d2682ba6d36d4778de7bfd10a46a92d8bf4a5a59f0aaf0bc57edb8f3e61d2674

General

Target

58f884145d98e60ca6a9c1ad3bda3e41.exe
Size

14KB
MD5

58f884145d98e60ca6a9c1ad3bda3e41
SHA1

39319fbe161bfa7e90feb673dbdeb57460068bfe
SHA256

d2682ba6d36d4778de7bfd10a46a92d8bf4a5a59f0aaf0bc57edb8f3e61d2674
SHA512

494ed45c590886af32571e3152aecc6cde2bac18c64e316bf78f6e2b074cbdef8f197dc392fc45708672b25534addb73e9a18256d07344dee1cf8f7d44e6a39a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYsCI:hDXWipuE+K3/SSHgxmk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM48F0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM9F7C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMF5AA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEM4BC9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DEMA19A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	58f884145d98e60ca6a9c1ad3bda3e41.exe

Executes dropped EXE 6 IoCs

pid	Process
3956	DEM48F0.exe
3912	DEM9F7C.exe
5052	DEMF5AA.exe
4284	DEM4BC9.exe
4580	DEMA19A.exe
624	DEMF7C9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3956	2160	58f884145d98e60ca6a9c1ad3bda3e41.exe	94
PID 2160 wrote to memory of 3956	2160	58f884145d98e60ca6a9c1ad3bda3e41.exe	94
PID 2160 wrote to memory of 3956	2160	58f884145d98e60ca6a9c1ad3bda3e41.exe	94
PID 3956 wrote to memory of 3912	3956	DEM48F0.exe	99
PID 3956 wrote to memory of 3912	3956	DEM48F0.exe	99
PID 3956 wrote to memory of 3912	3956	DEM48F0.exe	99
PID 3912 wrote to memory of 5052	3912	DEM9F7C.exe	101
PID 3912 wrote to memory of 5052	3912	DEM9F7C.exe	101
PID 3912 wrote to memory of 5052	3912	DEM9F7C.exe	101
PID 5052 wrote to memory of 4284	5052	DEMF5AA.exe	103
PID 5052 wrote to memory of 4284	5052	DEMF5AA.exe	103
PID 5052 wrote to memory of 4284	5052	DEMF5AA.exe	103
PID 4284 wrote to memory of 4580	4284	DEM4BC9.exe	105
PID 4284 wrote to memory of 4580	4284	DEM4BC9.exe	105
PID 4284 wrote to memory of 4580	4284	DEM4BC9.exe	105
PID 4580 wrote to memory of 624	4580	DEMA19A.exe	107
PID 4580 wrote to memory of 624	4580	DEMA19A.exe	107
PID 4580 wrote to memory of 624	4580	DEMA19A.exe	107

C:\Users\Admin\AppData\Local\Temp\58f884145d98e60ca6a9c1ad3bda3e41.exe
"C:\Users\Admin\AppData\Local\Temp\58f884145d98e60ca6a9c1ad3bda3e41.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\DEM48F0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM48F0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\DEM9F7C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9F7C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\DEMF5AA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF5AA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\DEM4BC9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4BC9.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Users\Admin\AppData\Local\Temp\DEMA19A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA19A.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\DEMF7C9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF7C9.exe"
        7⤵
        Executes dropped EXE
        
        PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM48F0.exe

Filesize
14KB

MD5
d76edf51915fb6ee928cb98f0bc57f36

SHA1
aacdfa549dc79423979a10b3d86ff505e5d8289a

SHA256
2013431388dd514cae924c5a904557650717fa95d564d749042366c0b6f35d88

SHA512
d0e99df334a90ab06bff584bf6f9887e4070e55aace8d9fcb24c8dbeef4860ca76d40820c9739388651a12bf414fe2624dedb75fa4e61d3a7fbf4912c615f259

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4BC9.exe

Filesize
14KB

MD5
14ba798bcb4c74c85b86dfbc4044531c

SHA1
f2cd0e5248c75e284840d9a9da8be127b70dae9b

SHA256
7356b424725a56701d43a112840552cb2ba336ad4a41e56256ee7f06f74340a1

SHA512
e1ac6933c4edef6259fa9b511010ecb5099834051beaf9f753f60ea53274f672df1e51b78a65071db69fb9b517fda9e04307ff792b475729931f2e297127b1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F7C.exe

Filesize
14KB

MD5
7ab0a3bdb9f80bc7b16a9874a5f72f8e

SHA1
99bffc9c96c26ea7782987a3ba0e2c1c7c3da488

SHA256
c6cf4cdee32dd1ae87098900ede71c2ec2eac70e75bbee9b8348c9bac7d9c1d1

SHA512
c1f4b9ea8fd3de368bafdf9a50b6068b2416c295efa4f7800cc340a0be4830c01968d155d0c4f8faff0af0af12cddc642cbf6dd0b702888951cb7e66f92295a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA19A.exe

Filesize
14KB

MD5
2b0578c87ac1e0f9cf5a1d46d74dc967

SHA1
b656229947e37089724993764a5132b09f31f582

SHA256
e848254837d7fbeab359504d0daf88a23eed51f4f50972146a5fc2b81bcbf0c3

SHA512
94b76165b4fb0213f220d80485efbf23b68d177801a753f2e9a0b2457118a8afa26ab9835fa046f4715ca3d504f0062a600c0453b4aa98eb2d074f51e6972a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF5AA.exe

Filesize
14KB

MD5
f928d97374a31a22a23b991714fb4562

SHA1
f89b2e9bf074b4cca535d0c45d226e730f56df5d

SHA256
1d37c0c74abd837dd5a16adf046d59a9ee670aab3fce48d84c7678221934926a

SHA512
18ed21a1b133b7b887c6f3cfb439a463e2ff025f4419903da286ec7af082b8a0cab0137c8130b02bf7babc5fa65ad68983f74662f8c3a4b6a2403839672959f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF7C9.exe

Filesize
14KB

MD5
227768d20af6c562ebd1160fe4845dd1

SHA1
460e1e7cf7f5ae0526155076f64497d7ebd2a117

SHA256
aa44ec8839cdca6a5a4cceb49604cbf44db70d86e4d5c8e9fad8a32b4afcd58c

SHA512
ee64432780ab97988b1d20edf77023f0e1f025585fe21f261ba466bb4d06763bca6d9e3fe3930da0f7bc7c5bc7b49cf18ad38fa25d0b9db1a9d36b0c83f598b7

Download Submit

Analysis

Sharing