f79

SHA1
dd00cc31ed107208b1c6c1f9ec4189edac0c0cbc

SHA256
679adf8ce35ff4afdf08e550aa969e9519482f85e744547b5c43f741e15d86b3

SHA512
68994657227912cbd2952f2f976a0063429b8a43ff926886d95b90b6a89a4b6cf412c0aa7bc226c925ef96fb4b91f8c7fd7914207731dd92bee4cdd5d6044089

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB8E0.exe

Filesize
16KB

MD5
92a868e82a1770d87aada26e37aa57ca

SHA1
1d58727e7cde2a3fa0f0793085cba6ffc3bf714d

SHA256
f55dc11a5af8a06dc8ffaf37c615a9b1eafa5efb7f1d55096cf6b2281d1c1ed0

SHA512
dff1c318eeeeb6ef25f64dd435445f01898736e068ac7e6793c0733c631a490676603aa8f061364124707afe17d79d63a86031d60848996b0e58f6178efde16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBF25.exe

Filesize
16KB

MD5
11f48189ebad3dc1a4140d41d299b999

SHA1
edc85777044bfedc51fa51d23ec43b57733e58b8

SHA256
6d5e440037d999e9fbe834dfb78aab8842972cd1166258af678b8fe41de22ace

SHA512
40f3fc537daf5e5671abd54724697c5f0b87c7ae330b29c48bb8efbd8435abd2c0a7c3b003013266d0a22e8211089998b5813379392fb50d2acb55a271c59cb6

Download Submit

Analysis

Sharing