85a5da72c9f70afeed5bd8729f01d2e11ff6a4aa6cc288155b54f8fe6b5f0e6c

General

Target

7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe
Size

15KB
MD5

a2b031369fdf150f953a9ebb0b023436
SHA1

9469226820ab5540f2c2fba8543d2f3eabb2c17f
SHA256

7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595
SHA512

565cb3ef1a508bf9342d0ba74df664f728ee03742206ee74ebc4fbe093a9edb1bfd6a08baa4af40ad7fedb9dfbb7390c6e3489e8139941fbb44426d7a5744505
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6Qi:hDXWipuE+K3/SSHgxmyh6Qi

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM10B0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM66FD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMDA7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM64C0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMBAA0.exe

Executes dropped EXE 6 IoCs

pid	Process
1140	DEMDA7.exe
4328	DEM64C0.exe
2808	DEMBAA0.exe
3476	DEM10B0.exe
1356	DEM66FD.exe
1352	DEMBD5B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBAA0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM10B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM66FD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBD5B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDA7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM64C0.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 1140	3296	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe	96
PID 3296 wrote to memory of 1140	3296	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe	96
PID 3296 wrote to memory of 1140	3296	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe	96
PID 1140 wrote to memory of 4328	1140	DEMDA7.exe	101
PID 1140 wrote to memory of 4328	1140	DEMDA7.exe	101
PID 1140 wrote to memory of 4328	1140	DEMDA7.exe	101
PID 4328 wrote to memory of 2808	4328	DEM64C0.exe	104
PID 4328 wrote to memory of 2808	4328	DEM64C0.exe	104
PID 4328 wrote to memory of 2808	4328	DEM64C0.exe	104
PID 2808 wrote to memory of 3476	2808	DEMBAA0.exe	106
PID 2808 wrote to memory of 3476	2808	DEMBAA0.exe	106
PID 2808 wrote to memory of 3476	2808	DEMBAA0.exe	106
PID 3476 wrote to memory of 1356	3476	DEM10B0.exe	112
PID 3476 wrote to memory of 1356	3476	DEM10B0.exe	112
PID 3476 wrote to memory of 1356	3476	DEM10B0.exe	112
PID 1356 wrote to memory of 1352	1356	DEM66FD.exe	114
PID 1356 wrote to memory of 1352	1356	DEM66FD.exe	114
PID 1356 wrote to memory of 1352	1356	DEM66FD.exe	114

C:\Users\Admin\AppData\Local\Temp\7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe
"C:\Users\Admin\AppData\Local\Temp\7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Users\Admin\AppData\Local\Temp\DEMDA7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDA7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\DEM64C0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM64C0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\DEMBAA0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBAA0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\DEM10B0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM10B0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Users\Admin\AppData\Local\Temp\DEM66FD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM66FD.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\DEMBD5B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD5B.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM10B0.exe

Filesize
15KB

MD5
25b0716f785f1eaeae4a9e77f2eae73b

SHA1
c267b8af2ec8b0260c931e033e67121582525c9c

SHA256
4e80a4fb9f2d46310df8a583e4d83c134c310e7b6688933187c3272721a3ba28

SHA512
7ad4f4837fbd064907aa0736df3ce9d6cafe4bb53a77c42b8585f6015857cc932907dc8f1ad3c38614b45a5bbf10fc873631cf06f8694573a1309e4d2d1d3904

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM64C0.exe

Filesize
15KB

MD5
98a4548ea4f7e5a8635fceef9632f20e

SHA1
4a268d4850f2f034f0f6d1d552077c172b57bcfc

SHA256
9ce96d00ae7c6e8d354184f7266900d81628f8b5071f7c09c296926b719b6037

SHA512
756f002bdb13a9882314e6c2ea83caf4a80a109c304e93cdb7862edfa7b3e1237acc14f13bb75e43cc8cbf533447e08484a88598a7da9d11a343cbdb1f126cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM66FD.exe

Filesize
15KB

MD5
54ea736327f7ca2008b4aec1fa6fa96d

SHA1
664b3b1939da95ecf6f68dee22892e74a552f5e7

SHA256
13505b9226ea5ae2af38ae74805720803a5057b75c1d67391461d32aba95f358

SHA512
5a30d0d6c74c856b224f97ff9609dad29f49baa1307bb06af27b85fb1926e9680d63b84d5f10c8b9a331675007dc05e768e72924a94669cc1bc266c10b088384

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBAA0.exe

Filesize
15KB

MD5
68e4fce3b00004361d54a33b853bee85

SHA1
0b1f84ce1a70057e11ddeb356c23f82970b7400d

SHA256
67c073b071fe4bf40dbc3f96de30a03f761286e4e0675968df7cb90bef585fd2

SHA512
4eed5693ac41b4873857b23669b2f100c25f9147e583a3707d644a72580033ce3a52b83214e13abeb7aec7ce9f10294088add8888a6a0adbbb7140fecdf8344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD5B.exe

Filesize
16KB

MD5
f76e381bccd541a93a8c7ca0cc8a133f

SHA1
7a28d9c786c0826e8683c531bbd884b30663dc92

SHA256
da49f5f021a9e6c1ab0224d3d9c61395749cdda5c4aee863b927a3e96e65aa62

SHA512
099cd7bd372d9e3b5e984c6cb4de8d243c5ec7889702dfb6da70208130ce06788fc7ed97b638bc312e27df898fdfa51c50fd8ac52bdf6045a4a4e9e9cb165e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDA7.exe

Filesize
15KB

MD5
0a9f8375095507133726c7fcc3e4d0c2

SHA1
0412663ca416b0d6f2a5ec80582ae5167dee3677

SHA256
3e18606b25de011450874c067778aff309c5590d3b75fbc41cc0a5a721ca7b4d

SHA512
bfca718d97e477ab1b371f0de6e20795fae4a8068fb5e083505f039e23ac95392bb5be511861782eda52e1bf7063761589c6b5f1d6b494346318ae46e55a9f62

Download Submit

Analysis

Sharing