20ea91263c8edb33ccc0e1bcfbe63de96ab88ca2012639c97382ad12535e18e1

General

Target

114a29aa4da23a027a34b2ac2cb2004d.exe
Size

14KB
MD5

114a29aa4da23a027a34b2ac2cb2004d
SHA1

133ad18b523b3319c160952c2da397462cda1374
SHA256

20ea91263c8edb33ccc0e1bcfbe63de96ab88ca2012639c97382ad12535e18e1
SHA512

68de1be49c1a00b25b9d7ecd5e1877af1bc4c7602524a3ebbc1c4fa3f52b6fe8086aae5345de727edfe321078deaf2cbc44f1d213e68ebb150304df318661570
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh8JT:hDXWipuE+K3/SSHgxaT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMFB67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM535B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMAAF1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEM2F4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	114a29aa4da23a027a34b2ac2cb2004d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	DEMA0A5.exe

Executes dropped EXE 6 IoCs

pid	Process
4232	DEMA0A5.exe
1280	DEMFB67.exe
4448	DEM535B.exe
1748	DEMAAF1.exe
3388	DEM2F4.exe
964	DEM5A99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4232	4968	114a29aa4da23a027a34b2ac2cb2004d.exe	93
PID 4968 wrote to memory of 4232	4968	114a29aa4da23a027a34b2ac2cb2004d.exe	93
PID 4968 wrote to memory of 4232	4968	114a29aa4da23a027a34b2ac2cb2004d.exe	93
PID 4232 wrote to memory of 1280	4232	DEMA0A5.exe	98
PID 4232 wrote to memory of 1280	4232	DEMA0A5.exe	98
PID 4232 wrote to memory of 1280	4232	DEMA0A5.exe	98
PID 1280 wrote to memory of 4448	1280	DEMFB67.exe	100
PID 1280 wrote to memory of 4448	1280	DEMFB67.exe	100
PID 1280 wrote to memory of 4448	1280	DEMFB67.exe	100
PID 4448 wrote to memory of 1748	4448	DEM535B.exe	102
PID 4448 wrote to memory of 1748	4448	DEM535B.exe	102
PID 4448 wrote to memory of 1748	4448	DEM535B.exe	102
PID 1748 wrote to memory of 3388	1748	DEMAAF1.exe	104
PID 1748 wrote to memory of 3388	1748	DEMAAF1.exe	104
PID 1748 wrote to memory of 3388	1748	DEMAAF1.exe	104
PID 3388 wrote to memory of 964	3388	DEM2F4.exe	107
PID 3388 wrote to memory of 964	3388	DEM2F4.exe	107
PID 3388 wrote to memory of 964	3388	DEM2F4.exe	107

C:\Users\Admin\AppData\Local\Temp\114a29aa4da23a027a34b2ac2cb2004d.exe
"C:\Users\Admin\AppData\Local\Temp\114a29aa4da23a027a34b2ac2cb2004d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\DEMA0A5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA0A5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\DEMFB67.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFB67.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\DEM535B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM535B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Users\Admin\AppData\Local\Temp\DEMAAF1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAAF1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\DEM2F4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\DEM5A99.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5A99.exe"
        7⤵
        Executes dropped EXE
        
        PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2F4.exe

Filesize
14KB

MD5
9d34007a7b1772f297eae80a91d1e135

SHA1
dcaf979cf2e6defb978e44ef33c435dbf1c8b6a9

SHA256
6b1350c75c6df75b9f3a8ed1cdfc1701c17f0c8db33a33a7ec3a61ccde5bcecb

SHA512
3989d355b5eaac700f66d78c5990a05a84cc51daa48e397a786b2995c9cc41613d9596e689544d41eb4360cf0eccafe3e1570a31e05db0380c6861df57d8f767

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM535B.exe

Filesize
14KB

MD5
12744e202a15cb679312e57baea6993a

SHA1
c8ec7a22217c3ec99dbfad91aa38bde8fb5a7660

SHA256
4afbc6234ef4cb1cca1539dddf653a8badcb01b81ffd211eda28be7c4f0295cf

SHA512
a0c7dc3f91bc2b291501f4502cf4e340c383ff95498233a5d580972b7e681de301658ae7b32e8a6abab1496d91970c2de383d6a6edf635865cbb7106568c32c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5A99.exe

Filesize
14KB

MD5
e8fe03716329e719eed0fdc091006d21

SHA1
aaa46a5d16c1d435b62d64f7ed459d1799f4d636

SHA256
46a8d4da860f62f64524ae80c01820931500fd7a594086adf9b8c1aef9c83db1

SHA512
b3c65eb0911ce851ffd035bdb0d0b5a6a3b1c37fd023eb35c3a01dd25e5d058bca094170c4202f7dd9a380beb29d38fb1d1d1366ba9bc31f9ac47847b11923de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA0A5.exe

Filesize
14KB

MD5
d81ac1cc7ca4f48546ccc0acaaa9f5ca

SHA1
292e19001c7803b7e171e744eb59b529944866ef

SHA256
dece931817f4e8ad0235e2cd5c2a4cb8dc7d37a8344f08e7e1009c5d677d661e

SHA512
d9a44e0201d5378a60caecee124281036603b622aeabc69e4ed257170b683ae9daa20246d168c59eff473519475bfe4398b219e41081c16dfd0aacd205556acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAAF1.exe

Filesize
14KB

MD5
05b73783bf3956002cc7efdf681dc19e

SHA1
f4daa139eb5b8d012672784edbca289ee20fd343

SHA256
aaf830d1b1dc835857d4b0928a7bc3f467085ae8ae30b48b2587c896f9ad9f97

SHA512
f7ac13a03908595017b35a76085743917c8930efb6306c2bbb22429ecb56e65ec2d2a56e171d7331e409d91767da31c45cd6c3f272d4931f09b082a3823c1615

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFB67.exe

Filesize
14KB

MD5
1e5156d6c27bed2cda4939a2749e2158

SHA1
f7e57e4d25856091e4a212ce9b83f36e7e8f8b21

SHA256
31b816102d19c610848778178a0b5de0b46662def0a582a572a515fde0cfd121

SHA512
51d9403561f8388f2c80c573b9b8a69268ad0c88924a5ad2b106816b695e19eb7e0cbe1268e10babdadbfe73c3b8ae7615281c50d92d132458a6af7499b6ff86

Download Submit

Analysis

Sharing