9fe295fdfa15c7570195c1992b15d6a105c9ab0819276f9c766f1f6096ed10fa

General

Target

0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc.exe
Size

16KB
MD5

a066a8f236b44b38a9e23d6f796d98eb
SHA1

67005a2e988bacfd007e30b89d9123b12734a22b
SHA256

0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc
SHA512

a2da61ea1aa217297821c7b4d85a7c1c5ae73667456f0944da5a430eb51d680e6d14a7a6e39f0a5bfd14908921fb6b7debf47a21b45d7aa4476e6b525cbafee6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0FM:hDXWipuE+K3/SSHgxm0O

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMB2D5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMA0D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMB699.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMCE7.exe

Executes dropped EXE 5 IoCs

pid	Process
3212	DEMB2D5.exe
3396	DEMA0D.exe
1444	DEMB699.exe
928	DEMCE7.exe
2600	DEM6306.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB699.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6306.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB2D5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA0D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM607A.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3212	4848	0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc.exe	96
PID 4848 wrote to memory of 3212	4848	0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc.exe	96
PID 4848 wrote to memory of 3212	4848	0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc.exe	96
PID 3212 wrote to memory of 3396	3212	DEMB2D5.exe	101
PID 3212 wrote to memory of 3396	3212	DEMB2D5.exe	101
PID 3212 wrote to memory of 3396	3212	DEMB2D5.exe	101
PID 2932 wrote to memory of 1444	2932	DEM607A.exe	106
PID 2932 wrote to memory of 1444	2932	DEM607A.exe	106
PID 2932 wrote to memory of 1444	2932	DEM607A.exe	106
PID 1444 wrote to memory of 928	1444	DEMB699.exe	112
PID 1444 wrote to memory of 928	1444	DEMB699.exe	112
PID 1444 wrote to memory of 928	1444	DEMB699.exe	112
PID 928 wrote to memory of 2600	928	DEMCE7.exe	117
PID 928 wrote to memory of 2600	928	DEMCE7.exe	117
PID 928 wrote to memory of 2600	928	DEMCE7.exe	117

C:\Users\Admin\AppData\Local\Temp\0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc.exe
"C:\Users\Admin\AppData\Local\Temp\0c45067d94526e72e1fa730e30af0087786907c192485b85c24145611dadb7fc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\DEMB2D5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB2D5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\DEMA0D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA0D.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\DEM607A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM607A.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\DEMB699.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB699.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Users\Admin\AppData\Local\Temp\DEMCE7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\DEM6306.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6306.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6306.exe

Filesize
16KB

MD5
b11e91a67aed9dd03735b536a50da6a3

SHA1
ac81d40897962ea8ed94fc3b7b85e95b278e833a

SHA256
a6f9b8db79b5b2017284d97a970e900e0177ef093e726544af8592eef395ab13

SHA512
db8d1dcafe8d229635df10c14db7586fa9c870dbd3d7f1a663f3e0deac47bd6d3aedc8356af3c3206bfdd97193d0a8e8688b79d0a9b45db0ec2f0f21beb4a026

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA0D.exe

Filesize
16KB

MD5
1eb41a8df3e1225460da3c6f8a527791

SHA1
1071f53ba7ac262f51b9be29ec825e8a5d591f2c

SHA256
fe9fbca217649d71a1c02606dcfe58e066ffdcd6bd8816b5299870f377660c8b

SHA512
27c82840c4eefdace4623515939ec1ae80e5c0c26a81ab3301bc8a0f4a2e19b77fef72a20f9b7b979c70f29fe6c621b361f6c131728b3145e92c70df361537ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB2D5.exe

Filesize
16KB

MD5
1d8564b6c76422081e2c116d79a4c1b8

SHA1
d52533076edfc5fd1cefbba31281c96de30213f1

SHA256
35552002842a7a9289508747139802b7a0a5c90e68cfe4186243012bf340a574

SHA512
e05469e5f34b4a859b04e9e974c94048dcc1705f3465e6ce1190e09d7255b9e8b5693a1326b6f39e12f4965366120776b1033fa604d170d17b681fc64006c3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB699.exe

Filesize
16KB

MD5
d875cf3537a1bd67515b99466de184f0

SHA1
81651f695c6ffea17f50265ee7354c6944130ab4

SHA256
ea98ae3ab1841e443a1fb5c2eaf84ce9a736b600bbfbc9ef26b1b37ae3257aaf

SHA512
e836392763609a5426e49fee86a6a621e5f3ab99f2185c6da581d56818e8cb1eb13332e9015d9004f148ccb5afa26fffa67f0724ce6fced0411735a1e638b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE7.exe

Filesize
16KB

MD5
ec26dfafe0f67fa93a73d09a32b326c4

SHA1
6c27af0ef80bdaa696694f2235fe313fa1a5d265

SHA256
f184e62f7d7289994df557c187e804325ee4e6f99caec419c67953c78f243c8e

SHA512
0a98ad5c9a8ec685601af4d5179454b412808ed566cfc7173c44d3238a7a6eecbf55962864c68f6d5a057d5f2994b0fdc8f9801e11d24de793948fa3bea0f2fe

Download Submit

Analysis

Sharing