4b4c33ab6d86f27b8b195fa3f04fe56f97bbbd04d3d617e34404889ca42e1a4f

General

Target

111819ec6e18a572a22d398a7c15714b.exe
Size

14KB
MD5

111819ec6e18a572a22d398a7c15714b
SHA1

5042502f0968dda1181098c9def082580561d7d5
SHA256

4b4c33ab6d86f27b8b195fa3f04fe56f97bbbd04d3d617e34404889ca42e1a4f
SHA512

f1610fc327418e576b584a0ef7ae0aad060e2eb0b1b6285da4f4c3b9003f8b35e7680c268ed66e4efffcf979631b4249deec3abff75e84cfd795d68bc390d309
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5H:hDXWipuE+K3/SSHgxmF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	111819ec6e18a572a22d398a7c15714b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEM7B1B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEMD32E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEM2AE3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEM825A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	DEMDA9C.exe

Executes dropped EXE 6 IoCs

pid	Process
1908	DEM7B1B.exe
1188	DEMD32E.exe
5080	DEM2AE3.exe
1452	DEM825A.exe
3860	DEMDA9C.exe
1788	DEM329F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1908	1408	111819ec6e18a572a22d398a7c15714b.exe	93
PID 1408 wrote to memory of 1908	1408	111819ec6e18a572a22d398a7c15714b.exe	93
PID 1408 wrote to memory of 1908	1408	111819ec6e18a572a22d398a7c15714b.exe	93
PID 1908 wrote to memory of 1188	1908	DEM7B1B.exe	98
PID 1908 wrote to memory of 1188	1908	DEM7B1B.exe	98
PID 1908 wrote to memory of 1188	1908	DEM7B1B.exe	98
PID 1188 wrote to memory of 5080	1188	DEMD32E.exe	100
PID 1188 wrote to memory of 5080	1188	DEMD32E.exe	100
PID 1188 wrote to memory of 5080	1188	DEMD32E.exe	100
PID 5080 wrote to memory of 1452	5080	DEM2AE3.exe	102
PID 5080 wrote to memory of 1452	5080	DEM2AE3.exe	102
PID 5080 wrote to memory of 1452	5080	DEM2AE3.exe	102
PID 1452 wrote to memory of 3860	1452	DEM825A.exe	104
PID 1452 wrote to memory of 3860	1452	DEM825A.exe	104
PID 1452 wrote to memory of 3860	1452	DEM825A.exe	104
PID 3860 wrote to memory of 1788	3860	DEMDA9C.exe	106
PID 3860 wrote to memory of 1788	3860	DEMDA9C.exe	106
PID 3860 wrote to memory of 1788	3860	DEMDA9C.exe	106

C:\Users\Admin\AppData\Local\Temp\111819ec6e18a572a22d398a7c15714b.exe
"C:\Users\Admin\AppData\Local\Temp\111819ec6e18a572a22d398a7c15714b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\DEM7B1B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7B1B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\DEMD32E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD32E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\DEM2AE3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2AE3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5080
    - - C:\Users\Admin\AppData\Local\Temp\DEM825A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM825A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\DEMDA9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDA9C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\DEM329F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM329F.exe"
        7⤵
        Executes dropped EXE
        
        PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2AE3.exe

Filesize
14KB

MD5
1b10e8d56ee8b2bc660c6477470fa196

SHA1
ee7afa3f9aa6d7e5325b6328abf79666fa1e017c

SHA256
0f44bbbe1321db788aa3a8e3ec9d4f919635165d70eb9283fcbebcbd49c95db2

SHA512
2b898ab95ba829da26315ed280dc2e9581642c17a146f5f7b7b2a02068d96c7b62816bfabc456a438e80f5147786c7aed54d58654447567f8c72df6a3a465c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM329F.exe

Filesize
14KB

MD5
31909d8af818faff7125dd8fdd9178fe

SHA1
e8cb2adb03535f8ba3be94d4c51d19a44b5d4ad1

SHA256
03124038ec31418d763895350be991fc1d8e14c98bfbff3dc998b819a567551a

SHA512
640544e44a740fa2bd73cb2dfdb141c03882db30dc4446ba841a308428d30d1eec557cc6991588e8ecdc83bd3cb6a81a148a2b136dd71cd260a3e66c0b3861c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B1B.exe

Filesize
14KB

MD5
bd981169a8d51b661f3bfa5c2fd5027c

SHA1
e6c6706641e88989f8ecf230d7f66d1022801612

SHA256
8f865051a92d2be48680fa7882e6ebabba28dd03ebace5b8bdee50430cb310c8

SHA512
dd423e5f9d6df9f03869917c72b3cdef4089ba2dadbc5a4ffa57b470dd9a91891a3542a363c2ad5e193bb7cab71c71502b08916a36adc6098e6995d1d0540967

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM825A.exe

Filesize
14KB

MD5
fb0a916fc3a4cccfcba427961e320645

SHA1
6f3f66c6349c2f8a0f791b6ea7134e8b37f6afc7

SHA256
fcc1e2683eaa5e48737e4f997ffadde2ce200c829434602f349e564282a30478

SHA512
dfcababadf11b9a663cd940fa6da2cb27d2b0930334a4ad6214daca9ec9da7d026183e05ee579671f126148d99c6ad12d1b04c48c7c1c7579b6ab632355663e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD32E.exe

Filesize
14KB

MD5
435337581ee48866f739cdf724b2f1d0

SHA1
c350389142ea01e71b086e934aadbf1da2a4f26d

SHA256
fe15736c054503de38f0bb99426996f9e013aed8064085a98b459b8cbb4f0c40

SHA512
c19924f9ef09f24b0465b8646897c93b6dab5f046db207699e8d393042dd0e7624b970acf85f989c90a9c3c08504c7e119c2ec242df1d3c787f36b74329b7fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDA9C.exe

Filesize
14KB

MD5
125287aa569603fe47407ea6965441b5

SHA1
a77471c9ca26755a990fb158188446c58b1024e7

SHA256
8e695c1e355943e3650e37eeec3b1a2fc707193a7d715497bcc5deca5066ee6f

SHA512
9bae599153af31f120ad3023d35612047fa7f483e43c0bc86a7edad4b0d8aecf3379c65ba4ef2948cf67901e760aad497870fc76a04baa4edc019d23d5a8338c

Download Submit

Analysis

Sharing