2e70952c8679467204afb7ce43122500e65a90b73b54ad8471e8abf0064a4894

General

Target

18f1828fb78835c41928987fe248c676.exe
Size

15KB
MD5

18f1828fb78835c41928987fe248c676
SHA1

f1c59798423719eec1d451671902d978f455a7a4
SHA256

2e70952c8679467204afb7ce43122500e65a90b73b54ad8471e8abf0064a4894
SHA512

56849e7cbb4c2ecd4ed1ddfefe83d04ce753b920dda396228cab1aab0a9e0d1c214970bb38587fd27445cb04f37d6a33a862094ae8836c331fcd9c7177dd7e23
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxj6:hDXWipuE+K3/SSHgxmHp6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	DEMEE91.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	18f1828fb78835c41928987fe248c676.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	DEM8F01.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	DEME7B0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	DEM3F75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	DEM96EC.exe

Executes dropped EXE 6 IoCs

pid	Process
1916	DEM8F01.exe
952	DEME7B0.exe
876	DEM3F75.exe
880	DEM96EC.exe
4600	DEMEE91.exe
4568	DEM4694.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 1916	4956	18f1828fb78835c41928987fe248c676.exe	95
PID 4956 wrote to memory of 1916	4956	18f1828fb78835c41928987fe248c676.exe	95
PID 4956 wrote to memory of 1916	4956	18f1828fb78835c41928987fe248c676.exe	95
PID 1916 wrote to memory of 952	1916	DEM8F01.exe	98
PID 1916 wrote to memory of 952	1916	DEM8F01.exe	98
PID 1916 wrote to memory of 952	1916	DEM8F01.exe	98
PID 952 wrote to memory of 876	952	DEME7B0.exe	100
PID 952 wrote to memory of 876	952	DEME7B0.exe	100
PID 952 wrote to memory of 876	952	DEME7B0.exe	100
PID 876 wrote to memory of 880	876	DEM3F75.exe	102
PID 876 wrote to memory of 880	876	DEM3F75.exe	102
PID 876 wrote to memory of 880	876	DEM3F75.exe	102
PID 880 wrote to memory of 4600	880	DEM96EC.exe	104
PID 880 wrote to memory of 4600	880	DEM96EC.exe	104
PID 880 wrote to memory of 4600	880	DEM96EC.exe	104
PID 4600 wrote to memory of 4568	4600	DEMEE91.exe	106
PID 4600 wrote to memory of 4568	4600	DEMEE91.exe	106
PID 4600 wrote to memory of 4568	4600	DEMEE91.exe	106

C:\Users\Admin\AppData\Local\Temp\18f1828fb78835c41928987fe248c676.exe
"C:\Users\Admin\AppData\Local\Temp\18f1828fb78835c41928987fe248c676.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\DEM8F01.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8F01.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\DEME7B0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME7B0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\DEM3F75.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3F75.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\DEM96EC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM96EC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Users\Admin\AppData\Local\Temp\DEMEE91.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEE91.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\DEM4694.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4694.exe"
        7⤵
        Executes dropped EXE
        
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F75.exe

Filesize
15KB

MD5
ff4b7e0210ee3af820ae4a075094a2ad

SHA1
9f683fb0db96f55f67b98c7a4573696a5799a638

SHA256
b0c61df251f63c1fc6961946dffbbc2cf66864d853525e65a3accd0fdc0053ae

SHA512
5f4118dcfa75f501ddc6307a0d843250a4159a6c72e1c10ead27ba22964f5525b23ae84c5d969d6664f5fdb334c0a36e4b270305b798fbe1c5df4343e6493149

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4694.exe

Filesize
15KB

MD5
1734e9157c6406028651f502d2337009

SHA1
226d9a0b8bd559bf47ec40036f7c897e7661c57a

SHA256
2c590055c5476985b587306de41838da289855d4c787f1f51a6d99e0360e5dff

SHA512
b739fc39e90fb9c673c1d1ae530f8af2fb8fa90717fdbf24c2bdb02ff8cf0ce6a8ba89a22dc46c772f780cc7cc8f1c0c4f88e5900b82d64c754ab8e87e82d2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8F01.exe

Filesize
15KB

MD5
1313d333ffbacc8d2070059f4d408bf5

SHA1
332aacbc9f248de7a33f0225458f6b685aa5b639

SHA256
746d76d3b1e8c9d12bf1977214bc700ef3a85b8627938196cba2ebc30a973716

SHA512
8bf75b1fcb93f8976baaca988db616af669a73951883b27085ad4d53e7d4d26833580e3e4024b510abf591e7ca22f30bb277e334610c98d36dc04b7555bdbbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96EC.exe

Filesize
15KB

MD5
f5bfaf6a0846cf51baba6825db5275de

SHA1
90ffc498c56daafe14151984ee3020189e812c69

SHA256
9300d356232ccbdcfd4cb343c1f0f7a060ec747cfdd9a74f83a56f2ee13dd72d

SHA512
c4ef6d160c613326cf0bebfa07ead7f80ad13549d080d83b4bf6ff2f50737c077f274191410ac20e8df71f7889929738a0ec60edf779af17a0c4201cc1542486

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME7B0.exe

Filesize
15KB

MD5
bd976c0d8f47603938fbaeb6fb2ccf57

SHA1
2661b769a64eea2bc983a86bb4cd4bfb6e21d90b

SHA256
6c810c081c3a0a0608facf257599bbb19a7d5f81028477367fea4a5e258de223

SHA512
1bd569631557e247bee22415b02547ca3e19bf193c8dfb398a3491824fb3912a9c1d2ee9988ae6763ff797cb5696157676d205e9c5c7ef1fc50f1496c0d441dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEE91.exe

Filesize
15KB

MD5
f7966b2ba859f4f989a03810e2cab4a8

SHA1
dab01e18d70d970fb40620ce3cbcfccb87a8abe3

SHA256
a3e87dcfa42c1b489df5b8d54c50d31b57c75727534290050bce1ed60e370917

SHA512
ff9f62cde6f5f0f2bf18e8fb32916a2e12be3af70b1edb8defb92278422bd20e33cad6624c100436785d516430b265e72f33cb27bffec46a4ada46fd87f5c7a3

Download Submit

Analysis

Sharing