3cbde2fb38eb6a3c9cd8be61fe12423621df2dc2dd1986634c6d61fbefeaf34e

General

Target

297b702bc69fcf8e83041403c4d70afb.exe
Size

14KB
MD5

297b702bc69fcf8e83041403c4d70afb
SHA1

226ae12b73d9bb5bf1cfdb79d46b60cc1461d1f1
SHA256

3cbde2fb38eb6a3c9cd8be61fe12423621df2dc2dd1986634c6d61fbefeaf34e
SHA512

2ea61e30b2e5f4c24ecde51e4ed02ef5d545840968e4c6a71f27b78ee4a6f38e7d9c7cece50a4ac822c4ebc90dd03d25cdadcdc69301d4f31251d4e08171c5e8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlu3W:hDXWipuE+K3/SSHgxmlu3W

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	297b702bc69fcf8e83041403c4d70afb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM7B6A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEMD419.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM2B60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEM825A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	DEMD954.exe

Executes dropped EXE 6 IoCs

pid	Process
2820	DEM7B6A.exe
448	DEMD419.exe
4724	DEM2B60.exe
2700	DEM825A.exe
2444	DEMD954.exe
4016	DEM30CA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2820	3508	297b702bc69fcf8e83041403c4d70afb.exe	93
PID 3508 wrote to memory of 2820	3508	297b702bc69fcf8e83041403c4d70afb.exe	93
PID 3508 wrote to memory of 2820	3508	297b702bc69fcf8e83041403c4d70afb.exe	93
PID 2820 wrote to memory of 448	2820	DEM7B6A.exe	98
PID 2820 wrote to memory of 448	2820	DEM7B6A.exe	98
PID 2820 wrote to memory of 448	2820	DEM7B6A.exe	98
PID 448 wrote to memory of 4724	448	DEMD419.exe	99
PID 448 wrote to memory of 4724	448	DEMD419.exe	99
PID 448 wrote to memory of 4724	448	DEMD419.exe	99
PID 4724 wrote to memory of 2700	4724	DEM2B60.exe	102
PID 4724 wrote to memory of 2700	4724	DEM2B60.exe	102
PID 4724 wrote to memory of 2700	4724	DEM2B60.exe	102
PID 2700 wrote to memory of 2444	2700	DEM825A.exe	103
PID 2700 wrote to memory of 2444	2700	DEM825A.exe	103
PID 2700 wrote to memory of 2444	2700	DEM825A.exe	103
PID 2444 wrote to memory of 4016	2444	DEMD954.exe	106
PID 2444 wrote to memory of 4016	2444	DEMD954.exe	106
PID 2444 wrote to memory of 4016	2444	DEMD954.exe	106

C:\Users\Admin\AppData\Local\Temp\297b702bc69fcf8e83041403c4d70afb.exe
"C:\Users\Admin\AppData\Local\Temp\297b702bc69fcf8e83041403c4d70afb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\DEM7B6A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7B6A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\DEMD419.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD419.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\DEM2B60.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2B60.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Users\Admin\AppData\Local\Temp\DEM825A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM825A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Users\Admin\AppData\Local\Temp\DEMD954.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD954.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\DEM30CA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30CA.exe"
        7⤵
        Executes dropped EXE
        
        PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2B60.exe

Filesize
14KB

MD5
839933f042233bf47c717f2aac472304

SHA1
c401f89cc919fb2ab7866f269a943443b4bc3780

SHA256
5ad09ab055530cfce76b1420fb2aa446b5a84acaaf134128c324af6115d09d88

SHA512
d0156d41965cf107551f8df35d035b47e4618dd540c1e6a2744b86f3e7e2226ecd036f2424fadfb5e925763aa6036e30a052cbb6de8c2438a2f26f27ea3bd5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM30CA.exe

Filesize
14KB

MD5
8f826b6cde701adfd4112a878f566b00

SHA1
4926597c33e691213e9791ddf7b56fb4ff359e0e

SHA256
7aa2ccb2968d372290ea9a2350a4498de7b50b93d05f6b44385d614660ea310b

SHA512
017228b4fcd1d6508c14835fa3d650620ab7acb41fd60fb89c7e1e3dcaeebb962181c0976593c877ac55f34be66c153b61187da08578104fb78d98325bb38ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B6A.exe

Filesize
14KB

MD5
c9f5599b00c2c87f0c9d2679e5197e30

SHA1
73bce149a4aff4591b84e49e879d7ab55748ebed

SHA256
e83b65c0ad490b2ffd4c0bd0a49e291b3e65bb1818b4fb477afe8956801e76e0

SHA512
826d6499178323560282cc94bc60f772392668ac19b5b5a238f9770a25bf62fd2cc56ef56e0c766c8d1752a6a7b492159332c1269df4f148415cdb19bce0df21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM825A.exe

Filesize
14KB

MD5
89662e5f98b5f29ce18ae5931c186185

SHA1
ee5730561a2e13165d5695abba634d83863752b4

SHA256
0532e28b1e8aa3fda6bd3bd5d05bc14bfb7b4f8e1814d13b419968972e901cef

SHA512
d3a700a893079d16ccb8077164c1384b034b793bd039e1410fa524c2d991dc92575094d67c8217d34bc448e1eae7c9cf0138a3cdbf824b05f107077bbf770094

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD419.exe

Filesize
14KB

MD5
78ab63c3fc7a9bee1d684c1bb0375fe4

SHA1
706797cf94bff4ede7c089532f52ed9afd9f2f52

SHA256
90a4cb3ca7f3b78d3bf74b45ac36458f547353e91c929230ac20f4ce6d6a112f

SHA512
76fa330cf1baaf75374996c2df7184644fa8001762721fa2580a5f88db4358561159427402df42729b1fabeac5a5270e12a54bbe903d8e1ac18d0dac084971ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD954.exe

Filesize
14KB

MD5
3aa6de97cdb51aa763824158e3511109

SHA1
2fe68a1da4895b06c624ac9bf4a1f8ec216d1bc6

SHA256
98bbc1d1de67e139d4a7b6dcefd1667cd4249e04d693e68176b3d4e4f3041ba7

SHA512
40ff50a5ce4a79f75dba09613f2dea9385b0300644aebe8bd1754a1ea2fb0451d77152e5f52d0d038f37e42f690b784697eb582a26a9a2705cd09009f6cea93f

Download Submit

Analysis

Sharing