d633b41e8a8a70204709898f8f4c37a550ef847a96c2263f32f127d1905e85f3

General

Target

31848b6fbbdc84b05dce3bbf3816b87b.exe
Size

15KB
MD5

31848b6fbbdc84b05dce3bbf3816b87b
SHA1

887fe0a9ae994a51d2e2f095eb841783042e7b54
SHA256

d633b41e8a8a70204709898f8f4c37a550ef847a96c2263f32f127d1905e85f3
SHA512

31f8b800f87de8da3648e2ebab2cd422b1e05dad8f7d14fd994232d9e275d3ee7211c1dfa164bc702c62cc147b9c0a40ec9e46ecebf3718731d617c3c964f0a8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2FG:hDXWipuE+K3/SSHgxmKEFG

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	31848b6fbbdc84b05dce3bbf3816b87b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM65DE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEMBEEB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM170D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEM6F30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	DEMC668.exe

Executes dropped EXE 6 IoCs

pid	Process
2884	DEM65DE.exe
484	DEMBEEB.exe
4316	DEM170D.exe
4380	DEM6F30.exe
3380	DEMC668.exe
576	DEM1E6B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 2884	3080	31848b6fbbdc84b05dce3bbf3816b87b.exe	93
PID 3080 wrote to memory of 2884	3080	31848b6fbbdc84b05dce3bbf3816b87b.exe	93
PID 3080 wrote to memory of 2884	3080	31848b6fbbdc84b05dce3bbf3816b87b.exe	93
PID 2884 wrote to memory of 484	2884	DEM65DE.exe	98
PID 2884 wrote to memory of 484	2884	DEM65DE.exe	98
PID 2884 wrote to memory of 484	2884	DEM65DE.exe	98
PID 484 wrote to memory of 4316	484	DEMBEEB.exe	100
PID 484 wrote to memory of 4316	484	DEMBEEB.exe	100
PID 484 wrote to memory of 4316	484	DEMBEEB.exe	100
PID 4316 wrote to memory of 4380	4316	DEM170D.exe	102
PID 4316 wrote to memory of 4380	4316	DEM170D.exe	102
PID 4316 wrote to memory of 4380	4316	DEM170D.exe	102
PID 4380 wrote to memory of 3380	4380	DEM6F30.exe	104
PID 4380 wrote to memory of 3380	4380	DEM6F30.exe	104
PID 4380 wrote to memory of 3380	4380	DEM6F30.exe	104
PID 3380 wrote to memory of 576	3380	DEMC668.exe	106
PID 3380 wrote to memory of 576	3380	DEMC668.exe	106
PID 3380 wrote to memory of 576	3380	DEMC668.exe	106

C:\Users\Admin\AppData\Local\Temp\31848b6fbbdc84b05dce3bbf3816b87b.exe
"C:\Users\Admin\AppData\Local\Temp\31848b6fbbdc84b05dce3bbf3816b87b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\DEM65DE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM65DE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\DEMBEEB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBEEB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Users\Admin\AppData\Local\Temp\DEM170D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM170D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\DEM6F30.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F30.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\DEMC668.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC668.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe"
        7⤵
        Executes dropped EXE
        
        PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM170D.exe

Filesize
15KB

MD5
70614d72784f52b5acf0afbebc4af111

SHA1
8cd8fcd6913de675721bed0a719fb3bcbfe6a63a

SHA256
bceeddb4346f935eee7d9dde05bb5ed2c1c362f4cb9e8354447ad74a634f9e84

SHA512
4b7ce4ec1317196c65b20511286c3d23c79781e30868176623486cbb2da04f2d8e3fd7baf18ba5b40dc40a2e2e069a3d40da68bd00e69fc2f13fc2979b0583c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe

Filesize
15KB

MD5
c0c2c0a527c41019a8e860cf38ca7eb0

SHA1
d2b7d6a5f2429f9cc1c8d6e1c3e97f83a6a116bb

SHA256
66865560395ed75a43c72cbdb15cdcf0596d1e0656b75d79eaa78ca7aad96a93

SHA512
4557f8206ed07cfabffa039c5a9c8db1259fce5cf6e633cdcc9fc27b8a5540b0ff31be316d742bb74979a68a60d01b03abd61389d7434abc1da6b21731ee0600

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM65DE.exe

Filesize
15KB

MD5
6b07283ffc1cd3b619d0a675efc2ba5a

SHA1
d3a88f08367bbee709effcf6d9cccda20fd0295c

SHA256
eb9ed83f923ca99d12cb7015913b0719ad91fd5b1b85d3a0437bae08aef34983

SHA512
c09ab080d03293ea05d4cdb5600b1017d0fe0d76d704d4e66ac780b6cdac089b2075b377ac9fe0cc1cc590156800941486fccad3aa07b763abe636a09eb68d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6F30.exe

Filesize
15KB

MD5
1c3e66c24578dc142204384fe37bb4dd

SHA1
e9ff3920982a2394fc9021522954f920c540138b

SHA256
da26e63c8d55a66f546a5bf6291be1e802a2e3a17915fc93449dc3b3ae251c47

SHA512
bcb8ca012c9bc8d682511eca856ada14b1556ff2043f31aa3d83a78e3f64974f2cceb39eccc8ccb700a550ef40e95319699e14b355f7a16e3b864d261dc3f331

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBEEB.exe

Filesize
15KB

MD5
ac4248248c4398994fae23d6a2350ee5

SHA1
94560f12f9e3bef43fc965878d6e64fb9a835b93

SHA256
7bff9b9d5683cdfd82af5ae0b422b75370f210238561c786285a123843a7b822

SHA512
dd3dfc2ba033224293eee68cc55a26331225b83560e3f21919582b724f0ad6fe582854e0d9bf699e7098c9a48bbdcd18d4a78ee01b3704a767613a068358f4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC668.exe

Filesize
15KB

MD5
4931db5583cd8b0a1a9e25d317167b2e

SHA1
22550870df1b8312629bb10193b2ae6a82e5ff71

SHA256
90c6219134358a829126406fb1f21d785c25b9d27ae1dc6ffc49fcc7473f49a0

SHA512
7e2c8aece3c8f6dab55a4ef5e18fac5763370d705bb2553adf86b1315e81ff8456f0b2d36ff768709bb048f4eeaa6f9095bc91e44cc00c9ebcc60c59af8096c1

Download Submit

Analysis

Sharing