8dea97e974422a96d6e1f8b6299d2d2ce8ccc1c15fd9a02c0502db65bdd67dd3

General

Target

198421b2852793b18758617a2576fcfc.exe
Size

14KB
MD5

198421b2852793b18758617a2576fcfc
SHA1

ecc049d89d57b82b6d23814792a8096bf942f51a
SHA256

8dea97e974422a96d6e1f8b6299d2d2ce8ccc1c15fd9a02c0502db65bdd67dd3
SHA512

ce7cc0f881872bd96cdcdcea78fe75bf5ec1dbdc009c89b7e5a2a5095e65a2fa6bd8530adc83c6af6bad4c41db4103084d0f36eee9bb5606fd47b045e2e5760a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pj+F:hDXWipuE+K3/SSHgx49W

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	198421b2852793b18758617a2576fcfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM97EA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMF0D8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM488D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM9F68.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMF6A0.exe

Executes dropped EXE 6 IoCs

pid	Process
1424	DEM97EA.exe
1216	DEMF0D8.exe
4964	DEM488D.exe
884	DEM9F68.exe
1944	DEMF6A0.exe
3892	DEM4E45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1424	4920	198421b2852793b18758617a2576fcfc.exe	93
PID 4920 wrote to memory of 1424	4920	198421b2852793b18758617a2576fcfc.exe	93
PID 4920 wrote to memory of 1424	4920	198421b2852793b18758617a2576fcfc.exe	93
PID 1424 wrote to memory of 1216	1424	DEM97EA.exe	99
PID 1424 wrote to memory of 1216	1424	DEM97EA.exe	99
PID 1424 wrote to memory of 1216	1424	DEM97EA.exe	99
PID 1216 wrote to memory of 4964	1216	DEMF0D8.exe	101
PID 1216 wrote to memory of 4964	1216	DEMF0D8.exe	101
PID 1216 wrote to memory of 4964	1216	DEMF0D8.exe	101
PID 4964 wrote to memory of 884	4964	DEM488D.exe	104
PID 4964 wrote to memory of 884	4964	DEM488D.exe	104
PID 4964 wrote to memory of 884	4964	DEM488D.exe	104
PID 884 wrote to memory of 1944	884	DEM9F68.exe	105
PID 884 wrote to memory of 1944	884	DEM9F68.exe	105
PID 884 wrote to memory of 1944	884	DEM9F68.exe	105
PID 1944 wrote to memory of 3892	1944	DEMF6A0.exe	107
PID 1944 wrote to memory of 3892	1944	DEMF6A0.exe	107
PID 1944 wrote to memory of 3892	1944	DEMF6A0.exe	107

C:\Users\Admin\AppData\Local\Temp\198421b2852793b18758617a2576fcfc.exe
"C:\Users\Admin\AppData\Local\Temp\198421b2852793b18758617a2576fcfc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\DEM97EA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM97EA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\DEMF0D8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF0D8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\DEM488D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM488D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\DEM9F68.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F68.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Users\Admin\AppData\Local\Temp\DEMF6A0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF6A0.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\DEM4E45.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4E45.exe"
        7⤵
        Executes dropped EXE
        
        PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM488D.exe

Filesize
14KB

MD5
55791a4a596889094c8a6298045914e9

SHA1
d471b06b7753bbbfa25f3408e2ff454ff4dd7e46

SHA256
3c86447e8f8c8acd5c3285d9a2f718ed6a337a4c2c2c3566a711c7b82a64bf05

SHA512
6c1cd752f5ff6fcbd9da852076adacec6ce732233e5a0704370ec6da3ccbb7369008d52c9b20e854140827a1748e63245c5d7fa1205b7f288ea199f0a9a74f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4E45.exe

Filesize
14KB

MD5
68f22617b99d2e4465a1080e70f5fa70

SHA1
3627a1ff653e1dadc401f5a31663417429955190

SHA256
5e8508889e4f42886ac34dbe978c7bb9d55eaa589164aa5060de8eda4cac1cf5

SHA512
bdea8e3c4cdf033b358dbd3660b132216e080a0064cf2b71870f29eb80496d59828b53e3d7de539680e5756818757bf6bf013874ba694450fe82c522472bb506

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM97EA.exe

Filesize
14KB

MD5
7dce78b709eb7f1e73bd540c6f82051a

SHA1
69ee080a225545334ebc09c4688221d68560f122

SHA256
2b586417b4a602b1b41d2b4596e607372c1aa12e21dc5bc8421e3acc2533556a

SHA512
3e15b5ee3f8e0ae160d7a9488b8641b5244650347813f7ce38f65c6ddc7b83e903eca6aa3844407ea98d87d0cddca6c0e599c4df11cb02bcfa2cf1f13b0b141c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F68.exe

Filesize
14KB

MD5
08806130bc81c0ea181f81284b4c702d

SHA1
51d780a52995a731795e6a2c87e93f7c7729d79e

SHA256
174dac35f9a10c2b993cffcf9ce0e5f406318df86147dad3349dc8be48126a16

SHA512
c2aed99af8fc7da0529f7dc329963482a7999e66e4bb96a6253dc2075e78ec67d1c59c1a38f2c1ef6652607f58b287bc56437bd446d4847608b9620776bae797

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF0D8.exe

Filesize
14KB

MD5
8ea760f676bbcb9ee3244d4fb8a6341f

SHA1
745958431a4a475049f06f5dc47278ff920114a4

SHA256
faea9917e497da2a5fa1548ea093009f312ac00b4a46257d5845e0256f583401

SHA512
14a25b0a6efd511b527c0f153b2257950b497a57358c3546eb70f75f6be345a66f570b1cd31542ed8884e6f52c252d6929e338418fff1be67082cf5ad870f55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF6A0.exe

Filesize
14KB

MD5
c47dca146ac3615c0503c66fecc8847d

SHA1
36bfe14d6959e1add06e70ed5f52b9b78e8e499d

SHA256
4b058f7a4a02a53c2f0e8c53063f1283676c352ca079032e0ff9c0d5389920b0

SHA512
ac2290ac9c619a6e0785f83dabdb7e2ca63d71b72935ad856f97b59502b07acc34d560e8d26bcbe0e5804e9ba3369f6687a9dfd3d78bb2a9eca1eca39dd37636

Download Submit

Analysis

Sharing