52f599ca3e64a727bd0e61b893a6b987d81e9936786c6c64add5a40a8edc5f57

General

Target

18640d585a56dd04f65decc560929682.exe
Size

14KB
MD5

18640d585a56dd04f65decc560929682
SHA1

bb14b0c39ea91a4b262acc6dd3091613b23c100b
SHA256

52f599ca3e64a727bd0e61b893a6b987d81e9936786c6c64add5a40a8edc5f57
SHA512

c6c4569a19d08241e1a714447f4292d05be16cbfd4b1b6451783267ae0910cea1f160b62b3252985d7419f84b7f153cd998d5ae79fa93f5dcc781f1271ecc97a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhgAHm:hDXWipuE+K3/SSHgxSAG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEMC85C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	18640d585a56dd04f65decc560929682.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM6BE9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEMC311.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM1930.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM7088.exe

Executes dropped EXE 6 IoCs

pid	Process
2468	DEM6BE9.exe
4060	DEMC311.exe
3168	DEM1930.exe
680	DEM7088.exe
3068	DEMC85C.exe
808	DEM205F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 2468	4692	18640d585a56dd04f65decc560929682.exe	93
PID 4692 wrote to memory of 2468	4692	18640d585a56dd04f65decc560929682.exe	93
PID 4692 wrote to memory of 2468	4692	18640d585a56dd04f65decc560929682.exe	93
PID 2468 wrote to memory of 4060	2468	DEM6BE9.exe	98
PID 2468 wrote to memory of 4060	2468	DEM6BE9.exe	98
PID 2468 wrote to memory of 4060	2468	DEM6BE9.exe	98
PID 4060 wrote to memory of 3168	4060	DEMC311.exe	100
PID 4060 wrote to memory of 3168	4060	DEMC311.exe	100
PID 4060 wrote to memory of 3168	4060	DEMC311.exe	100
PID 3168 wrote to memory of 680	3168	DEM1930.exe	102
PID 3168 wrote to memory of 680	3168	DEM1930.exe	102
PID 3168 wrote to memory of 680	3168	DEM1930.exe	102
PID 680 wrote to memory of 3068	680	DEM7088.exe	104
PID 680 wrote to memory of 3068	680	DEM7088.exe	104
PID 680 wrote to memory of 3068	680	DEM7088.exe	104
PID 3068 wrote to memory of 808	3068	DEMC85C.exe	106
PID 3068 wrote to memory of 808	3068	DEMC85C.exe	106
PID 3068 wrote to memory of 808	3068	DEMC85C.exe	106

C:\Users\Admin\AppData\Local\Temp\18640d585a56dd04f65decc560929682.exe
"C:\Users\Admin\AppData\Local\Temp\18640d585a56dd04f65decc560929682.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\DEM6BE9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6BE9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\DEMC311.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC311.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\DEM1930.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1930.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\DEM7088.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7088.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Users\Admin\AppData\Local\Temp\DEMC85C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC85C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\DEM205F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM205F.exe"
        7⤵
        Executes dropped EXE
        
        PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1930.exe

Filesize
14KB

MD5
5d7fba3cc2d805e48bb9f19bf0834e4b

SHA1
b399f30c5bb9653cee48df3a992b4746819f6a1e

SHA256
45f41fb253bd551d1f3cb57a6052d3f40c2a793e4ec05eb803d4472957b0afc4

SHA512
7127fe71ba19fd8c4e5cc7729b70bc12c6f87551075cffdd3c2725dba7bfe3514b5d6e29f8865a754a84cd0ccd0ecd30bf945ff567acbafe1607ea0090277c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM205F.exe

Filesize
14KB

MD5
8ec4b648194f87987f3e2da06dcf8972

SHA1
6df2696f242bdd9baf9fe938be848550018f0f42

SHA256
28cb4cddb9c889529ad40733e2e8e009c098194c5acb4cb795fefeac51469f96

SHA512
7f03dcf13f1e56d6fd5739e5bc4845e08111b822cf621fb73e3729f5d27a04ef56b41d63da6664ca752bfc911427fe488738ce831f6d20d970bd1ca15173891d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6BE9.exe

Filesize
14KB

MD5
e3b23be21254abe277ce355593e5bd89

SHA1
f08a01d9233282b08500748d94e6c611d902aebb

SHA256
c91d580ae7d5ca213f73f30310633abc9c5ccd61c554d42a46aad28ab8c95ca8

SHA512
eb1f8a7b082e4e6ad06f97785cf5e635b9d53323c7b95eccf3ec2fd2c812762a11df786993f392c7c9b906a2c0f49749a3bf580bab8259f92900912a80ad6e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7088.exe

Filesize
14KB

MD5
7bc240371fce1f6a779c2a5d2d46f388

SHA1
5ca02c16eeefcbf8444776480cd377ef36ac3b1a

SHA256
f537bf024861926f5d9af0da06ba849e1ff6dea68af3ff30e13fccb205f58b91

SHA512
d83ef8d1b61a7c31451b72e5b012567fd924884c4c9018f0d9c6f6cd35d5099615e5d008e3a3014d7af680a3f4d3825ab1c675da5c57806ae475e4a9e3ea9691

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC311.exe

Filesize
14KB

MD5
c3c86cf48ca822b921af614b78bb76dc

SHA1
d986a80b79d6c86b855d0113940ac9067dbd1ad7

SHA256
9cf354a1de7dea89bda2e84b7931b33937df8e3b910216e7d94fc7d2e155e3df

SHA512
761fc1e3ca0befac15300c9b018b1245e99bb68e4abba95ced9149a01a2517d4148418013970733b408850732f8d1b8842eb63ec7b5ab539bef6238492146e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC85C.exe

Filesize
14KB

MD5
3120269a1c72ffde4c672ae3bf767889

SHA1
926d7b23b005e459d4d0e03069a9611ae7876ada

SHA256
ce36eab149dd86ed89f837e2f1628d32b69ad172c3018a2bca12c48d05e0bd73

SHA512
d28bd7ef047197656765ea083c241d10ba8865bd9fc1f5b120f0fabfc88dc481567c5ac950071a215c97a8f8bb844f1509c8709fc81b126fbe548a5cc25834fa

Download Submit

Analysis

Sharing