2c4ba44d52a53e4d92870785dbf7af5acb3a75eba577186a2fd53c2a3d295708

General

Target

21b7eaf0e158a7fc7bae28673213c543.exe
Size

15KB
MD5

21b7eaf0e158a7fc7bae28673213c543
SHA1

f4fd3ab5c763c2fd72dcc4b89c2672dc157d2482
SHA256

2c4ba44d52a53e4d92870785dbf7af5acb3a75eba577186a2fd53c2a3d295708
SHA512

1b3eada18f21206a150e0e76282099ee519d2466baa3627e9daa4df3800ec00b63ad6ca1053f55cd67b79a308ed74f63290b6d1d95e7bccfddd75f6c9d1ae0a6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxXE:hDXWipuE+K3/SSHgxmHtE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	21b7eaf0e158a7fc7bae28673213c543.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM47D6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM9E72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEMF482.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM49D5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEMA004.exe

Executes dropped EXE 6 IoCs

pid	Process
464	DEM47D6.exe
4000	DEM9E72.exe
368	DEMF482.exe
4540	DEM49D5.exe
4080	DEMA004.exe
5108	DEMF671.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 464	2672	21b7eaf0e158a7fc7bae28673213c543.exe	94
PID 2672 wrote to memory of 464	2672	21b7eaf0e158a7fc7bae28673213c543.exe	94
PID 2672 wrote to memory of 464	2672	21b7eaf0e158a7fc7bae28673213c543.exe	94
PID 464 wrote to memory of 4000	464	DEM47D6.exe	99
PID 464 wrote to memory of 4000	464	DEM47D6.exe	99
PID 464 wrote to memory of 4000	464	DEM47D6.exe	99
PID 4000 wrote to memory of 368	4000	DEM9E72.exe	101
PID 4000 wrote to memory of 368	4000	DEM9E72.exe	101
PID 4000 wrote to memory of 368	4000	DEM9E72.exe	101
PID 368 wrote to memory of 4540	368	DEMF482.exe	104
PID 368 wrote to memory of 4540	368	DEMF482.exe	104
PID 368 wrote to memory of 4540	368	DEMF482.exe	104
PID 4540 wrote to memory of 4080	4540	DEM49D5.exe	106
PID 4540 wrote to memory of 4080	4540	DEM49D5.exe	106
PID 4540 wrote to memory of 4080	4540	DEM49D5.exe	106
PID 4080 wrote to memory of 5108	4080	DEMA004.exe	108
PID 4080 wrote to memory of 5108	4080	DEMA004.exe	108
PID 4080 wrote to memory of 5108	4080	DEMA004.exe	108

C:\Users\Admin\AppData\Local\Temp\21b7eaf0e158a7fc7bae28673213c543.exe
"C:\Users\Admin\AppData\Local\Temp\21b7eaf0e158a7fc7bae28673213c543.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\DEM47D6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM47D6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\DEM9E72.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9E72.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\DEMF482.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF482.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:368
    - - C:\Users\Admin\AppData\Local\Temp\DEM49D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM49D5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\DEMA004.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA004.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\DEMF671.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF671.exe"
        7⤵
        Executes dropped EXE
        
        PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM47D6.exe

Filesize
15KB

MD5
019bf5dceaf69eb4df5bf75c12733b2a

SHA1
cfdb3f6f00cf3ae0ae0bfffee98ef7093c9c856e

SHA256
15c18f7f843f4579527d30a1f375fb0118e8bf203807d0894cfe5c1ff5bfd30a

SHA512
3dc48b921fceacdf353e49f25875c886b257e73f35146919e9f88caedb0c1dc9fa86f859dea19211a46da0716d61d180ec57022739cd78906f2fafac4a9aa63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM49D5.exe

Filesize
16KB

MD5
0f0eedf858c6da01bfa68ee0f4b3d866

SHA1
1d08cc6a57bd73625f42adba6ea7c48b28ffa7fa

SHA256
c453e71aac8b2f91870a4df78e9e1cd4b4e43e989b086e180d2f464c7229eccb

SHA512
c2d027f96fd4db9664f856f6019da3c43c52634e8dea2a489bac2290a27e7e91bdb061b28f7403454b479af5dd35064fe739b62166be2e764ed20b1bccad1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E72.exe

Filesize
15KB

MD5
b6c40f87e022282726357d381d8c11ae

SHA1
57ae81a31669c5b90d5228041bf51360e0b30906

SHA256
8fb475bac9459e5530639f9ef5f9744cf4f6d5c12adbeeed47f2dd38f99d9f29

SHA512
232527407328ab84269c338e6e6a6f9a205b6842304ae39e29914a0d6963aad30e75af3a7c3944e0aaf61c043d5d624b57d8e36be9470248f9bb7c38cedb03c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA004.exe

Filesize
16KB

MD5
d24d85795d963146c4a3cd3461cd740a

SHA1
8afcfc2bb107f0f461bcafaad54e3d8223475540

SHA256
d7a6426c9448351605eb1a7a9adae432aded6a6319122bc9ec2201dd623a3d84

SHA512
5177ae974f897c7c9764879fc939ef5d5900a450f6fc1c8f42b2d968d7a160b734dfc80cfb6348226d1f95e8b5a44c8d7f3c274cdb99f320f82dd89bd2efc0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF482.exe

Filesize
15KB

MD5
7755ceeb46d7271ec5d807466e6da8d4

SHA1
bc066486e1fdef3e67f5ee9122637c8742e6b244

SHA256
c25fb7211b12e5f0f43f02c1dc14f66fdad790123315cab25a82bc99bbdc7259

SHA512
ef6fdf176aa4502c3bb3cf26fcfcbb66307ca8ff27965912de67f39995dffec15c2ae78fc2ca7d0149c933c952b23ef6dffb3c0d8623c0318c3c4d730f8a1fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF671.exe

Filesize
16KB

MD5
e4d8ef4e116cfa09b472718a177bfd82

SHA1
076a549a0d7d517307f3f98695ccc63c991a641c

SHA256
e9b8e9040bb5025972831d3fd98d92635cf121134d12f8c2d093676714115fb3

SHA512
2ab6426e4d1af42ffdb761fbd01edd6b3f1714c6b5630ce4d1e4db0377baad1c363cff8214107f905137c3fbe2b4312e9e5d9d6afbb08d695cf3e2aca7624ee0

Download Submit

Analysis

Sharing