22d04620e04138238b6777bbf5cfdfd2f76b629ff5ef70c41d8aff2756a48213

General

Target

4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b.exe
Size

16KB
MD5

bee868a3a7dd100646c3ec7da39dce97
SHA1

6aa880a1d6bdd01b99854b8e548bbf6b9c89853b
SHA256

4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b
SHA512

6bfd8eb96f0226309c7de60896098d4d263798e13632eae9c7d4e379a55d7c5bad82e859bf78e7c6c7e1fea6df9eb476447cb52cd5dafd4b90d525b3a46df052
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhayPc:hDXWipuE+K3/SSHgxZ0

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM831A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMDA04.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM30B0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM8671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMDCAF.exe

Executes dropped EXE 6 IoCs

pid	Process
3452	DEM831A.exe
4980	DEMDA04.exe
4408	DEM30B0.exe
3600	DEM8671.exe
4940	DEMDCAF.exe
1616	DEM3261.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM831A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDA04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM30B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDCAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 3452	1140	4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b.exe	96
PID 1140 wrote to memory of 3452	1140	4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b.exe	96
PID 1140 wrote to memory of 3452	1140	4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b.exe	96
PID 3452 wrote to memory of 4980	3452	DEM831A.exe	101
PID 3452 wrote to memory of 4980	3452	DEM831A.exe	101
PID 3452 wrote to memory of 4980	3452	DEM831A.exe	101
PID 4980 wrote to memory of 4408	4980	DEMDA04.exe	104
PID 4980 wrote to memory of 4408	4980	DEMDA04.exe	104
PID 4980 wrote to memory of 4408	4980	DEMDA04.exe	104
PID 4408 wrote to memory of 3600	4408	DEM30B0.exe	106
PID 4408 wrote to memory of 3600	4408	DEM30B0.exe	106
PID 4408 wrote to memory of 3600	4408	DEM30B0.exe	106
PID 3600 wrote to memory of 4940	3600	DEM8671.exe	115
PID 3600 wrote to memory of 4940	3600	DEM8671.exe	115
PID 3600 wrote to memory of 4940	3600	DEM8671.exe	115
PID 4940 wrote to memory of 1616	4940	DEMDCAF.exe	117
PID 4940 wrote to memory of 1616	4940	DEMDCAF.exe	117
PID 4940 wrote to memory of 1616	4940	DEMDCAF.exe	117

C:\Users\Admin\AppData\Local\Temp\4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b.exe
"C:\Users\Admin\AppData\Local\Temp\4eecd5d3a0a9ab0fff8883a40805b4ac9cf3f219ce641313baea80d2c8657c1b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\DEM831A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM831A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\DEMDA04.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDA04.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\DEM30B0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM30B0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\DEM8671.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8671.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\DEMDCAF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDCAF.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\DEM3261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3261.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM30B0.exe

Filesize
16KB

MD5
d50b7baa027f91c6ea1ecb31ebafae55

SHA1
5c96f4fe2a32fdbf8b52aceb8626a54fa481083a

SHA256
e824e5f64fa2c19f41c0c2bea71bce0f99e682feeeaf05e2221306e6877482e2

SHA512
e8b9e686c7001a0cbcab3c24bb4efae6f85c6bfd52f72d259fd42182dd26d85cc9cd2b8339b7dbe939e7f8987a7b19290ec8d0613218d7d2bee66b202def890f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3261.exe

Filesize
16KB

MD5
7f921a2bc9f5652ac2fe331bbe1c2a91

SHA1
020c65d4ad7edd08f2b3d6cdfee59ccf36923675

SHA256
a5f6d3206fc547cd7726927a4c35bbb2601e4f4e5443584f33844c1ebe8d1508

SHA512
b5c221ad1a811aaf9befdf4dc0395627ddfec80c627fd48fbde415f98c7570663640cf2777d5d9bb1869bcf8d9ced39b234c4ea6179cf347162894f4c43aadc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM831A.exe

Filesize
16KB

MD5
6c8877beb0b4d3a35afd28f222b7b349

SHA1
78abb4862844e668645975d81ba3908c6adfd915

SHA256
8c3ab553e9cf975383562882d9eb8bf6b1e67ffa46c9947abf999e3c4e99b1f5

SHA512
0e327435aea4b311e6e3813ec1c4dc15a2c9b95d737b7f7c05dc49026adb2c3e464c08038473bed4e6c8318865b157db7a2c233b09b6c98232690c27aa4d5b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8671.exe

Filesize
16KB

MD5
477392b3c80b47ec778746acc9a088b7

SHA1
a407e5d71f94cc9ca13d82f55d877d443b336fa0

SHA256
07f38415bd3931727540ef49775dc89aa9e5aa63bee3f8cab9a506a809887ea9

SHA512
16263adbcf333703ce062e14b03a60b96b87c18c46e5a5e4136c1848156ed9d26c350aac61d915d5b9b5c437e8520fb1ddadd919932938c4b947394d8ae6e0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDA04.exe

Filesize
16KB

MD5
1d54d8f778402610483e4c1ae18e1d71

SHA1
852ae693414022220fc57a6c3de0fcc94e6445b6

SHA256
0435ba70dd27ce0a71bfdc5cc858b5088a1cd0cdb206b3fd452c2305f126dcb6

SHA512
88f49eff8e18aaf7798d71f14e28d6319186c71b15c27d74e2cafc8d3a6ea0c566c0691cc53ad0f6464b8993c687d0600cfee99795ea83036da31a1cb270a68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDCAF.exe

Filesize
16KB

MD5
b1cc46b432ce9ca31768b9e0a37a59ca

SHA1
22793bbfc482453183b23b0cdfb664f6502fea7a

SHA256
f18860773b7c85a0d999341eb8d69dc47771ba643bb6e921aefd27da3583e8d8

SHA512
376cad13387e0ef99bb4db255b1de8552b7b51ef2f756d4b2c82f7bc2fcc1dac8203473f31994feacdbd5863dc3a2b4fa4a2dab93ab5d3966fbc9d14dd1e4002

Download Submit

Analysis

Sharing