53b56d451bd4227404608959e778b0dc93476437015dcc6371fa978eaf868236

General

Target

2fc42c2a42b8889b0a63d6efb506f562.exe
Size

15KB
MD5

2fc42c2a42b8889b0a63d6efb506f562
SHA1

3eb0ee67d7023ccf16a0dc360dec279be8dd5fed
SHA256

53b56d451bd4227404608959e778b0dc93476437015dcc6371fa978eaf868236
SHA512

283f82d2e1742ba02809fdf5626c489a421b47cb4d8b292e0e43d535f2b5e5c7ac245c891cf0dc323b657b09c1b93d39a14921cebb5a5d2f2dc4547a303a9358
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnb:hDXWipuE+K3/SSHgx/b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM9EAC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	2fc42c2a42b8889b0a63d6efb506f562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM4611.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM9C8E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEMF25F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	DEM486E.exe

Executes dropped EXE 6 IoCs

pid	Process
3524	DEM4611.exe
2972	DEM9C8E.exe
788	DEMF25F.exe
2768	DEM486E.exe
1844	DEM9EAC.exe
3440	DEMF4EA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3524	3768	2fc42c2a42b8889b0a63d6efb506f562.exe	94
PID 3768 wrote to memory of 3524	3768	2fc42c2a42b8889b0a63d6efb506f562.exe	94
PID 3768 wrote to memory of 3524	3768	2fc42c2a42b8889b0a63d6efb506f562.exe	94
PID 3524 wrote to memory of 2972	3524	DEM4611.exe	100
PID 3524 wrote to memory of 2972	3524	DEM4611.exe	100
PID 3524 wrote to memory of 2972	3524	DEM4611.exe	100
PID 2972 wrote to memory of 788	2972	DEM9C8E.exe	103
PID 2972 wrote to memory of 788	2972	DEM9C8E.exe	103
PID 2972 wrote to memory of 788	2972	DEM9C8E.exe	103
PID 788 wrote to memory of 2768	788	DEMF25F.exe	104
PID 788 wrote to memory of 2768	788	DEMF25F.exe	104
PID 788 wrote to memory of 2768	788	DEMF25F.exe	104
PID 2768 wrote to memory of 1844	2768	DEM486E.exe	110
PID 2768 wrote to memory of 1844	2768	DEM486E.exe	110
PID 2768 wrote to memory of 1844	2768	DEM486E.exe	110
PID 1844 wrote to memory of 3440	1844	DEM9EAC.exe	112
PID 1844 wrote to memory of 3440	1844	DEM9EAC.exe	112
PID 1844 wrote to memory of 3440	1844	DEM9EAC.exe	112

C:\Users\Admin\AppData\Local\Temp\2fc42c2a42b8889b0a63d6efb506f562.exe
"C:\Users\Admin\AppData\Local\Temp\2fc42c2a42b8889b0a63d6efb506f562.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Users\Admin\AppData\Local\Temp\DEM4611.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4611.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\DEMF25F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF25F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Users\Admin\AppData\Local\Temp\DEM486E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM486E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\DEM9EAC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9EAC.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\DEMF4EA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF4EA.exe"
        7⤵
        Executes dropped EXE
        
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4611.exe

Filesize
15KB

MD5
d459fce4deb5cef70ead9cdf33376715

SHA1
31bb6ab4617e94ddc5124d7d8b1eccc9d68660dc

SHA256
e0f2c4a430f32b97f12f06322c56e0cf18a7393781826d42776e3951995aac48

SHA512
a3000f8c385045fd341ea3eeebb3bf4be72e97a83703332296bff41b239cb8ccd3c4584375cb20a3bf5ca95afb57c726ff6e2c432a813a0bf5a49386d174f5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM486E.exe

Filesize
15KB

MD5
2217203a1d23f2ac7d427fa532cbeb79

SHA1
de091f9900d615912a24f1fe2fdfc99243846874

SHA256
b11dc0f2f9c8cd417325d635dd4f52e6512288e0c57801ad484094ba053eae4c

SHA512
dc94f21c49cb47b7c1ebebe926516dd9aab2704400be55fa0ffe62e2685e5cddc8764468c7db57714d3659f29711525b76d134359bf717f94b7f9228ff34e48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9C8E.exe

Filesize
15KB

MD5
6fa7347bc33d05029813a2980d7ef335

SHA1
1194c0f84a1f4908240872e72c4d317f6c23cbc0

SHA256
65107b6487307669d9e8c7d37406eb516768ec2f6f1379a66f890a475314113b

SHA512
cb1ea1cb2f3f72f448a5cc5804f413a494cce90684abec28c48824fb41821c57251feff006b0417eeabac6573ce29579becef672e8cb068b23c246537552a9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9EAC.exe

Filesize
15KB

MD5
f6c8327a01880988aee8a392ee4fa383

SHA1
268d612b6488c6ccbd16439def2ba5b2451e6804

SHA256
8452a2b2220a68545e08e5607686b376e4bb4c927df0ec26faefd2426fb92bad

SHA512
7352df14ab3cd65de9e70a5b6054c99cdefdd35b4d29f8fa3cca37a7bc7dcac6cf2decfb200dc9bf53dec3bf72d0bc554ce5e72174cbff4451d5846d3cd01f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF25F.exe

Filesize
15KB

MD5
dc2936418ce97703b3a6645b393f3bb8

SHA1
e728e6d864b9c1bb140a313a2ce70d17b229a9c1

SHA256
5bd392b477eb582ea1377f191512cfeaaacd4371f48531b06910c194362f431a

SHA512
cf91bbab1ae2824d71535417b872c16ee8931c093473c7622160e5f7748b7c890848e552beaac9fa056b71ce22c4e3c7253ede8748a120a1d887485132cb4ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF4EA.exe

Filesize
15KB

MD5
8099bd4d82471d87d9827ae2985a3ad4

SHA1
1ac4fb6d39644fc0dbba21cf01548a3a37eaae5f

SHA256
6e091c5fc08aa9794e4d501d6170e17cfacb0fb5da03fa6ede1d18efe56da7db

SHA512
0dcd8d7f96869bc67b349fcd7826596006ad9c8a220855141767f69d1b235f17c39b3cf4108d669b458762bb651ac90c8dbbbb04be9047ca3a81c7eb2788ee4e

Download Submit

Analysis

Sharing