422963d4d341eab1542c58c7708a436e0d453df38d543128a1ed740ff71bcb2e

General

Target

8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe
Size

14KB
MD5

5c118ac87060f6f205cc4793b8a9500b
SHA1

f50ed9d66033353357224576efcb2666ba9b9821
SHA256

8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d
SHA512

e51e224e68ad37d25358d07dd2bd7fa021531130e6f3d1562a14119a6013538e444a1818969ea788c3df9e475c31b310d91a156a18b1d4c8796cadc1a3c2b2e6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRlGV:hDXWipuE+K3/SSHgxoV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMBFB6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM1671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM6CDE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMC37A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM1999.exe

Executes dropped EXE 6 IoCs

pid	Process
2904	DEMBFB6.exe
3992	DEM1671.exe
1604	DEM6CDE.exe
220	DEMC37A.exe
2060	DEM1999.exe
2652	DEM7015.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBFB6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6CDE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC37A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1999.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7015.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 2904	8	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe	96
PID 8 wrote to memory of 2904	8	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe	96
PID 8 wrote to memory of 2904	8	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe	96
PID 2904 wrote to memory of 3992	2904	DEMBFB6.exe	101
PID 2904 wrote to memory of 3992	2904	DEMBFB6.exe	101
PID 2904 wrote to memory of 3992	2904	DEMBFB6.exe	101
PID 3992 wrote to memory of 1604	3992	DEM1671.exe	104
PID 3992 wrote to memory of 1604	3992	DEM1671.exe	104
PID 3992 wrote to memory of 1604	3992	DEM1671.exe	104
PID 1604 wrote to memory of 220	1604	DEM6CDE.exe	106
PID 1604 wrote to memory of 220	1604	DEM6CDE.exe	106
PID 1604 wrote to memory of 220	1604	DEM6CDE.exe	106
PID 220 wrote to memory of 2060	220	DEMC37A.exe	115
PID 220 wrote to memory of 2060	220	DEMC37A.exe	115
PID 220 wrote to memory of 2060	220	DEMC37A.exe	115
PID 2060 wrote to memory of 2652	2060	DEM1999.exe	117
PID 2060 wrote to memory of 2652	2060	DEM1999.exe	117
PID 2060 wrote to memory of 2652	2060	DEM1999.exe	117

C:\Users\Admin\AppData\Local\Temp\8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe
"C:\Users\Admin\AppData\Local\Temp\8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\DEMBFB6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBFB6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\DEM1671.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1671.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\DEM6CDE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6CDE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\DEMC37A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC37A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Users\Admin\AppData\Local\Temp\DEM1999.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1999.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\DEM7015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7015.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1671.exe

Filesize
14KB

MD5
687d8c87919ef2b97b5937ec56ab67fb

SHA1
39d6033b4947750879f9886219ed4e57a6e500d0

SHA256
8a4f7b34815307ac8839fd77090b0cb39da021fb86294db9ccae49e1213212fa

SHA512
fdb898198ece127e2fb03b25cc1572e0712344e7be5e30cc6c044266961fc4ccca0b04be6923ec10a9527e92e39e07b07ecbce64c6aa372ccae07af9bf318c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1999.exe

Filesize
14KB

MD5
f38441a890c20173285e65521999951b

SHA1
730e5796bd5b8f0fa5d6ad66b9f7612ec80f4bc5

SHA256
d93ff65878497203c3a4534c96ee198ec5b862e4bc36b990e0000daade133181

SHA512
239e89ab91a88ded5c63e77d768aed0f6e54c64af841f8d96c8848bb50389df3d4f0fcd8f9742545b1b30d9a2d3b9c55c04c99c2d3f6e0d5764a98a9ae380f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6CDE.exe

Filesize
14KB

MD5
29cb29019f33d13c6a52f57f23e63a9a

SHA1
d95a41eed71cdd8fbdec48942b140c19379a6585

SHA256
c2c076c768ea89dcd498ff86fad95dcbb75e4e1407c1a964234e07fc358618cc

SHA512
d7c3afa445d84ed655c4a538d5e1e0bf84ad36516322a76d137ebd2bc5603352175e463bae0dca2c88b39fdb41cb80448c5c8fe1d31d785077afc2514f7badfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7015.exe

Filesize
15KB

MD5
0ef7b4118b8120f78bae88a3b05c9a71

SHA1
229c0c436eb415f043c199302ec36391ed06eb31

SHA256
acf5ed9544bdb9526c241b55c90ecb29385fd8b91cb8ec3b80f967b5b737d489

SHA512
dae802f5fc3975e0fd69f93ebf0ad729d0a569b6502a8f1d5174004387153a8c0f3f314bcbc6d6b21594ee42332b3eb65ab6cd7c779296b917259f1fbe9ed4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBFB6.exe

Filesize
14KB

MD5
e2fb3ab4013af441ff5a1529b7f7a67e

SHA1
78edb6617553662a2993bff5608c302be737e0fb

SHA256
71bcd6f5a94ac04659246a6ba015e9e18299d06fb2949ae79f18404c263d72f2

SHA512
25500951be673b66109596520b324874c051ad5110fe9f5d8c107bbcd8e8b53a65e58567b6d186ed98e25f19497a8e73b34cfea8e8d72b0ac08c58c2f74e0a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC37A.exe

Filesize
14KB

MD5
45ccc20095db1b11a0c21745ef81f74b

SHA1
b10873ca087b2cffc5fe5c49a7bd912a14f7ba51

SHA256
a553a09736132f2230cba6a2d8a71e205b4b208b68808a0eea73571cfde54c35

SHA512
2722585431843e15bc60cc358b5010b80be901e740f577fa94c27092baaa64d74fcdbe286c866e9fc6202ff7e187c782ffad3b8c4e43134f2c1ab77342178f42

Download Submit

Analysis

Sharing