af43f41b601c6f278b66515ae2b60c761a10bca231ea7372c77be72f4a90edf8

General

Target

1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe
Size

15KB
MD5

81e80a483584cb9c82e050bacb63175b
SHA1

51566d797ca743d5f778fcd4a4db0508a0612cee
SHA256

1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf
SHA512

94fa15748244203a6ab92240ca45e4368e1b92e7b04ae01f3163f873fbe534420481f245e471a7674676139d3a5a7be0d96d3fdacd961d9b8b725a8609eb1436
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6QK:hDXWipuE+K3/SSHgxmyh6QK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEM2A95.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEM824A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEMD944.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEM2F24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	DEM864D.exe

Executes dropped EXE 6 IoCs

pid	Process
4404	DEM2A95.exe
4000	DEM824A.exe
3968	DEMD944.exe
2524	DEM2F24.exe
3524	DEM864D.exe
1696	DEMDD75.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2A95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM824A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2F24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM864D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDD75.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4404	4284	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe	104
PID 4284 wrote to memory of 4404	4284	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe	104
PID 4284 wrote to memory of 4404	4284	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe	104
PID 4404 wrote to memory of 4000	4404	DEM2A95.exe	109
PID 4404 wrote to memory of 4000	4404	DEM2A95.exe	109
PID 4404 wrote to memory of 4000	4404	DEM2A95.exe	109
PID 4000 wrote to memory of 3968	4000	DEM824A.exe	112
PID 4000 wrote to memory of 3968	4000	DEM824A.exe	112
PID 4000 wrote to memory of 3968	4000	DEM824A.exe	112
PID 3968 wrote to memory of 2524	3968	DEMD944.exe	114
PID 3968 wrote to memory of 2524	3968	DEMD944.exe	114
PID 3968 wrote to memory of 2524	3968	DEMD944.exe	114
PID 2524 wrote to memory of 3524	2524	DEM2F24.exe	120
PID 2524 wrote to memory of 3524	2524	DEM2F24.exe	120
PID 2524 wrote to memory of 3524	2524	DEM2F24.exe	120
PID 3524 wrote to memory of 1696	3524	DEM864D.exe	125
PID 3524 wrote to memory of 1696	3524	DEM864D.exe	125
PID 3524 wrote to memory of 1696	3524	DEM864D.exe	125

C:\Users\Admin\AppData\Local\Temp\1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe
"C:\Users\Admin\AppData\Local\Temp\1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\DEM2A95.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2A95.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\DEM824A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM824A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\DEMD944.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD944.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Users\Admin\AppData\Local\Temp\DEM2F24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2F24.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\DEM864D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM864D.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\DEMDD75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDD75.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2A95.exe

Filesize
15KB

MD5
2ee3c53a7e31fa12f40386400f33a016

SHA1
98df31c8cff831335829cecc942f06a1dfd02299

SHA256
d21bf4405042a8f868fff2ef5ae515911ff18b4774149c961c16435d034ae5c8

SHA512
545387a936be4ebcfa52b38063e6dcd64ce5bb5770491c59cf1ee5eaefab9852aca06a93e2168df2cbd6d4efeab4307e7228cdd44e61020fe2ac577e165c2e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2F24.exe

Filesize
15KB

MD5
0da1ca3a3b4971148db2d8304b144631

SHA1
e20599cac676547326efccdca4f7f7957e200428

SHA256
2a7f6b72b7f9f19476a5a3aa3cc41bf9d58156181d106cfcd1fc222cd0694d70

SHA512
04a6875e4c80c9a439a6df734168c244a2de909b554cb32bead52447f7cf1e3e1ad75cf2529fea435db824758403339fb3b8d74a3b551cdbc6197f1a9ff58c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM824A.exe

Filesize
15KB

MD5
fb8e59a0f7a65e9f3ad0a7e0908761a9

SHA1
135812185a5f9647b598a70965dd26aa7995caff

SHA256
ddaab0ce1b096323256043b1089afed25cafa7a626562d9fa0965bd03dc240ac

SHA512
148162a421f253dd42baf48ecd67a46b70bab8b6132ae0f33e0b740db466e80f553a814a55c08a286d7ca0ab13b6af3771a15570eb942ef379aeb1e268730577

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM864D.exe

Filesize
15KB

MD5
3912285b75daba588f877c0d0923dd51

SHA1
fed3842c11d09032408027300ea5df4bf09308e3

SHA256
d189201687d9d4a29f28c4e207472659c8f56e5e1313c049970c6aac2b3864f7

SHA512
2d331046e67d7f2ca26e5bead13061a2d97c667170ae0e5f8dec215399e66433d2381749a28ca80e78fb9f66cc4a86e2383aa2cfd594ac63786683faa3860a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD944.exe

Filesize
15KB

MD5
5b853385a8d35e9901396c3f41c7fe64

SHA1
b60b9921117c64ee6c5b0840b1db836c85d0764a

SHA256
da965d8441319118cd309a9ed15d6b974c85454ff50d8cbf851030469c18c5b9

SHA512
3a9a7d9baa0db428aefa47e6e4d57b3a4fb66b456ef5f5b22a1de05c032b8ea9ee7a6be82c4cbebc1e8a28dd7b443a5e6934629abe9b3259edcc641e04066bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD75.exe

Filesize
15KB

MD5
c2c4cb92768872ddcdd052541f08217b

SHA1
d64af5d0758588c25f258c84bbc42a97068ef4e2

SHA256
f9c5fa04e766c639d8e6710ee0253e56ceb44b922e7a3050409ea6ece41359f0

SHA512
797df46be9b1666ab9bd3f5cfefa6e36ba3b2608b94fc17dfb5ecde523330c69306e7e515547e859e141de423d68b061ad3da8796a54a5f4f32c824fb9b50fdb

Download Submit

Analysis

Sharing