7d06811e314b5b017f84ce9648f57ea26e8a72a92db0196e69ffca1721aeedf1

General

Target

12b0e2a45b7fec50f4dc0bf3850d0f41.exe
Size

15KB
MD5

12b0e2a45b7fec50f4dc0bf3850d0f41
SHA1

eab0b7fe50151885e16ef8f0b992758ace52670e
SHA256

7d06811e314b5b017f84ce9648f57ea26e8a72a92db0196e69ffca1721aeedf1
SHA512

a9d61a2ca69ed55c1393fa77e8840aa26435aaeb10207fd0d9019b777e8bab64f01cb17379b5d091ceb8d3f56930ddd6b3a243154d63e054842a5caf7571fdd0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEvjh:hDXWipuE+K3/SSHgx4d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	12b0e2a45b7fec50f4dc0bf3850d0f41.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEM544A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEMAAB7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEME5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEM5714.exe

Executes dropped EXE 5 IoCs

pid	Process
4204	DEM544A.exe
2268	DEMAAB7.exe
1284	DEME5.exe
3292	DEM5714.exe
1864	DEMAD52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4204	3104	12b0e2a45b7fec50f4dc0bf3850d0f41.exe	94
PID 3104 wrote to memory of 4204	3104	12b0e2a45b7fec50f4dc0bf3850d0f41.exe	94
PID 3104 wrote to memory of 4204	3104	12b0e2a45b7fec50f4dc0bf3850d0f41.exe	94
PID 4204 wrote to memory of 2268	4204	DEM544A.exe	99
PID 4204 wrote to memory of 2268	4204	DEM544A.exe	99
PID 4204 wrote to memory of 2268	4204	DEM544A.exe	99
PID 2268 wrote to memory of 1284	2268	DEMAAB7.exe	102
PID 2268 wrote to memory of 1284	2268	DEMAAB7.exe	102
PID 2268 wrote to memory of 1284	2268	DEMAAB7.exe	102
PID 1284 wrote to memory of 3292	1284	DEME5.exe	103
PID 1284 wrote to memory of 3292	1284	DEME5.exe	103
PID 1284 wrote to memory of 3292	1284	DEME5.exe	103
PID 3292 wrote to memory of 1864	3292	DEM5714.exe	105
PID 3292 wrote to memory of 1864	3292	DEM5714.exe	105
PID 3292 wrote to memory of 1864	3292	DEM5714.exe	105

C:\Users\Admin\AppData\Local\Temp\12b0e2a45b7fec50f4dc0bf3850d0f41.exe
"C:\Users\Admin\AppData\Local\Temp\12b0e2a45b7fec50f4dc0bf3850d0f41.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\DEM544A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM544A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\DEMAAB7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAAB7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\DEME5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\DEM5714.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5714.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\DEMAD52.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAD52.exe"
        6⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\DEM390.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM390.exe"
        7⤵
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM390.exe

Filesize
15KB

MD5
7897f188b8355a8c4c0afe68abfb8301

SHA1
ef3d84479dee0f45dff8a11a44bf22685d929c03

SHA256
781300e26f3f13e15ff33282e537c64185c28ffd3d2b79f5cee52be2f15560b1

SHA512
19e8e7bbb392a5859ffdf49b156519fce3054ab725cd8c22a0065ee093daa19c5e35504205f8f2d7a04955f3ebbc697390c52e774f374a2f7a07ac721d2c69de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM544A.exe

Filesize
15KB

MD5
ff549b8faf19ae2ffceef0c0f934c9a1

SHA1
5fc79d9ecbbcb81ed324117a8f8d2c955d8cd9c0

SHA256
394b4c8ae24c2ae0fc19d77aac28dfe276ad0d6bc5815ecac0d971549b99aeab

SHA512
34467b39ccb70679d8d0aff097cda1057b5a8d5d5f936da0e00075527304048e25e4c7ed9cdc40b256439553585304cd27ecab9f5f3d9f99cf1701245708595c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5714.exe

Filesize
15KB

MD5
25891e30d348b202fc5a5b6bc8fc7157

SHA1
65111544078d5cd05e41b56e73a92b46339bf9f3

SHA256
f22b6c412e21910dd7c9a6145b1b0f9565f5b9cab5f3599e07184a6d078fd1e8

SHA512
6808058ac42281f3100f81018886a09ef22e1f2337d5c5f580d40355b6abdb95cb708d566a4ebb3881a0a2421296a43aa35b52d88dd65773bd14466c839af21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAAB7.exe

Filesize
15KB

MD5
83b5ff4110de79ff6db335ece2a1b5ee

SHA1
18220b4e30097797b3fcaa3414111420bd7231f5

SHA256
63a221bc6f4cafdee25a43888daf87714fed57ae96d99e016cbc099335670293

SHA512
fa6ee770f6871b462603e95c67d00834abbee601bc54d3f7447045c9b4fe2d537c11e2881de9da5105889333758b529c9a63dcc0c86f6a902e6cfd66584820a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAD52.exe

Filesize
15KB

MD5
6c6b390e156f4b5d94d1cb813d4760db

SHA1
e13011f531a68043b5a54ccf1c9ca6bef8b56c42

SHA256
aa020e2051c73f5c982eebf7dbddda40cd57b8cea1b3f04ff3884dec31204635

SHA512
1b814808f9fd4e4c385443b3ed03b20979efe03eb0db14b655020329f64da57ceba409ae260e434055e21e30b7ee66a3aa0be4ecdb23c6df7bee57d5f7eeff04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME5.exe

Filesize
15KB

MD5
d0000fa0d5121b4877c5a1214b3f528c

SHA1
a610cb5d9e70138bacfa148f62b70403f0f45b98

SHA256
f438747806315a8feec1673e60a7b29039056dea77d2fa8d88d94015871a5bfa

SHA512
28b96b7d67a31734d8628677d1bea01b8e2d85b40abbff8be94dc7863fb8271f13b42e63abed5422f134b4a341e7be6163f5234fb55752d51f29638059c136c2

Download Submit

Analysis

Sharing