0815497516142f116d0cc618375d767ccf47e9247ab9800612efaafd793b01bd

General

Target

1689ed10ec554f90c5b2372cb5af3391.exe
Size

14KB
MD5

1689ed10ec554f90c5b2372cb5af3391
SHA1

b99f5f1e727f1a6994653a1ac950576a172708a6
SHA256

0815497516142f116d0cc618375d767ccf47e9247ab9800612efaafd793b01bd
SHA512

bf76e1cceaad2dc4d26b653273d191a83554fdaebbe72bd5eacf47c23116d987c3a9fd2d973fdc4652d1f880b750b228d55243f12340fc5004f24398c12d72fa
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRl:hDXWipuE+K3/SSHgxx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEMB48B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM1037.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM6963.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEMC1A5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	DEM1A45.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1689ed10ec554f90c5b2372cb5af3391.exe

Executes dropped EXE 6 IoCs

pid	Process
1036	DEMB48B.exe
1548	DEM1037.exe
2996	DEM6963.exe
2016	DEMC1A5.exe
872	DEM1A45.exe
2896	DEM7323.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1036	4852	1689ed10ec554f90c5b2372cb5af3391.exe	95
PID 4852 wrote to memory of 1036	4852	1689ed10ec554f90c5b2372cb5af3391.exe	95
PID 4852 wrote to memory of 1036	4852	1689ed10ec554f90c5b2372cb5af3391.exe	95
PID 1036 wrote to memory of 1548	1036	DEMB48B.exe	99
PID 1036 wrote to memory of 1548	1036	DEMB48B.exe	99
PID 1036 wrote to memory of 1548	1036	DEMB48B.exe	99
PID 1548 wrote to memory of 2996	1548	DEM1037.exe	103
PID 1548 wrote to memory of 2996	1548	DEM1037.exe	103
PID 1548 wrote to memory of 2996	1548	DEM1037.exe	103
PID 2996 wrote to memory of 2016	2996	DEM6963.exe	105
PID 2996 wrote to memory of 2016	2996	DEM6963.exe	105
PID 2996 wrote to memory of 2016	2996	DEM6963.exe	105
PID 2016 wrote to memory of 872	2016	DEMC1A5.exe	107
PID 2016 wrote to memory of 872	2016	DEMC1A5.exe	107
PID 2016 wrote to memory of 872	2016	DEMC1A5.exe	107
PID 872 wrote to memory of 2896	872	DEM1A45.exe	109
PID 872 wrote to memory of 2896	872	DEM1A45.exe	109
PID 872 wrote to memory of 2896	872	DEM1A45.exe	109

C:\Users\Admin\AppData\Local\Temp\1689ed10ec554f90c5b2372cb5af3391.exe
"C:\Users\Admin\AppData\Local\Temp\1689ed10ec554f90c5b2372cb5af3391.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\DEMB48B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB48B.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\DEM1037.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1037.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\DEM6963.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6963.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\DEMC1A5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC1A5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\DEM1A45.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A45.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\DEM7323.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7323.exe"
        7⤵
        Executes dropped EXE
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1037.exe

Filesize
14KB

MD5
1fa79ef513f3800f851cf842d4e2700e

SHA1
cf98f19486f9960f4d46fedab17be1458e1f4d09

SHA256
0c2d571c8b5c22389264c8c9cb391eb6b440fc1b3f85680e21ea0721048265de

SHA512
3f0e1ce16e49173b6551a82fff0bd8028520a54e11bc73dad662f585eeeed5bd5b6f9db73d50c41c440f91cce8a75c237c862a1c8f6e934dd0062432579f6e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1A45.exe

Filesize
14KB

MD5
46c0838468d242826180371f23f15736

SHA1
08392c7af9dafc8ab2b69e8e88c8400a1a72d17a

SHA256
412a76420df60847f534f00c8181f0a258a8bd7588f98976bfbf82b307b99e1b

SHA512
dbecb7e51854f3a50f0a69d4f364c26b9619e3faac7bb5b5eda38739d0c3985e1acb12543ac325cebdbd1fa20f6d24d4e95274783d55da276e1ef722b9ece1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6963.exe

Filesize
14KB

MD5
c89ac1600ef2ee00aa8820b63b9ee7fd

SHA1
f5e21784480752740cec623eaeefbdf09297081b

SHA256
bfeac878c6d01a0bb100c1c226c0d01008da67b7f911511abd4984edc6b587d2

SHA512
3b72da9b7e54fa78aa5e6fc71afaf26b825f3b8ea119c2b09ab463e38ec10276bb7a7ca1373d088f7b32a0deba39bae222cb79556169579e7585f64bc129302d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7323.exe

Filesize
14KB

MD5
ecdc81b46c9e827342db4769bf2097c1

SHA1
b177ad87507c2082f8ab098fd8444dc8ce868972

SHA256
b8781e47804747bcfc92bcfd11adfbe39b5b4a528c0a9d86e31432230cb21a5f

SHA512
952a7fdef6269ecf92b6c658bd5627c1b22c0bf8c3641afd46972ff37b691dfaf2b1388d8a4ab92ffbd47f4231d6c9b351a7d871a31421f8d22f0587adb8b543

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB48B.exe

Filesize
14KB

MD5
3b589bd2e32a797604c20e9e365b3947

SHA1
e1b66d4cfc3fb4af5b98dec495f3249412ff8006

SHA256
59e9ee136b1633a36f707199a52e61107af0a89b4118bdfca44ccab094b5a51c

SHA512
0078f755a5365f7576a70a9e326bf65cbb1df91ea95b5f8963fee371badc0fec27ca01f7c39c190fbe34943b58767e1dc91e376d95575600092f08b9c7807e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1A5.exe

Filesize
14KB

MD5
61939f883076c66d00a6c4fb4e2fa8d6

SHA1
be8d5bfb50569e0521f2b19fe9a44e82ff399b3d

SHA256
7fe5521cb09f910a711a831b1ec54c5dc10f4c6cfecf6885b9a2aafeb7337c98

SHA512
ea3627e117ed2c34ab24e4c4c3105646a44f52cd5c4d670effcaed0e3918eecbdcc9531cee573cc7beedabf6a1ddabd7c9c8f0ba437d4b10a9ed39a723f7d321

Download Submit

Analysis

Sharing