a129ec1c3dec18557967b4e69fefb7d55a12a65ebac2b79b94dfb56f4d23a4d5

General

Target

17060da238ae60ba0abd4c79fab1a49a.exe
Size

14KB
MD5

17060da238ae60ba0abd4c79fab1a49a
SHA1

382576075e0f63b380385121843a504c69fa927e
SHA256

a129ec1c3dec18557967b4e69fefb7d55a12a65ebac2b79b94dfb56f4d23a4d5
SHA512

edb426e7782671c911e99a6c72462069717269be45cb5abf8ff7e0cc3260b772eb3d746e33ec38c1b71a84fb58313b4f9fe5541eb2732a36b690b62ef433366b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvFBP:hDXWipuE+K3/SSHgxlFBP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA4A7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	17060da238ae60ba0abd4c79fab1a49a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4BFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA2B8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF915.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4F25.exe

Executes dropped EXE 6 IoCs

pid	Process
3196	DEM4BFD.exe
2020	DEMA2B8.exe
1992	DEMF915.exe
4112	DEM4F25.exe
2424	DEMA4A7.exe
2680	DEMFAB7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 3196	1844	17060da238ae60ba0abd4c79fab1a49a.exe	95
PID 1844 wrote to memory of 3196	1844	17060da238ae60ba0abd4c79fab1a49a.exe	95
PID 1844 wrote to memory of 3196	1844	17060da238ae60ba0abd4c79fab1a49a.exe	95
PID 3196 wrote to memory of 2020	3196	DEM4BFD.exe	101
PID 3196 wrote to memory of 2020	3196	DEM4BFD.exe	101
PID 3196 wrote to memory of 2020	3196	DEM4BFD.exe	101
PID 2020 wrote to memory of 1992	2020	DEMA2B8.exe	103
PID 2020 wrote to memory of 1992	2020	DEMA2B8.exe	103
PID 2020 wrote to memory of 1992	2020	DEMA2B8.exe	103
PID 1992 wrote to memory of 4112	1992	DEMF915.exe	105
PID 1992 wrote to memory of 4112	1992	DEMF915.exe	105
PID 1992 wrote to memory of 4112	1992	DEMF915.exe	105
PID 4112 wrote to memory of 2424	4112	DEM4F25.exe	106
PID 4112 wrote to memory of 2424	4112	DEM4F25.exe	106
PID 4112 wrote to memory of 2424	4112	DEM4F25.exe	106
PID 2424 wrote to memory of 2680	2424	DEMA4A7.exe	108
PID 2424 wrote to memory of 2680	2424	DEMA4A7.exe	108
PID 2424 wrote to memory of 2680	2424	DEMA4A7.exe	108

C:\Users\Admin\AppData\Local\Temp\17060da238ae60ba0abd4c79fab1a49a.exe
"C:\Users\Admin\AppData\Local\Temp\17060da238ae60ba0abd4c79fab1a49a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\DEMA2B8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA2B8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\DEMF915.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF915.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\DEM4F25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4F25.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Temp\DEMA4A7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA4A7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\DEMFAB7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFAB7.exe"
        7⤵
        Executes dropped EXE
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe

Filesize
14KB

MD5
4298da8b1d86d91aee39014a5243d393

SHA1
8782cbe2b8938d344500f343999b3f03ddb26dbe

SHA256
8045d90376a26a57c1e3da0223668b487a3805753229dea1c49e90acd94901eb

SHA512
f9e3b74c65facf22b4d5434ec59c7cc7559d298a54237b49b76ac050a5e67368a0ae47bf8d03a1936384f3019f17888caa96f7b4e8d286fa8ed8e06bbb813142

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4F25.exe

Filesize
14KB

MD5
0d614c33000184d724cd80264d8938bb

SHA1
7aa64c798abc4bcba6820f9e63cb070c9f0c00bc

SHA256
77579c3dec4a3848bae0b4133578103127e19baf33fa8c71460af4e49f47db8e

SHA512
da2ad0f7b3e0013f9fb56bb601ab8baf21559debb8166d85274c469bccd1993f1944d8f7b2a567f5a544ed90a418e9b79ebd5c31456806a9a4b20c2872f4767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA2B8.exe

Filesize
14KB

MD5
29b9052fbf9b82cc43cd4051bfc27be6

SHA1
8bd70d47fd4e6fa2abe7a2f4f47027b2e4e5e9d8

SHA256
1599eb9f92ef54b294fb57cfe809eff1a7618333743d3c1ebc9ef4dc519cdd35

SHA512
c39b5b0d2f6eeb2177c975704bffba0b0d39e17913e4c382b7c1cff720675191457320288a97a8f2ff99abd0cdcd79a2b0f617ff98767ee5bcd0b628b055249d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA4A7.exe

Filesize
14KB

MD5
760c4a044d9faab6a2a967bb7371ea4c

SHA1
7d61c74e2e014fcb20fd0d585aa7dc7f0847580c

SHA256
abeae67cbb6770099da28f8387e19d0e3848aed7ebda72126df668b55570c304

SHA512
3fa065c72646f57318851623ea30cf4e5b2772319b1e811ed8422f7f63ac86b4c743c1c0125ae24a95cedcdc5663bcbdfd2d2d8c5032e63c47885f0b5e34ae55

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF915.exe

Filesize
14KB

MD5
dc636608518c296ae85d3bd0e4e05566

SHA1
8052e1984752b279f8a310028a1ca35ff6695e79

SHA256
380543338649fd9dd1f7f0d9a81eafdd082a6f5fefd678fa6edb984f5ebc0c62

SHA512
25df52677833e3ef3654b4b016304b0109b711e04e6bf695d1220b34be4e75232dd9a0212130b05c63c315019db588ddeb7b94bb70617cd46ff402bc092d917b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFAB7.exe

Filesize
14KB

MD5
f7c7b11cb429b3bb1cfb8499c8794bf2

SHA1
16072bc5f0ba62b31ee4a0c060293c741c8e1cbf

SHA256
1ef53fd80172d1feb889960600a3246e872e57ce2fd0eafd5e10828ddcd22006

SHA512
26366007dd3a536ca7e2165737d27f553c8e36d2a3ae44a3d7bd76cfb1d5ceacd2418c043dcb41e9dc110ca5f11eab51f428fda33ae0408ebfecdcade0131e44

Download Submit

Analysis

Sharing