699bcfcbced15c4bea4320ada939072b82c93a8263ee18caf2f66dacff8223ec

General

Target

0d320338547912a20ae2209247d99265.exe
Size

16KB
MD5

0d320338547912a20ae2209247d99265
SHA1

91ddb05090a4841e1739cfc06847e444cb20a4f4
SHA256

699bcfcbced15c4bea4320ada939072b82c93a8263ee18caf2f66dacff8223ec
SHA512

e5ca38a4a671e3fc7638f73718f0a9d75ac51c04c90c40c264808c316c8aa20e90a229fd9be83013469140f829ed51d50bdb0967a06226ca66c689f404e7f7a5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY+SmZU:hDXWipuE+K3/SSHgxm+LW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	0d320338547912a20ae2209247d99265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEM99DE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEMF397.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEM4B7B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEMA2E2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEMFA68.exe

Executes dropped EXE 6 IoCs

pid	Process
3924	DEM99DE.exe
880	DEMF397.exe
220	DEM4B7B.exe
1124	DEMA2E2.exe
3260	DEMFA68.exe
4052	DEM5143.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3924	4476	0d320338547912a20ae2209247d99265.exe	92
PID 4476 wrote to memory of 3924	4476	0d320338547912a20ae2209247d99265.exe	92
PID 4476 wrote to memory of 3924	4476	0d320338547912a20ae2209247d99265.exe	92
PID 3924 wrote to memory of 880	3924	DEM99DE.exe	98
PID 3924 wrote to memory of 880	3924	DEM99DE.exe	98
PID 3924 wrote to memory of 880	3924	DEM99DE.exe	98
PID 880 wrote to memory of 220	880	DEMF397.exe	100
PID 880 wrote to memory of 220	880	DEMF397.exe	100
PID 880 wrote to memory of 220	880	DEMF397.exe	100
PID 220 wrote to memory of 1124	220	DEM4B7B.exe	102
PID 220 wrote to memory of 1124	220	DEM4B7B.exe	102
PID 220 wrote to memory of 1124	220	DEM4B7B.exe	102
PID 1124 wrote to memory of 3260	1124	DEMA2E2.exe	104
PID 1124 wrote to memory of 3260	1124	DEMA2E2.exe	104
PID 1124 wrote to memory of 3260	1124	DEMA2E2.exe	104
PID 3260 wrote to memory of 4052	3260	DEMFA68.exe	106
PID 3260 wrote to memory of 4052	3260	DEMFA68.exe	106
PID 3260 wrote to memory of 4052	3260	DEMFA68.exe	106

C:\Users\Admin\AppData\Local\Temp\0d320338547912a20ae2209247d99265.exe
"C:\Users\Admin\AppData\Local\Temp\0d320338547912a20ae2209247d99265.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\DEM99DE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM99DE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\DEMF397.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF397.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\DEM4B7B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4B7B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Local\Temp\DEMA2E2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA2E2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\DEMFA68.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFA68.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\DEM5143.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5143.exe"
        7⤵
        Executes dropped EXE
        
        PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4B7B.exe

Filesize
16KB

MD5
9b64e886bdced9917dfa5dfcb4d39a76

SHA1
0cc6afc2c18697c3d71b859df441dab7b6f05efb

SHA256
9be89d99eafda7cd6c8d7b7e1e11299b626f32825332e98162c2fd87114116f8

SHA512
b855c00b0f7e662df06ff717c40df1ce91e217d7ff36ab78c125b87d9badff95066dd35650f58e8e8433ab27d10775d984f207060d1e1798b52bd2e43235c1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5143.exe

Filesize
16KB

MD5
cfe617adc170bb01938b0c817f07db41

SHA1
7c0ccc68d95f9e46d2adc8c8336272b3bc0f7548

SHA256
bdc9bdbc4064d976634ff19ecd4efe4289990525dfda9365c75dcfdde77ac728

SHA512
cf4ceb065db2adc0d0b0d9e12b0c38f1e041e7869a2ee23009bca3d4238c3f6f61942add446fb83d55045ff546556a2c64d57108f90e37558929d1fb34f5b446

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM99DE.exe

Filesize
16KB

MD5
8342277829b8db91cdf2d001b8ecf1c8

SHA1
1fd4030f7bceb16f650da66530ed90d33a4bda30

SHA256
136303428bb210fd1f405f4f95ced0b21de24d7f54089acf25c2a94d2b715ccc

SHA512
03f5c51edddc8e7967447f2dd0031af4feeb5b4ac9194554c0084b268ea58e77771d468399fa208d8a8163e95e35338184d3242effad590cdc8af9936eb5ea92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2E2.exe

Filesize
16KB

MD5
bc60928c1204c68d51a2d38a6fa08e35

SHA1
384815b5dda9991116c207de5b812bd5e4801400

SHA256
375be600b0d5414a310304f5b38c7072df8e467612fac63a0dea2526f4f4cfd1

SHA512
476bd95305c32603d461c777432946234d45e3c5a8c1d4fd5c2ba7a0896e5f507f2a854f84530921ccef77bc567fa71cd317399009e14e90a77df7b9ef32bf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF397.exe

Filesize
16KB

MD5
84d4ab85e526712cef3bb1bb4b808559

SHA1
8793df88946681560b433d27d047fd1867638c69

SHA256
ca6f4582e708c947db16cbc3e9a123cbf7c7c7431c55533617de116463fafad1

SHA512
0ea1040a20ea2b1d48bd75a53b2d82b817deb226439c04637feb35662144dcafa4bcaf1dd47e963a470b2ae48987fbcfbd2e96acc305a45e13cb1613bb233efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA68.exe

Filesize
16KB

MD5
a79d813607b6dc5e9a695658b73db882

SHA1
204b90b19b810823279120f34dc4816b339d1ec0

SHA256
aca0fa6d1c357fecc8874f2731b3f4bfa780ef1b698338bf220c5c0ae644d6c0

SHA512
2984a59cabae9f2d2cc6f967d576a0c0adf6224f480239dc89832949bae9c881df1743b3ad5e20d7a46ef935b091ab70f8ff1778dbb2ddd250d58944d2000cf3

Download Submit

Analysis

Sharing