dc9cd5983d04fdf14d1dabf5e985fec3f8435aab9f931de002a6dfef868ed1a4

General

Target

2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe
Size

15KB
MD5

1696ec40ef9324eba72d5480547b4de2
SHA1

f257b172e0443a04d0e4425a47e7f1b83218f0f5
SHA256

2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b
SHA512

a63b5d6795c8670f1a8bc09188151bec9c3ebe8f770ef082db01530f0eba97821c1b20a832971cabbe39aa39028892f6c6df8c5b0de0131704dedc89b45a7881
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcPt:hDXWipuE+K3/SSHgxmkV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEME059.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM3658.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMDD21.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM339E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM89EC.exe

Executes dropped EXE 6 IoCs

pid	Process
4900	DEMDD21.exe
2436	DEM339E.exe
3096	DEM89EC.exe
3516	DEME059.exe
2296	DEM3658.exe
4560	DEM8C87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDD21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM339E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM89EC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8C87.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 4900	2524	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe	95
PID 2524 wrote to memory of 4900	2524	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe	95
PID 2524 wrote to memory of 4900	2524	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe	95
PID 4900 wrote to memory of 2436	4900	DEMDD21.exe	107
PID 4900 wrote to memory of 2436	4900	DEMDD21.exe	107
PID 4900 wrote to memory of 2436	4900	DEMDD21.exe	107
PID 2436 wrote to memory of 3096	2436	DEM339E.exe	109
PID 2436 wrote to memory of 3096	2436	DEM339E.exe	109
PID 2436 wrote to memory of 3096	2436	DEM339E.exe	109
PID 3096 wrote to memory of 3516	3096	DEM89EC.exe	112
PID 3096 wrote to memory of 3516	3096	DEM89EC.exe	112
PID 3096 wrote to memory of 3516	3096	DEM89EC.exe	112
PID 3516 wrote to memory of 2296	3516	DEME059.exe	114
PID 3516 wrote to memory of 2296	3516	DEME059.exe	114
PID 3516 wrote to memory of 2296	3516	DEME059.exe	114
PID 2296 wrote to memory of 4560	2296	DEM3658.exe	116
PID 2296 wrote to memory of 4560	2296	DEM3658.exe	116
PID 2296 wrote to memory of 4560	2296	DEM3658.exe	116

C:\Users\Admin\AppData\Local\Temp\2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe
"C:\Users\Admin\AppData\Local\Temp\2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\DEMDD21.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDD21.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\DEM339E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM339E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\DEM89EC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM89EC.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\DEME059.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME059.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3516
      - C:\Users\Admin\AppData\Local\Temp\DEM3658.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3658.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\DEM8C87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8C87.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM339E.exe

Filesize
15KB

MD5
bdbd6e76b036324dbe262ab2687263a7

SHA1
719d8ff258e6bb7cc4cb9940171ee93f0c03905f

SHA256
3ca4343ab267da5d1cbe237cea56726df2f886a32d35fab8267b8aa853d31b35

SHA512
40f1ebec7720a3b587997bc264f929349252a90b01193c9f0cc57518e810386e6fd4a2d090a3348329fb04226aa0dda89db73537c878372e6d0e45518dca0570

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3658.exe

Filesize
15KB

MD5
d4a2ff494b35caad182b0df3fcedee99

SHA1
8f94eb5bb6bed5ca807e53028b46c624bc901991

SHA256
91878224b24cfb68663957f817f61c089ad85bf0437db912b6c0cb5a51e4e28c

SHA512
848b979863b6fd7910e3148542a8f18569311158e0dab0ad126f7d499a24982990fc041a4b9267c0211988a1aed9b5b2d554eb79ddd36fb87d714a2b6b1d1b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM89EC.exe

Filesize
15KB

MD5
d858cbfdb134089f0f3268df78604f89

SHA1
47ee2cedb7725f69b6c1664a9bcb966aa5daff10

SHA256
fe1c58dd9e1406b9ee353d9dd0b325511ce0e3e681c8447b60755e8d560daa12

SHA512
949bae5773288c2d6ee49fa3702decd9b6c82e31084be6fd484115f6db8c327b84dec23adb5e8280a14604fc9388a5f22d478a1ea536d357ba1345de00366fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C87.exe

Filesize
15KB

MD5
c2615be03e24951d85fa4ed7df1c4f38

SHA1
97456cecbf06faf6fe719f7d8f850ed9896fe8d8

SHA256
923e6ead6d05f369f91879b1188d42f4a9720cb77ffe33ff544794ddcc0ef759

SHA512
87fe9d44d43eec0f5f9286b94e396ed8e57ea51b0e5189913ba0607a34ec3220a33f67107c21a46dd5d1648252752912c11986275c6069e95535fa842404ff76

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD21.exe

Filesize
15KB

MD5
d63c45a7b5607c7005dd8aa195d97e70

SHA1
ca9244a785eb5d47c332bfa52a0b7529109e14de

SHA256
1a3c72d76ba1f9a1d859a730b9d31844c21eb47495156e2f5e01f1ba857eda24

SHA512
dc3435676174c3f753e0b0efa6c16c866b214d132cba273d464a53282642f1b93c87d093542155e3e6bca11278898cc767ac2d0e76fad6cd90993132895c6466

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME059.exe

Filesize
15KB

MD5
03915f34fef2d31bde60a598b84a0adf

SHA1
a5c11ce3e89dac87a7f3cd7e30cf55b283becf93

SHA256
03abb26b77574eeaabe83529c92641f2afb680f226523ae65777850eac0aa240

SHA512
8de6167c7c681d2826e0600a4613597a7591ef71409c4097e4633d1729715b6bf6baeb4368ebae057db050bf1351ad3eb717088c4a683eeee49c3ff5ada94ffe

Download Submit

Analysis

Sharing