b8a535c89149e8c8d8de6a246b4d849ce0b9148e119e72e7ebb9df432468f3c4

General

Target

7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed.exe
Size

15KB
MD5

2c7432d3739a0980a3b2e409561ae51a
SHA1

e0fdec47b1931d0f415900137898b10dad0806e4
SHA256

7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed
SHA512

734ab3c64bd23824ef35b4458d77dfa23691f836aa506ed5198dd89f831c977b0c51cc1fc034ab2828b661968045f3310aa7082a4ccd4c5481fcb96f037e0f66
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYLNo:hDXWipuE+K3/SSHgxmL2

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMB47B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMA6B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM607A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMB6D8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM5E1E.exe

Executes dropped EXE 6 IoCs

pid	Process
4992	DEM5E1E.exe
4356	DEMB47B.exe
2328	DEMA6B.exe
1636	DEM607A.exe
2628	DEMB6D8.exe
3580	DEMC99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5E1E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB47B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA6B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM607A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB6D8.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 4992	4032	7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed.exe	96
PID 4032 wrote to memory of 4992	4032	7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed.exe	96
PID 4032 wrote to memory of 4992	4032	7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed.exe	96
PID 4992 wrote to memory of 4356	4992	DEM5E1E.exe	101
PID 4992 wrote to memory of 4356	4992	DEM5E1E.exe	101
PID 4992 wrote to memory of 4356	4992	DEM5E1E.exe	101
PID 4356 wrote to memory of 2328	4356	DEMB47B.exe	103
PID 4356 wrote to memory of 2328	4356	DEMB47B.exe	103
PID 4356 wrote to memory of 2328	4356	DEMB47B.exe	103
PID 2328 wrote to memory of 1636	2328	DEMA6B.exe	106
PID 2328 wrote to memory of 1636	2328	DEMA6B.exe	106
PID 2328 wrote to memory of 1636	2328	DEMA6B.exe	106
PID 1636 wrote to memory of 2628	1636	DEM607A.exe	115
PID 1636 wrote to memory of 2628	1636	DEM607A.exe	115
PID 1636 wrote to memory of 2628	1636	DEM607A.exe	115
PID 2628 wrote to memory of 3580	2628	DEMB6D8.exe	117
PID 2628 wrote to memory of 3580	2628	DEMB6D8.exe	117
PID 2628 wrote to memory of 3580	2628	DEMB6D8.exe	117

C:\Users\Admin\AppData\Local\Temp\7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed.exe
"C:\Users\Admin\AppData\Local\Temp\7a136886a9389f2e077e67f6860d77084ba06826f1ae04772be420fabb3603ed.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\DEM5E1E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5E1E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\DEMB47B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB47B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\DEMA6B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA6B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\DEM607A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM607A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\DEMC99.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC99.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5E1E.exe

Filesize
15KB

MD5
f6c72882cd254df6af83a3d94bc7c394

SHA1
11298017b90ea1b3462bcf1d554358971c87bb6c

SHA256
17aa1438ebac008ad379a854f5de228d8e4b8301ea06f6ca629ce9e8f9fc948e

SHA512
bdd0d6b579a348984016776009efdf335f94a0b4e4340f92e9e016e5d086d2c9661c2d13d339008e81a9a5b5d0450ce29e1bc60f6fe8c39d8652946dbce91790

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM607A.exe

Filesize
15KB

MD5
1a56384e614ed1591faead61550a9cde

SHA1
5117793fa0db7fc05bbc7f8d0e03f5d91bf7dd69

SHA256
302bc4feed73d5f21b0a3a7f7b4cb3c86e37388a2e5c3b0a828c75340c025c99

SHA512
077a72b89d3e43cc8ed65792c4ae81372a6cca8e61b441d4f796d85d87cd593dde074f36079e629a677fb06ed5b82b4fe2a9d92ede531df6b7fd64ba0cef4b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA6B.exe

Filesize
15KB

MD5
391fbc5653663db123fc89c5cdf91a71

SHA1
54395a8c9fbbc806aa2326988b428cdeba6508f1

SHA256
dcaa10b72d9ddeda628fa5720c4200a447683e1615aa307a2bbee09ae85b9943

SHA512
616a71cfe6c3c7c08f421ef13b93fbacf09ebbdbc7e9bf66ab5846a7473081d980a73ef785378ef6fa1d51e1f9f11e5dc143d469b8ac15d57b21f7ac555bf067

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB47B.exe

Filesize
15KB

MD5
59c060aa9511b624d12d70858e966df2

SHA1
9a57abdaf3dd319b077018691edc9ea3a23b20cc

SHA256
d30e315692fb15cfd78b6d49e93f5282d248386ba41b4bd03da6b07b1de7fe86

SHA512
829b71bc4b3c613342e8a7b0cca039206b8e08da45fae8d20908dfe68968909488533feb211a2b40365799c1a2f766a643e16087ee52359cb0241047a0fcbe7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe

Filesize
15KB

MD5
fdc50d561a7300d2a9df1f1288c6e459

SHA1
d89ae45794ae08e5bd4a21c1bbc4f8a31ffbc4f7

SHA256
481f3dfdbada4e503c020b8578ffb5d469ff3850d245dfb508048e82086b6a1d

SHA512
b071b6a5452af0280a83ddb2e89187572de069972a25f60636a66ce4bf4b0a2a8ee0cd417cfc162e8b7d5fe4b8e386dd6b668d44f9c839c7c3bd48e2c8e4c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC99.exe

Filesize
15KB

MD5
9535bb550b98cbea1dcd4268403a9ec7

SHA1
c24fd503e8f311775f1e10054455674ce6ffb9f9

SHA256
4269c0b677e5de8c5038f08ea63c278ff3750b1ab30b9e23c4ac95c2013081dc

SHA512
175ecd7c3952b6b7e294123df157ed23902194e7971d5522ef57a531e7887e462ac5c47446aaa9dc32b53cb237556206668e3da938944e4dae193fd8f11fcc2d

Download Submit

Analysis

Sharing