93c3eb8620ece56923ae673a31bafa9902378ccf4707d6b7b5614db9e20c6b75

General

Target

349e04ad896487be6d1987e66a0fa64b.exe
Size

16KB
MD5

349e04ad896487be6d1987e66a0fa64b
SHA1

17dad555f1359bff87a4ef49beedc9ec323b33dd
SHA256

93c3eb8620ece56923ae673a31bafa9902378ccf4707d6b7b5614db9e20c6b75
SHA512

53b305006dd713c88b132f5ad8e7e4f2fa1435b7fc4bc2cef4d241aa6060c2c69a0565865d2a4b18d6b2232c6613ace929351a49a7f420c285f810718530b548
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlu3h4:hDXWipuE+K3/SSHgxmlu3h4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEM51B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEMA803.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	349e04ad896487be6d1987e66a0fa64b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEM4F39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEMA5A6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	DEMFBC5.exe

Executes dropped EXE 6 IoCs

pid	Process
4456	DEM4F39.exe
1628	DEMA5A6.exe
4856	DEMFBC5.exe
3212	DEM51B5.exe
2508	DEMA803.exe
4672	DEMFE31.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4456	2000	349e04ad896487be6d1987e66a0fa64b.exe	90
PID 2000 wrote to memory of 4456	2000	349e04ad896487be6d1987e66a0fa64b.exe	90
PID 2000 wrote to memory of 4456	2000	349e04ad896487be6d1987e66a0fa64b.exe	90
PID 4456 wrote to memory of 1628	4456	DEM4F39.exe	95
PID 4456 wrote to memory of 1628	4456	DEM4F39.exe	95
PID 4456 wrote to memory of 1628	4456	DEM4F39.exe	95
PID 1628 wrote to memory of 4856	1628	DEMA5A6.exe	97
PID 1628 wrote to memory of 4856	1628	DEMA5A6.exe	97
PID 1628 wrote to memory of 4856	1628	DEMA5A6.exe	97
PID 4856 wrote to memory of 3212	4856	DEMFBC5.exe	99
PID 4856 wrote to memory of 3212	4856	DEMFBC5.exe	99
PID 4856 wrote to memory of 3212	4856	DEMFBC5.exe	99
PID 3212 wrote to memory of 2508	3212	DEM51B5.exe	101
PID 3212 wrote to memory of 2508	3212	DEM51B5.exe	101
PID 3212 wrote to memory of 2508	3212	DEM51B5.exe	101
PID 2508 wrote to memory of 4672	2508	DEMA803.exe	103
PID 2508 wrote to memory of 4672	2508	DEMA803.exe	103
PID 2508 wrote to memory of 4672	2508	DEMA803.exe	103

C:\Users\Admin\AppData\Local\Temp\349e04ad896487be6d1987e66a0fa64b.exe
"C:\Users\Admin\AppData\Local\Temp\349e04ad896487be6d1987e66a0fa64b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\DEM4F39.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4F39.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\DEMA5A6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA5A6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\DEMFBC5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFBC5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\DEM51B5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM51B5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\DEMA803.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA803.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\DEMFE31.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE31.exe"
        7⤵
        Executes dropped EXE
        
        PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4F39.exe

Filesize
16KB

MD5
0bb582e27ec1a9f1f19088c2c9ada8c0

SHA1
1bc5a5df698f623cafae8d0e8664656d2dbe169b

SHA256
a0cbdf90f800e924a638426505c1a4356ca61a2fbe32b0f904170503021bb7af

SHA512
6c4144345b4e79e9de3044d6bfe7f812a51db9f37c1a46bc0b60e8308718c592e2a672299029d754daedf87b9f697fbaae73ad5083a4c20aff325e39f990ac48

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM51B5.exe

Filesize
16KB

MD5
a7ed8e293125d4f0542b09d01a1b6845

SHA1
9847de6c55236106f10c5b6e77f3bef81f9af101

SHA256
1150a8b06c86841a749cbcef28b7c3d611de1e10d93f874218cd238a40c4d516

SHA512
a728aab3b23ffbb9cc62f79379cfe6e7cda191031795f64bec4f593f39ddd355d1db4cf0a9ffc075e094b33231ad33a829cedeaa5e614485ae33583ded83d051

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA5A6.exe

Filesize
16KB

MD5
f0a5b8c8c808851bb474ad5841e07379

SHA1
80cfb441deb2c004b85d98257a7f89ba2f6ceba7

SHA256
2bf597176ee1410a37d7a0a37f65db88229df375c1f214fb658496052cbfb379

SHA512
b36b7f2a479146d260c5906983429e02b183e3e2d5335b09d4cfe7710c3f84cf6fd16420c0d75bee45a3e7b53bf876ac0d5eabb35e8153411c4bd25684bc01d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA803.exe

Filesize
16KB

MD5
dd193c86fdcaac6a0bf91e6f1a4d6751

SHA1
bb75264031ddc6b999fcfdd1eaa53ebc88eb21bf

SHA256
b80c3e67fa72af84f1b02ec15bfc2e83631f5f206b05567c8fa971a00d9db093

SHA512
f92aa747413b959b8efc661b38966959b04824972e5666fd86295772e741448b9422075ad3d16a2398c7f5173361abb51ddc6595930ca8424718861c3c7036e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFBC5.exe

Filesize
16KB

MD5
b3bbc96d112ffa039d519d18ebeb3806

SHA1
b8c9d307e2e7e41275088f16297fb30705952893

SHA256
e85f341f04ca85637264a1486a341fa726b66f32233094295d87e27385353637

SHA512
9f3a878409153d73f778ba7058a8a94ec9cffaa2778c662ae73cd469b40253663ba6e33c8f8dad461e7779c2df1034c98a782736e853339ff187e7e098273c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE31.exe

Filesize
16KB

MD5
cecad7076276dc489c18d9659a80fe22

SHA1
f3ea69d7a67a357a76a5ee97bd5a1946ca30f662

SHA256
d7058e80e8534ab19b12244ace8cfd960216d660bfe267e5f890a78f1b99c028

SHA512
e8874ff9d0940668fa4f7437f332156ad4f6e163dcc3d1972757dfa79f469d2ec05d6cf27c630b7ba2a869063c642d2ee83bcd61f34f220e5cb4a38b09baeed0

Download Submit

Analysis

Sharing