376bdff602070ba3904dc35629576287cb631872acf58097171e8721f25c86b4

General

Target

0dc03018dd94bdeee6a243af7e4c3ce0.exe
Size

14KB
MD5

0dc03018dd94bdeee6a243af7e4c3ce0
SHA1

bb6bdf5b2b8ca82c512845472f26e809f6e7a316
SHA256

376bdff602070ba3904dc35629576287cb631872acf58097171e8721f25c86b4
SHA512

f42077ba755212d6d5bb8d2f9c47314e1505c0a041ed32b742020a46f221df5c5786080a98120e022ad8a159ccf793981c00122a187ff684b4a062f8b34c28d2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cny:hDXWipuE+K3/SSHgx/y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEMA08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM622B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	0dc03018dd94bdeee6a243af7e4c3ce0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM4745.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEMB1C7.exe

Executes dropped EXE 5 IoCs

pid	Process
3860	DEM4745.exe
3616	DEMB1C7.exe
3664	DEMA08.exe
3452	DEM622B.exe
1944	DEMBABB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3860	1128	0dc03018dd94bdeee6a243af7e4c3ce0.exe	94
PID 1128 wrote to memory of 3860	1128	0dc03018dd94bdeee6a243af7e4c3ce0.exe	94
PID 1128 wrote to memory of 3860	1128	0dc03018dd94bdeee6a243af7e4c3ce0.exe	94
PID 3860 wrote to memory of 3616	3860	DEM4745.exe	98
PID 3860 wrote to memory of 3616	3860	DEM4745.exe	98
PID 3860 wrote to memory of 3616	3860	DEM4745.exe	98
PID 3616 wrote to memory of 3664	3616	DEMB1C7.exe	100
PID 3616 wrote to memory of 3664	3616	DEMB1C7.exe	100
PID 3616 wrote to memory of 3664	3616	DEMB1C7.exe	100
PID 3664 wrote to memory of 3452	3664	DEMA08.exe	102
PID 3664 wrote to memory of 3452	3664	DEMA08.exe	102
PID 3664 wrote to memory of 3452	3664	DEMA08.exe	102
PID 3452 wrote to memory of 1944	3452	DEM622B.exe	104
PID 3452 wrote to memory of 1944	3452	DEM622B.exe	104
PID 3452 wrote to memory of 1944	3452	DEM622B.exe	104

C:\Users\Admin\AppData\Local\Temp\0dc03018dd94bdeee6a243af7e4c3ce0.exe
"C:\Users\Admin\AppData\Local\Temp\0dc03018dd94bdeee6a243af7e4c3ce0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\DEM4745.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4745.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\DEMB1C7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB1C7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\DEMA08.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA08.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\DEM622B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM622B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Users\Admin\AppData\Local\Temp\DEMBABB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBABB.exe"
        6⤵
        Executes dropped EXE
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4745.exe

Filesize
14KB

MD5
62679291a6c9c4c756ff38d4ff281252

SHA1
9ae86f740f0093b70c0f27828343b7e6047474c9

SHA256
79a1978e83dab82b8083d27ebc2a701c2e46bc40bf0db256f396ff6d58edbaab

SHA512
5d83b374bb465e1554bd43eb730f1af3b21935029edc64107414927e6d47de04d577471fdeced0f2ffd9c987460a687b9d2168db55ef7e77c75c2e771d7899a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM622B.exe

Filesize
14KB

MD5
a9ab7343d2c1f732bf456f352f270f54

SHA1
c03d157de5bace427ba1d99db2c272f4cf1544f8

SHA256
865e2a77e6ba9b3b612ab35aeaa4cd43d4c0319ab02bd61c80d0dafa0bd763b2

SHA512
7e35d7d3497252c5a0ab9c7f850b798188e20fea8561ea3f4c348f8a815775043b3c13f9d2e77665ff9f4aeffb02ecb2b35591b68bb4e0a3145a4fa5fa826dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA08.exe

Filesize
14KB

MD5
97bb8045440359e1ad6dcf56721f1eb5

SHA1
4a11c0bbc2d3a56f0f0513432acf8a0589e31685

SHA256
c02d92fcb14880cf57007dbd5c12bf07dcd35230bdf51363a6a86dbe720f51dc

SHA512
180841774648409bde7de9ea7d746e667ecfe8b297ed9718a7198ef229094e1bc8e0b2468ad2f7de5670355ddd393077135ffa566a6aae5da9b3ec18bfe7a6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB1C7.exe

Filesize
14KB

MD5
0979dcec3c9812ffb40eb4e32fc8037b

SHA1
92e92bcc429de1b5de731b00e67ed8e39e2ab78d

SHA256
87177633fc08ee91cc2ea1029ab76b63cc045e5af5cb3399ff2892a2716c1f79

SHA512
38258a098a4647f9d60b12fc9356f345b89c860e141e1dba0650a37005b42969eed3582c84bfdb91203240fd671f6fb19912e6eaf4ff7bbd7ac48c1e7b7a1ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBABB.exe

Filesize
14KB

MD5
57beb692ac8b4acd7e01f24974fb7246

SHA1
36974c9f8e66b57d393e4c5639e14aa15d0bbdd6

SHA256
645c3d919c1cc8ae79fc15d2db32ebe638fc93d884d1b8c4472650e9efe796c8

SHA512
7c2d929cbb22d14707fdfd542fb3b2eda02c5d9e0ff76ebebb234b261c4be1766da17f93d299bf6b0dfcdc46588ff59d2ec6fec31c1673bea4ecbc53ee6be2c9

Download Submit

Analysis

Sharing