6fbb7f3f3f5d601f16abe0f48d5b8cdf44520ea19f4082d04258c1ce7cbd2416

General

Target

30b92b83b2c41ff493932d8345c0fa96.exe
Size

15KB
MD5

30b92b83b2c41ff493932d8345c0fa96
SHA1

aae68ab8ee205a061f5ef0b2618607b992d24e50
SHA256

6fbb7f3f3f5d601f16abe0f48d5b8cdf44520ea19f4082d04258c1ce7cbd2416
SHA512

4962ddfcff4a37a01842dcf3df12cb3f1ab81a198ae1401b443fd05c47b2742a67440c5f88513f40d873a5d6995cd091c6a8f02dc9b8986ab31e54d79f9570ff
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4f:hDXWipuE+K3/SSHgxmO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEMBCB8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM13B2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM6AFA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEMC2FD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	30b92b83b2c41ff493932d8345c0fa96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM63DA.exe

Executes dropped EXE 6 IoCs

pid	Process
5092	DEM63DA.exe
656	DEMBCB8.exe
3624	DEM13B2.exe
1072	DEM6AFA.exe
2104	DEMC2FD.exe
2352	DEM1A64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 5092	2908	30b92b83b2c41ff493932d8345c0fa96.exe	93
PID 2908 wrote to memory of 5092	2908	30b92b83b2c41ff493932d8345c0fa96.exe	93
PID 2908 wrote to memory of 5092	2908	30b92b83b2c41ff493932d8345c0fa96.exe	93
PID 5092 wrote to memory of 656	5092	DEM63DA.exe	99
PID 5092 wrote to memory of 656	5092	DEM63DA.exe	99
PID 5092 wrote to memory of 656	5092	DEM63DA.exe	99
PID 656 wrote to memory of 3624	656	DEMBCB8.exe	101
PID 656 wrote to memory of 3624	656	DEMBCB8.exe	101
PID 656 wrote to memory of 3624	656	DEMBCB8.exe	101
PID 3624 wrote to memory of 1072	3624	DEM13B2.exe	103
PID 3624 wrote to memory of 1072	3624	DEM13B2.exe	103
PID 3624 wrote to memory of 1072	3624	DEM13B2.exe	103
PID 1072 wrote to memory of 2104	1072	DEM6AFA.exe	105
PID 1072 wrote to memory of 2104	1072	DEM6AFA.exe	105
PID 1072 wrote to memory of 2104	1072	DEM6AFA.exe	105
PID 2104 wrote to memory of 2352	2104	DEMC2FD.exe	107
PID 2104 wrote to memory of 2352	2104	DEMC2FD.exe	107
PID 2104 wrote to memory of 2352	2104	DEMC2FD.exe	107

C:\Users\Admin\AppData\Local\Temp\30b92b83b2c41ff493932d8345c0fa96.exe
"C:\Users\Admin\AppData\Local\Temp\30b92b83b2c41ff493932d8345c0fa96.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\DEM63DA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM63DA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\DEMBCB8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBCB8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Users\Admin\AppData\Local\Temp\DEM13B2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM13B2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\DEM6AFA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6AFA.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Users\Admin\AppData\Local\Temp\DEMC2FD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC2FD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\DEM1A64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A64.exe"
        7⤵
        Executes dropped EXE
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13B2.exe

Filesize
15KB

MD5
375de3d7e3093a4c39ef99997ff3a80f

SHA1
2da6a79deb5d79040772010d3bb29a52f0e78f01

SHA256
04ca9207cfa9e80beb742becd1ec7c94f0f6d0b61069457bcae5427d8c9077d0

SHA512
36edbf8d2a5d14eeeb49af386f1c319b33147bcc195e28f8036ceda46eba45eae79c60888019abe3971a618e70bf29af42b5754044a90fed34ef7c0abd4a6336

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1A64.exe

Filesize
15KB

MD5
03cf63c0e73415b507d362ff46b1697d

SHA1
5a7473a71247f2fc41be81e735a14327dad72b31

SHA256
c94eb58cc96a9a1b963b3373693600ccade655e889d90a0347c49aab6b7508de

SHA512
607db3890287e95afbc8ffaea4716b5ec3ceeaa5df7d10eb49d8bb51d05a247cc377c4d063746ad3d82dc90866fbfefb65e71749890fc46937a62be60332da85

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM63DA.exe

Filesize
15KB

MD5
2292b7453218846d8d02ccdc9a9d0f39

SHA1
7e793fd89aa5a4fd228bf194b06b825c253806d2

SHA256
e3596204e238763931ee96e1a2d7886c6a31839826d9e18bc4a841176cf830cc

SHA512
36b445b7c0f5b4eef05241cb2b0306272178a120f53efd804b6b22c977eb108cc0987b4bd975603246489ff2546d76bc4fe2199eeca29248ee134aed06cac7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6AFA.exe

Filesize
15KB

MD5
d055bc0f9d2f7b0c73be6b7cf9fc790d

SHA1
c2c95b047e5151ab7af747f06b78864f206e8bcf

SHA256
3ae9506f9f8298812d08fa2d6909510e5dd963320f1fd1a7b7374adb3e5bef2f

SHA512
3f5ee1fe6a8fece0bf7918d23a24afb4e1996cf6c1db29855cca5678410f5c1ef3866666d86406f5659ed456bb74da989a15d622744f44a61d7b30f8614070f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBCB8.exe

Filesize
15KB

MD5
4bd60f80c6d3117006d1c01536f94acc

SHA1
6b3561e8577864ebd9823e523b0bd9d831e46283

SHA256
ff18ed6cca5273174bd9021ed183a7a69dd27f9ac5f89d93dde55b2126a07930

SHA512
42830fe2517bc84ecd01caef858dbdde7c693b7b918841c6238e3a5309ff248b3b2bcee0dcc674478dee7f4b5995cd4aa2d148026a0049382ec7a92438f6af97

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC2FD.exe

Filesize
15KB

MD5
ea29bb7379a7e0dc43306d4277f4a3f6

SHA1
ea11a73db51879834f237be5f3c3485b7ae3c01d

SHA256
8a6eddfb3437525cda66b82b05f262ed7c8eea291222436689c443655a7c2cff

SHA512
41b8e35c3abacb7b119d79daab024355edc7b9d8e12cd9541d4f9ec130a23aba277aac17adcbcc63f6cc6669bb3e313225573bbde391293a8f527bb50488136e

Download Submit

Analysis

Sharing