7adc97cf9381af4436a65c2b81133fa3875d2a15ab84274d4e75fa9cdcc812b6

General

Target

6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe
Size

14KB
MD5

c1dc82e8bccf41b3034319d13c6b17b9
SHA1

9c06a9ff8da37f825a20a3e59ec36c8f66f82f68
SHA256

6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d
SHA512

df8302a4c42c11688226bd78ce23cd5df1596607dddbcafd81d9b87060df29e508a960b6ba1904c52b415760330c5e368da7bb0d87f0657b6121ba4d92003c8d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYfQI:hDXWipuE+K3/SSHgxmfT

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM8240.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMD8EB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM2F77.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM85F4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMDC32.exe

Executes dropped EXE 6 IoCs

pid	Process
1640	DEM8240.exe
2432	DEMD8EB.exe
4932	DEM2F77.exe
2212	DEM85F4.exe
1596	DEMDC32.exe
3356	DEM32BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD8EB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2F77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM85F4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDC32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM32BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8240.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1640	1064	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe	96
PID 1064 wrote to memory of 1640	1064	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe	96
PID 1064 wrote to memory of 1640	1064	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe	96
PID 1640 wrote to memory of 2432	1640	DEM8240.exe	101
PID 1640 wrote to memory of 2432	1640	DEM8240.exe	101
PID 1640 wrote to memory of 2432	1640	DEM8240.exe	101
PID 2432 wrote to memory of 4932	2432	DEMD8EB.exe	105
PID 2432 wrote to memory of 4932	2432	DEMD8EB.exe	105
PID 2432 wrote to memory of 4932	2432	DEMD8EB.exe	105
PID 4932 wrote to memory of 2212	4932	DEM2F77.exe	107
PID 4932 wrote to memory of 2212	4932	DEM2F77.exe	107
PID 4932 wrote to memory of 2212	4932	DEM2F77.exe	107
PID 2212 wrote to memory of 1596	2212	DEM85F4.exe	117
PID 2212 wrote to memory of 1596	2212	DEM85F4.exe	117
PID 2212 wrote to memory of 1596	2212	DEM85F4.exe	117
PID 1596 wrote to memory of 3356	1596	DEMDC32.exe	122
PID 1596 wrote to memory of 3356	1596	DEMDC32.exe	122
PID 1596 wrote to memory of 3356	1596	DEMDC32.exe	122

C:\Users\Admin\AppData\Local\Temp\6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe
"C:\Users\Admin\AppData\Local\Temp\6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\DEM8240.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8240.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\DEMD8EB.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD8EB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\DEM2F77.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2F77.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\DEM85F4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM85F4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Users\Admin\AppData\Local\Temp\DEMDC32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDC32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\DEM32BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM32BE.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2F77.exe

Filesize
15KB

MD5
397c6a0e0c541ad87dc36932db445ea1

SHA1
c212597d7a5c806a70933c5b5da557708b1de5a4

SHA256
592e420ab8108d1da0c015b40d25d288275d7824cd8138a5b2270a14da69e09a

SHA512
45b246c88535acc8e61bbf0e1ec20f0aa8ea5dec847b044b343f462bf5e81c51e40799faa2fe44cf83745efebd96a3aa257aeee7aa81e7a3be19a7fcd7e67fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM32BE.exe

Filesize
15KB

MD5
a4d6144f55e2185d3fa7b86b400285ce

SHA1
a5931e019c4dab396615ed5e4fb97ab4aa8f4ae6

SHA256
90056a94d0b2aff1b24ba750f6bcb9b1a37a05825a52a18496da88ff7c55d024

SHA512
0c983cabec75addcc5c1f5af469278847b838a480e8b5cccf1b961d51c6bce7062ea00e71c1a795025c257691672895a0d97265ffd0bfa58808d039b416fd479

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8240.exe

Filesize
14KB

MD5
1056a585c89693a41ee3070fdb0cf66d

SHA1
a36c4ae2363d9d414119b6c726e087c94d5b003f

SHA256
b1d77747659911ce538524754d035137990c2480afb3fa4ab46a536392c36ab2

SHA512
747fa186de1433ecdb4135beee3c80046706572d98e26e3f149f978a668f43e2c1959440bddafe262db9510ee6aa8c9eb9e559460c5f04648825da60bba9025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM85F4.exe

Filesize
15KB

MD5
090502d1365a0b7cbd5736c1e26f378f

SHA1
d5b1706112cbbb8829a616b5cee13be01fa93209

SHA256
70727e10cc391f22fba57c17659bd648e5b7903f48bc96e750b89dfb16d9912e

SHA512
0278c41114faf9559fe0b11922266a45746fe8adb470d3eabb2aaba3e1e8b3d3f3de89dcd7687e93b800d85e99c74e029c0427f1a4976eab814d56c83f77786c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD8EB.exe

Filesize
15KB

MD5
f854b72f660f9f073b8e105b98a38c85

SHA1
d7481039e596d4b778bd41daca3917514c5c637d

SHA256
de20e5b5a0dea5689ce25f3314b6e5b78889a819baec44557ca938a3ed6c23cc

SHA512
4cd0caa0ae61c1326e543f18df95b93616e27828803c5add91289731bd82cf2c03a07f476093f3dd88cc81d035b105b6b1dd999e34e98d4b70682391d744afc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDC32.exe

Filesize
15KB

MD5
3ccd91f8d2efe9ade4e935f9151826fe

SHA1
594e9430a396fbc6e112504923d0f4ad31b323a1

SHA256
399964d257ffadc58ff9b385bbb703e09507fed998da7b55c44eb2d0c3c4794a

SHA512
c5a14ea2b1956b37823fb3cb2c00c266db3401490ec905d3da36d313fe2ea5470bbc8453c57ede13bff09285b88dd2d87b75f0c571c55637cab157af80ed9e2d

Download Submit

Analysis

Sharing