d140925335f9177fcdb76bf7bd384bead50dbfbb2076dbbe5fc80805d9160344

General

Target

166b72678d2258d03e8346edcca00db2.exe
Size

15KB
MD5

166b72678d2258d03e8346edcca00db2
SHA1

464b9dfa33bfe9bc0d5fbcb1d454d92d1635fc7e
SHA256

d140925335f9177fcdb76bf7bd384bead50dbfbb2076dbbe5fc80805d9160344
SHA512

309cca8f58a2c2fde0e29829172599e2c402a93a608e372d88f0deaae36020f45dd5fb9064b92a30e4e51bc3917455e3f1f2cc98a339a70e6d80bfc74dceaf04
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEvzO:hDXWipuE+K3/SSHgx4C

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	166b72678d2258d03e8346edcca00db2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEM48E0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEM9F2E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEMF56C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEM4B6C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEMA16B.exe

Executes dropped EXE 6 IoCs

pid	Process
4044	DEM48E0.exe
456	DEM9F2E.exe
1280	DEMF56C.exe
3604	DEM4B6C.exe
1092	DEMA16B.exe
2424	DEMF77A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4044	3932	166b72678d2258d03e8346edcca00db2.exe	90
PID 3932 wrote to memory of 4044	3932	166b72678d2258d03e8346edcca00db2.exe	90
PID 3932 wrote to memory of 4044	3932	166b72678d2258d03e8346edcca00db2.exe	90
PID 4044 wrote to memory of 456	4044	DEM48E0.exe	96
PID 4044 wrote to memory of 456	4044	DEM48E0.exe	96
PID 4044 wrote to memory of 456	4044	DEM48E0.exe	96
PID 456 wrote to memory of 1280	456	DEM9F2E.exe	97
PID 456 wrote to memory of 1280	456	DEM9F2E.exe	97
PID 456 wrote to memory of 1280	456	DEM9F2E.exe	97
PID 1280 wrote to memory of 3604	1280	DEMF56C.exe	100
PID 1280 wrote to memory of 3604	1280	DEMF56C.exe	100
PID 1280 wrote to memory of 3604	1280	DEMF56C.exe	100
PID 3604 wrote to memory of 1092	3604	DEM4B6C.exe	101
PID 3604 wrote to memory of 1092	3604	DEM4B6C.exe	101
PID 3604 wrote to memory of 1092	3604	DEM4B6C.exe	101
PID 1092 wrote to memory of 2424	1092	DEMA16B.exe	104
PID 1092 wrote to memory of 2424	1092	DEMA16B.exe	104
PID 1092 wrote to memory of 2424	1092	DEMA16B.exe	104

C:\Users\Admin\AppData\Local\Temp\166b72678d2258d03e8346edcca00db2.exe
"C:\Users\Admin\AppData\Local\Temp\166b72678d2258d03e8346edcca00db2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\DEM48E0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM48E0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\DEM9F2E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9F2E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\DEMF56C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF56C.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\DEM4B6C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4B6C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Users\Admin\AppData\Local\Temp\DEMA16B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA16B.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\DEMF77A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF77A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM48E0.exe

Filesize
15KB

MD5
ce742568403aaba7f52b0157ffb0a17e

SHA1
68bee6c7dcbff464b428924199d4d8b3b650fbb8

SHA256
5b42899283c735c86242873d86bbfdb9587e7f95480582fa28a862e0005df46a

SHA512
17948d69b98917e5acacf3362fb887c841fca3ea2a5fec356be40f0555618b0dd91f85c6ab5282b50cb7d4ae18b054d95370188ce0f6e6467ef3bc3db9ba7c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4B6C.exe

Filesize
15KB

MD5
4d8e986b4709a795fd5081774d74ac9d

SHA1
ac4ed9ae3077077d2de8554683f6d7c2bdff6eee

SHA256
bde93f9938a651d6f7cc48861bea8568bd8bf52a7d3247f0b9687f451526dbf7

SHA512
61e8102e4d90f21bc0eb186ea188855948625355b0b7ae89fef3eacb5f67006272fee15b6a02c5d7c23a87c8442eef018726d69cbc6429a0598e1ce5d1cd2062

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F2E.exe

Filesize
15KB

MD5
f65e8698992f8935fa92a329ede2c5ff

SHA1
ceeade60a87552977b96b7a8e33b2ae96641135e

SHA256
5bf901ec1446259175a6c6297b18b0bbb39395f5af9e8c4ce000c84030592abe

SHA512
32cdf71378bea0116f85024d086e785f77619e89b716e9e13c5a957ea47946aa9fb3b6605a9e1a387f1756b39951dfc0b520c11137450fa35fb7e725f08f4711

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA16B.exe

Filesize
15KB

MD5
078e0b0c9c556c805325cc13b762904d

SHA1
85813da10ca2816e479cc4367dab29470cd74d2a

SHA256
fcff390d475a643982a01186d38aa848c715e4c0d6511551ba45b5ae9af0555f

SHA512
1cc21192263b25d7f146362f283a0dcfd33c3cf1cdf5d4940a772733eb57f2c50d4c53d86d09930efa226f278d731200d71cd9d665656a0756d2542f17992758

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF56C.exe

Filesize
15KB

MD5
39e14116fe41a71be83d8f47612793a1

SHA1
6333690c0c25b81ddaaabc09b4712419ca56ddd1

SHA256
1064d12881d34ecbba4f6eb2e4606cd9b0ee8c45108e4d3e5687c1517c431d75

SHA512
8c7d4c1c901625a28f32751879fd476753a49377850fdfa5089d7470da410023fa78669a8a7bf0138af7d67302a547c23d2fdefc379a7bc8dc958918ebe57262

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF77A.exe

Filesize
15KB

MD5
57063e87226e5d3bcc6b26725290f7e1

SHA1
c0d74e3a65dca1a37dfc08d14cd892c5cd28c0e6

SHA256
9013eac1f547c6aaea38ab9b2c49475457e60fb3fac4df370659d41dbbe7e77f

SHA512
6f1b27362b6021584549fdf03e3ffe20a5c2fd98e533679d583503a12e908e35c8680aed36c921db378c2afbb5c3f59005dd243f72c8ea7dd6c869e1768e29a0

Download Submit

Analysis

Sharing