8b518398b8901cbba71f715ce9f75a46c4bc5758c8a1b8ea12edba0097765a20

General

Target

12ec658f1c1d2eda3193569c347ed14e.exe
Size

14KB
MD5

12ec658f1c1d2eda3193569c347ed14e
SHA1

4e88c743e93d8a4b3fb9dd86afad5c12593ba90a
SHA256

8b518398b8901cbba71f715ce9f75a46c4bc5758c8a1b8ea12edba0097765a20
SHA512

a266e6b6cb0b838e182eb4a1e34142788734b229fab4aeb4438be3ef70e610bfdc32e355a1d57b1ce52b27642434466434151edd08e895836df008bd13442bbc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRd:hDXWipuE+K3/SSHgxR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM491F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9FAB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4C56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA1B9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	12ec658f1c1d2eda3193569c347ed14e.exe

Executes dropped EXE 6 IoCs

pid	Process
4504	DEM491F.exe
4052	DEM9FAB.exe
3804	DEMF656.exe
3972	DEM4C56.exe
2628	DEMA1B9.exe
2232	DEMF76B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4504	5012	12ec658f1c1d2eda3193569c347ed14e.exe	92
PID 5012 wrote to memory of 4504	5012	12ec658f1c1d2eda3193569c347ed14e.exe	92
PID 5012 wrote to memory of 4504	5012	12ec658f1c1d2eda3193569c347ed14e.exe	92
PID 4504 wrote to memory of 4052	4504	DEM491F.exe	99
PID 4504 wrote to memory of 4052	4504	DEM491F.exe	99
PID 4504 wrote to memory of 4052	4504	DEM491F.exe	99
PID 4052 wrote to memory of 3804	4052	DEM9FAB.exe	100
PID 4052 wrote to memory of 3804	4052	DEM9FAB.exe	100
PID 4052 wrote to memory of 3804	4052	DEM9FAB.exe	100
PID 3804 wrote to memory of 3972	3804	DEMF656.exe	102
PID 3804 wrote to memory of 3972	3804	DEMF656.exe	102
PID 3804 wrote to memory of 3972	3804	DEMF656.exe	102
PID 3972 wrote to memory of 2628	3972	DEM4C56.exe	104
PID 3972 wrote to memory of 2628	3972	DEM4C56.exe	104
PID 3972 wrote to memory of 2628	3972	DEM4C56.exe	104
PID 2628 wrote to memory of 2232	2628	DEMA1B9.exe	106
PID 2628 wrote to memory of 2232	2628	DEMA1B9.exe	106
PID 2628 wrote to memory of 2232	2628	DEMA1B9.exe	106

C:\Users\Admin\AppData\Local\Temp\12ec658f1c1d2eda3193569c347ed14e.exe
"C:\Users\Admin\AppData\Local\Temp\12ec658f1c1d2eda3193569c347ed14e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\DEM491F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM491F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\DEM9FAB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9FAB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\DEMF656.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF656.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\DEM4C56.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4C56.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3972
      - C:\Users\Admin\AppData\Local\Temp\DEMA1B9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA1B9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\DEMF76B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF76B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM491F.exe

Filesize
14KB

MD5
1f48f23835fd5773b93420d2e5907329

SHA1
c8adde9f59cf7592082a3c8fe129e4714b60105c

SHA256
c4d1f0fd395d7412914d2b792b5d2c8b08e95be1261b6011e979c49bdfeaf02d

SHA512
f2307867a4803ea5a19cad7b5756bac06019d57de54e5ef4fdccb48aeba415a66d1c849d76b9e4a2ed18d105076d8828cd6816555e5c20882936c961946b4db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4C56.exe

Filesize
14KB

MD5
a1b207224dacbe55e1fa95983c27e50e

SHA1
12302a7c3e2e96ebc44b8fc5ff7a8ba8d4773906

SHA256
d7d1a0b328dd2c37b7c7052f0f6448febb2d33480df65fd8df5f43d46ee3e7b1

SHA512
5d2c775f24fd6f7e078217d854e6fab25e943917148ccc5c30eb6b46e15939bae2ae43783ae0a9f39ca6ff3b566bb94450a80c2e499f8dd669b9d2f6d5632883

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9FAB.exe

Filesize
14KB

MD5
f359e373a869f4a56e31f96efef6ab66

SHA1
a0b604d8c31ca68aca3f58c52e5f237b20ebba64

SHA256
117fbee20311d660ec0cf79a2fb41ac1d3781f157e525e92b6eea4488c2caa8a

SHA512
82644fe1c9c4dc7006f3c2d6c95342eaae509611ec72b2e4f17b1425dab78ae7d349aee0b08b172be0760f886e0e1685647d3ff8d6c2849c8c8a0f9f71314865

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA1B9.exe

Filesize
14KB

MD5
c2a6687efa3759cb5b896f0e82a8c00a

SHA1
1f80841f24975966e29ae0eaa94dca6589dff6b6

SHA256
914dc3b9d7a326fdefa22d1eff703ad72faf2c5f96a5a87c02468f894cf5c513

SHA512
02fa67049aadf91084b5000c53d1cef4dd6985e09415541149110800d4fdedfc27ca41d1bde58c8840034e999fe5daf9aabe10205ea7780e16b51c3a2957e53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF656.exe

Filesize
14KB

MD5
d9a53841699b88b24183d9afaa36531a

SHA1
82ad88325b57930078915c83e8d56f872a510064

SHA256
3b3f80362aa7893f03359df7369319d30cfa8f7f541da162a344ab9bdbe869ec

SHA512
57bfedece38b7a31150455198b20dacf94187757fe56d3fd26cffe738f9c9b1e6e7f5ea04f7c5fd0003bfac7341dedc3181aaa954c3a6c0537a3de240db293f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF76B.exe

Filesize
14KB

MD5
e56528784fe92d3c160485c4fa06e2ce

SHA1
cf4ae093f8089017967993a686aee6746f5f4501

SHA256
6ae90c1bc5ce21aabac6871a3c753493618fae679ada9b8a6af4f9eff420f7a8

SHA512
f91aea5db78a9aa89ef6d9509d2e8240cdcf682fd6d98205f0ca37bed5e358ccd9f5d4a9e20ad02dd50adce8a8288e9a33ca4bb8fa917e1f50bb1ac05c45fef3

Download Submit

Analysis

Sharing