3f0763f3304cd6dd175893a2146e78e3d224b29c627d2a476a044f715d2a84fa

General

Target

0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe
Size

16KB
MD5

6e1d294a95c002ff59d6f2af282f108c
SHA1

7f5ac39b0b6f6ef1689e20940c94a3e33a39e8df
SHA256

0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf
SHA512

091b2dc8c1f7412420423b54010b92ba3af8c10050c7fda351f3c1499703739b4a676f3ce71e9868d648a7556753933dd502a02acb1fcfbe47e991323918e335
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhn:hDXWipuE+K3/SSHgxl

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMC937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM1E8A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMC5A2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM1C9B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM7308.exe

Executes dropped EXE 6 IoCs

pid	Process
2992	DEMC5A2.exe
5052	DEM1C9B.exe
4800	DEM7308.exe
3984	DEMC937.exe
264	DEM1E8A.exe
3508	DEM749A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC5A2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1C9B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7308.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1E8A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM749A.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 2992	3328	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe	96
PID 3328 wrote to memory of 2992	3328	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe	96
PID 3328 wrote to memory of 2992	3328	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe	96
PID 2992 wrote to memory of 5052	2992	DEMC5A2.exe	101
PID 2992 wrote to memory of 5052	2992	DEMC5A2.exe	101
PID 2992 wrote to memory of 5052	2992	DEMC5A2.exe	101
PID 5052 wrote to memory of 4800	5052	DEM1C9B.exe	104
PID 5052 wrote to memory of 4800	5052	DEM1C9B.exe	104
PID 5052 wrote to memory of 4800	5052	DEM1C9B.exe	104
PID 4800 wrote to memory of 3984	4800	DEM7308.exe	106
PID 4800 wrote to memory of 3984	4800	DEM7308.exe	106
PID 4800 wrote to memory of 3984	4800	DEM7308.exe	106
PID 3984 wrote to memory of 264	3984	DEMC937.exe	115
PID 3984 wrote to memory of 264	3984	DEMC937.exe	115
PID 3984 wrote to memory of 264	3984	DEMC937.exe	115
PID 264 wrote to memory of 3508	264	DEM1E8A.exe	117
PID 264 wrote to memory of 3508	264	DEM1E8A.exe	117
PID 264 wrote to memory of 3508	264	DEM1E8A.exe	117

C:\Users\Admin\AppData\Local\Temp\0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe
"C:\Users\Admin\AppData\Local\Temp\0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\DEMC5A2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC5A2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\DEM1C9B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1C9B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\DEM7308.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7308.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Users\Admin\AppData\Local\Temp\DEMC937.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC937.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3984
      - C:\Users\Admin\AppData\Local\Temp\DEM1E8A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1E8A.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\DEM749A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM749A.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1C9B.exe

Filesize
16KB

MD5
48963eea1210610e32f2b509cb9d22b9

SHA1
69a7a9e0cf773e3687c9eacbb4f25220c6482131

SHA256
fe73d7e16a72c241d5ff6b834e08b54aebec06eaa364c604ad0a6c5ba75a26df

SHA512
7456fe36c62ae024f253b06f724eca314694a5f608eead4b9948131ce88d478cc4fd588fd2a4bb57755b5a76ee45280085a4d55aa8ac1fee466a79d02470a7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1E8A.exe

Filesize
16KB

MD5
5c8ea924f07a6e56cf27a9e511b939c5

SHA1
ef4922740f71332d5f14e2f48dcd6aa96ba6ef7c

SHA256
726b2e2c11f0d1a27de7af862cbbebeac6091328682bcf1588a6cddf7061e875

SHA512
55e6cdf8e1a87258aebb260d282edc2a45fd480ac16a44bdf8777c61a972ce7b48a6034cceb0c5d2b3c4fbe93af1bdf54fa21b16e5140ba8b90ae53171bd2c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7308.exe

Filesize
16KB

MD5
05aa9b1e5271b70bc83103a4000caaf3

SHA1
d78ec72433054e2ee38fa6aa0d6bec61bbc7527a

SHA256
f5475edb387d39868671a51f2fa5227a6370bce1020e029003bea95613b27840

SHA512
c76bb3f3508b64aebd336a14371dd1c0d110b091b3c6da02d29959b903abbfda44540d1a07cf7dcc815f88e4193b66ae686d3a7eaa25d749da83cb42c67d6793

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM749A.exe

Filesize
16KB

MD5
10f75903206abefd63249ae7af73f3f4

SHA1
e309881aa2e37bc462eda96ad4cb419648b17be3

SHA256
bf6a8fb365daa59f0464ec56c29ee5902320b268bb7682534e1ea9980386fb8b

SHA512
a682c5f28799f783f1c6359aa8de4ba59e4461618d927fd59e251d3596f4273ccd6f51df2f106ca737bfbbc5c11fcf973930ffe14a184ebec8ae912d7cf3ed94

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC5A2.exe

Filesize
16KB

MD5
39b80e8d090bd0df9e7a0f55447c6398

SHA1
0d06954942eb5ca948943b74af5c4dfe72f68bfe

SHA256
55cb413dc7637df539af73c9367324ed870e4e5c38524518cf8c3a93cbf81e30

SHA512
ba63e85ba0eb20e23d6f6f76d650e41e85288e16653821e50e506b4762e9f455e1bcf22d567cec8f8ec947b456f17d44e12064a7d16961bb866a4b68833077df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC937.exe

Filesize
16KB

MD5
8ad48cb4724a67c19077736a148e9db6

SHA1
77939bf0265600cb0494d9a03f58efa129efad63

SHA256
b6fa0e20efca65141c74686c78e59db9c57fb5ea7e48ced75f3088d07eb2486c

SHA512
4abe2966eca46cfca0fad24f2a5b68cc1eb51e20cfef0e0ed9092f2d97a9a1a211fb786ad998d96ccbc3f150fd3806bac2d2214563a0f5658053f62077cdf140

Download Submit

Analysis

Sharing