84a3fcfd44a2b88d5ce2457abd84ee89f27d5fd7ee33c9774816489b027984f9

General

Target

461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3.exe
Size

14KB
MD5

2af9e2abf1007372116f8c7bed8288f9
SHA1

19a77bf4311fb4929f9c0f5d0925827e5c83b001
SHA256

461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3
SHA512

4f9fa9f2d278f9aa7c5580f8abd07e7473426c4743ab8bac822741e6b059eeeebedb6392d286179a5f35a0a7e13c2224b024878caa504df0b6db9fce99d5eb66
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYDspLP1:hDXWipuE+K3/SSHgxmgp1

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM1DEE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEMC3BD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM1A78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEM7105.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	DEMC772.exe

Executes dropped EXE 6 IoCs

pid	Process
1812	DEMC3BD.exe
3540	DEM1A78.exe
1072	DEM7105.exe
3508	DEMC772.exe
972	DEM1DEE.exe
1076	DEM743C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC3BD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1A78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC772.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1DEE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM743C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1812	4604	461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3.exe	97
PID 4604 wrote to memory of 1812	4604	461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3.exe	97
PID 4604 wrote to memory of 1812	4604	461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3.exe	97
PID 1812 wrote to memory of 3540	1812	DEMC3BD.exe	103
PID 1812 wrote to memory of 3540	1812	DEMC3BD.exe	103
PID 1812 wrote to memory of 3540	1812	DEMC3BD.exe	103
PID 3540 wrote to memory of 1072	3540	DEM1A78.exe	106
PID 3540 wrote to memory of 1072	3540	DEM1A78.exe	106
PID 3540 wrote to memory of 1072	3540	DEM1A78.exe	106
PID 1072 wrote to memory of 3508	1072	DEM7105.exe	108
PID 1072 wrote to memory of 3508	1072	DEM7105.exe	108
PID 1072 wrote to memory of 3508	1072	DEM7105.exe	108
PID 3508 wrote to memory of 972	3508	DEMC772.exe	119
PID 3508 wrote to memory of 972	3508	DEMC772.exe	119
PID 3508 wrote to memory of 972	3508	DEMC772.exe	119
PID 972 wrote to memory of 1076	972	DEM1DEE.exe	123
PID 972 wrote to memory of 1076	972	DEM1DEE.exe	123
PID 972 wrote to memory of 1076	972	DEM1DEE.exe	123

C:\Users\Admin\AppData\Local\Temp\461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3.exe
"C:\Users\Admin\AppData\Local\Temp\461ac7c4d56cfd8edefb578b497f3bb5e453808b41112a65958828779c896bc3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\DEMC3BD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC3BD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\DEM1A78.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1A78.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\DEM7105.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7105.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\DEMC772.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC772.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Users\Admin\AppData\Local\Temp\DEM1DEE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1DEE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\DEM743C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM743C.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1A78.exe

Filesize
15KB

MD5
c327f9f20f6653813a8a1304e749aa3a

SHA1
59239e9bf9d2ab81de92ef6db8201430ad58023e

SHA256
511c0f7857df5a5a60ebea8a95eeb842af4eaa55837281ad19611d1935f6987b

SHA512
292d0a6898cbc55094539ced3ff48da2ee6551051bc1c790b43cf649705be767da8f19dcb5d68977872cb1f57e8f55054fbdd04abed78d1d2b0ae44c1ed76913

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1DEE.exe

Filesize
15KB

MD5
fb68f974d6fedb3a5aba78e34fd9b354

SHA1
4acd965e6fa53e66ec64c8554711384b438d7242

SHA256
9d8a0f0bd410dfb07c55ab00090f7faec375519948568c4adf98823311415e45

SHA512
a6f24de7a1e293d053b09882f8ab277f9b841894295fdd444ccfb05062dc0fca28b6797d4ca8e83ecbc6af95d2765ac59152cae073fdb749556aa9c7ef14d437

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7105.exe

Filesize
15KB

MD5
9dde414eb054149f8579243e9ba8183c

SHA1
5bcdbe85805f03dc9be785faf20305a72a7330a6

SHA256
d064e7a3608def82f789603b3fb01398f408510b4c158a592834a4e4ad4156ec

SHA512
3566ac5cbf0ed7dd754b6969257a6dd2dfcde1d9e464739030701187ae0f92107866675a91874b3d55d057ae50443ae2d76a8cd8ddb23a5252baf5a04cc4d031

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM743C.exe

Filesize
15KB

MD5
dd427b1a198384181e9b4470e24f1b04

SHA1
4ec3b6342c14e5ef80c6d9567bcbd5b302503714

SHA256
96f86d0bcbcf0b572cad09a926e44002ca7f9c5201ea74d2b33365e2d2fe9097

SHA512
ad97fe9903d28b3d0762ba563ebed6fbfd072a98cc34a51dd496eaabb6cb5c6466953000e09ddbde91940beffa44caab0231f55836b0efe49ee041b8906374b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC3BD.exe

Filesize
14KB

MD5
937d36c5d5271d44035fdbe4043cb539

SHA1
6f4d92e2a62ea94822412909ae62fda437b983fa

SHA256
adbd621bbf76eb11a2965a66fa20c981b96a5f869991b538077f2b8c35dade6a

SHA512
bfc416a1d4528118a2fc0f688dbf2371fcd4defc2538684e104d13dd92722ec45e272daf6c05dd8cf8a35a287de2f88c27e2b0ed98624edfb032b4f1d03e7184

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC772.exe

Filesize
15KB

MD5
a3904094d2510227de802f87902128f8

SHA1
4f9b66452f4360fca3557333790f53390ca7cf62

SHA256
984a9b0225b00e6541f0ef7d5e6dab903cc31aa47777af5d0601c6e749043e0e

SHA512
f85fceb42455261656842f17c780c5ea0cb5264a7cde6c1f52e5a79f42878ee1c2ab561dce39bcd8c56d87a14898addd5b2f34aec31734ddc9a7512903b62dad

Download Submit

Analysis

Sharing