c548fce4988535a63951bbb50b32ec4ed43ce6b148b281711b30172455f22ee3

General

Target

9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe
Size

14KB
MD5

ec1f2785283bff449a44f590c6086ac4
SHA1

2d8724f981e87eea644b3e9199dd5a55f43ee35f
SHA256

9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193
SHA512

dee709041c9c19b791d0fcfa56dbddd6e311979f8c54a060985d528dfa5dc2661a45e445e8f529fb21f054766f2a661d1e49877c12434fe1acd17a964eca451b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYfQw:hDXWipuE+K3/SSHgxmf7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM2E8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM84AC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMDACB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM81A3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMD86E.exe

Executes dropped EXE 6 IoCs

pid	Process
864	DEM81A3.exe
4540	DEMD86E.exe
2116	DEM2E8D.exe
1708	DEM84AC.exe
4312	DEMDACB.exe
4252	DEM3128.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2E8D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM84AC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDACB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3128.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM81A3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD86E.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 864	5076	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe	96
PID 5076 wrote to memory of 864	5076	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe	96
PID 5076 wrote to memory of 864	5076	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe	96
PID 864 wrote to memory of 4540	864	DEM81A3.exe	101
PID 864 wrote to memory of 4540	864	DEM81A3.exe	101
PID 864 wrote to memory of 4540	864	DEM81A3.exe	101
PID 4540 wrote to memory of 2116	4540	DEMD86E.exe	103
PID 4540 wrote to memory of 2116	4540	DEMD86E.exe	103
PID 4540 wrote to memory of 2116	4540	DEMD86E.exe	103
PID 2116 wrote to memory of 1708	2116	DEM2E8D.exe	106
PID 2116 wrote to memory of 1708	2116	DEM2E8D.exe	106
PID 2116 wrote to memory of 1708	2116	DEM2E8D.exe	106
PID 1708 wrote to memory of 4312	1708	DEM84AC.exe	112
PID 1708 wrote to memory of 4312	1708	DEM84AC.exe	112
PID 1708 wrote to memory of 4312	1708	DEM84AC.exe	112
PID 4312 wrote to memory of 4252	4312	DEMDACB.exe	114
PID 4312 wrote to memory of 4252	4312	DEMDACB.exe	114
PID 4312 wrote to memory of 4252	4312	DEMDACB.exe	114

C:\Users\Admin\AppData\Local\Temp\9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe
"C:\Users\Admin\AppData\Local\Temp\9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\DEM81A3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM81A3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\DEMD86E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD86E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\DEM2E8D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2E8D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\DEM84AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM84AC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Users\Admin\AppData\Local\Temp\DEMDACB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDACB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\DEM3128.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3128.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2E8D.exe

Filesize
14KB

MD5
1a84249df6512ef4ba249201d70ededd

SHA1
a2980819b18941c070cbe63c8cdaa948c8cca91c

SHA256
3e0189b93e2af27ecfe20010983510f2797282935a1d90a0980d67b7658c39d9

SHA512
1eed18fbf7b8e52d650ed153c47577e99d525ca68ace79d0fddb7f0577daa2944f3742cd62f58ddd7ce41aa7fcfe8f91eafa868ebafc8136bbaad87e98327ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3128.exe

Filesize
15KB

MD5
7031063ad93f7bb855e9806cb3b9899b

SHA1
8a03474c3caa045a07d36ccdf187e3ce754f6997

SHA256
b6a8813a81c50bf86f3347cc0b3f1058d2a9bfde94c56a99971c8a3d663998a8

SHA512
038eae6fdf161386243d293e5b90f93fd901ecb53b1ed43f461aca4b6107b0b9ad018208959055d7b178f48676f84927962c85636d92030f631121830d7a4544

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM81A3.exe

Filesize
14KB

MD5
8eb812d6a662f67d33b23838e5ab20c4

SHA1
5c4c53fb25159ffc75d48d6fe8456c745a490a78

SHA256
06c3457aa66eb7d379966541a12c61a558a9e481e2387cd2d174116879f03d40

SHA512
efb598b4a82f00bfbe9f22a7de707df82284fbbe3bdf36672b987261f068a7a7069afbcd4647567954c65a6512798fd79759db06bb747b419c62580e34e14111

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM84AC.exe

Filesize
14KB

MD5
7bebe1c3580c2dced832680a64e78bb8

SHA1
1b3cc20cd58afd457bfcf899e2e1c131a0e79b6d

SHA256
418597e42ebbe8077d08f3e8c3dbe9c9386243b23d5a91b0556f94624f8b5f06

SHA512
c0cad31e1ed6616c80b7338170f72c595c9f58ec5654f84dfea82906772f4554242c4eee4a3874a5bd9e5b230309be61b0c487485b1217f33654fade24e783ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD86E.exe

Filesize
14KB

MD5
a9988bfe018a20aa10af376e83c417fb

SHA1
14068020b1f5c0694bc345622d4922233d3871cc

SHA256
41b74b3383027ba4c9abb54ad7964b051f99ee57bc357fa5a675bd3739cb9212

SHA512
65af2df54b7b6679c258396c22d747400cbe8e7514aa121cc1a5ca614362d74cb49d51dde9e8300d89d09562ebfe17b26f7dfd48224a9ddf6b088966f6d937b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDACB.exe

Filesize
14KB

MD5
8f49605a0d80559209aac436314a50b4

SHA1
187da8cc9f060e48287e8ea5e4badaa000b65074

SHA256
0648fa18cc8de40a23defa516d4b7ee4ffa56c694c6a90684bcc20eca4859055

SHA512
0c6b30c087c17ce03a94c440f256629afa23ad43a434e2495f98ea0e244aa25cc31f6c602c3c8df6f1bcf2ddef491331628bc6823d2f05ecd00e3c58c270bd3d

Download Submit

Analysis

Sharing