e9d6d940ea9eb9d44accbecc9de6b28bf71fb1583b72f1627987c76c50186475

General

Target

1270129e048044cc8559fe9a415ef3d6.exe
Size

14KB
MD5

1270129e048044cc8559fe9a415ef3d6
SHA1

f778d1454743f681de39a8117f2c2fc17b140731
SHA256

e9d6d940ea9eb9d44accbecc9de6b28bf71fb1583b72f1627987c76c50186475
SHA512

e3eaa0de8e4453da3684888b392fd3fc90460d80f7d5b52b1cc8b1e4c1042d6aa61e6910cbbfd9c935902d97bd7cd97944999026298e4e8667692e24944356ae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cz2:hDXWipuE+K3/SSHgx72

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	1270129e048044cc8559fe9a415ef3d6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEM5340.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEMA921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEMFF20.exe

Executes dropped EXE 4 IoCs

pid	Process
3508	DEM5340.exe
2028	DEMA921.exe
2220	DEMFF20.exe
4688	DEM553F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 3508	1072	1270129e048044cc8559fe9a415ef3d6.exe	95
PID 1072 wrote to memory of 3508	1072	1270129e048044cc8559fe9a415ef3d6.exe	95
PID 1072 wrote to memory of 3508	1072	1270129e048044cc8559fe9a415ef3d6.exe	95
PID 3508 wrote to memory of 2028	3508	DEM5340.exe	99
PID 3508 wrote to memory of 2028	3508	DEM5340.exe	99
PID 3508 wrote to memory of 2028	3508	DEM5340.exe	99
PID 2028 wrote to memory of 2220	2028	DEMA921.exe	101
PID 2028 wrote to memory of 2220	2028	DEMA921.exe	101
PID 2028 wrote to memory of 2220	2028	DEMA921.exe	101
PID 2220 wrote to memory of 4688	2220	DEMFF20.exe	103
PID 2220 wrote to memory of 4688	2220	DEMFF20.exe	103
PID 2220 wrote to memory of 4688	2220	DEMFF20.exe	103

C:\Users\Admin\AppData\Local\Temp\1270129e048044cc8559fe9a415ef3d6.exe
"C:\Users\Admin\AppData\Local\Temp\1270129e048044cc8559fe9a415ef3d6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\DEM5340.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5340.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\DEMA921.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA921.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\DEMFF20.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFF20.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\DEM553F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM553F.exe"
        5⤵
        Executes dropped EXE
        
        PID:4688
      - C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe"
        6⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\DEM54.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM54.exe"
        7⤵
        
        PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5340.exe

Filesize
14KB

MD5
3f0b648f51291814aa82eb2bce7a3c3e

SHA1
a0507b8d2e6e4270a280c087235bb3b909ecf2c5

SHA256
181f07f055e64c122d1bd5b273301d44d20bad6bcc57224d0d61bd04e06fdd1b

SHA512
701a22e22fe5797776607cd6f52e967815cdf2d4b12a90e73797c3742ad0b230cf608c4f9adaac847af2b64b7c700a1712720084677d37fba3730a9898d61d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM54.exe

Filesize
14KB

MD5
95444edf05b77bfa82c84bb9564022e6

SHA1
2f9f108c9fb9a27442f2c26646f88e5a88594adb

SHA256
52e5ef977027698e1846db16dcfd647b84cb58adfa948bce9d992e286d556914

SHA512
6ba853dcea82f9ea27480c2b507fb4ff560ef7ddcc5798454f5e546092a2ffc0ea956453bf8871ad324d0d3aaba44184f9393eecd956acae9cbfadad357574e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM553F.exe

Filesize
14KB

MD5
70de0b2e5a7c138fc11d953e3783ccf2

SHA1
6f0f442a87d859970b656961906cfe892e3984cc

SHA256
3c0362a3919ff21848bcb681e900712598f42e1791d250faf2baa9eb99a955b9

SHA512
f19a1517512051ea3f20392bf93a2e323b2a26570b814283d634f0cda14c466c5febf2514d244575fe515c29c647c5b61af096f9e30092fe42c0d04d3c0d1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA921.exe

Filesize
14KB

MD5
6f781c6d29040c4214e89de93cc6a990

SHA1
49ef6a24791b7386424c6e2da954706f39e96cd9

SHA256
92fb222e615618055a42414747d1594b0580f38ce7e00dc70c35d8f8b278538f

SHA512
c74a0fb256376c49321d5ebeac062a6b0b3d741f702a22e679ff037b35d42e12a79b779e23c5828234102dcb64250c4bef26aa4f8da509bbd5328fd1dc46ac2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe

Filesize
14KB

MD5
174c1807c7b5dd3dcea7194dc3221fc1

SHA1
e476a6eb31cfcd961dfdf46f155bed796cf4c715

SHA256
310c7f9780f6d505d9f60fce9cfbe0ee7937cf7ff080ef2c639de4755d65087d

SHA512
78834bbec285b120a2997e2954be81bf09317cefabbe0baf3cfe34e90f2f59e13110cff1d1cebf90becc54a80595618deb82efa244bd8cacb867d5b39d980dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFF20.exe

Filesize
14KB

MD5
58031b96b9d279065dabef2ebc43fe85

SHA1
034ea5b481624c3e3c69d62f5c7f4c4f1b1bc1b2

SHA256
7df8badb20dd4f4b8ec2dc59985fd561ad80660df42ebb5531b715de15bba364

SHA512
c6b571a3fff7fa123e77aaa6dac09f52a18af01cad8c2e09dc47ac3daaf955d0c8db01ef5e5da6fd8462f3d69d3b02882e95b07e4b9c94b12e1999796c25e5bb

Download Submit

Analysis

Sharing