5fcfb6fde353c2ab6162b6a8bfa031406b84a931a33b050d4cea02064cf18b21

General

Target

1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe
Size

15KB
MD5

7882288d4d55b9ef88e18a8e4eaae9fa
SHA1

15896423031607b8631e0ae77f02766cc8741577
SHA256

1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b
SHA512

0e4ef0e0a03ea741f52f549a6b329017df12c7bcde5de41af3dad8a2d71edf50dfd65b7e154d7598c618e83027471d8787ce89126fa1cd51642bc91f53390b34
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwCgr:hDXWipuE+K3/SSHgx/wCU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM6BC5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMC1D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM1870.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEMBEBC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DEM1567.exe

Executes dropped EXE 6 IoCs

pid	Process
3392	DEMBEBC.exe
4080	DEM1567.exe
4064	DEM6BC5.exe
4368	DEMC1D4.exe
452	DEM1870.exe
624	DEM6E41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBEBC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1567.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6BC5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC1D4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1870.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6E41.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3392	2292	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe	95
PID 2292 wrote to memory of 3392	2292	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe	95
PID 2292 wrote to memory of 3392	2292	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe	95
PID 3392 wrote to memory of 4080	3392	DEMBEBC.exe	99
PID 3392 wrote to memory of 4080	3392	DEMBEBC.exe	99
PID 3392 wrote to memory of 4080	3392	DEMBEBC.exe	99
PID 4080 wrote to memory of 4064	4080	DEM1567.exe	101
PID 4080 wrote to memory of 4064	4080	DEM1567.exe	101
PID 4080 wrote to memory of 4064	4080	DEM1567.exe	101
PID 4064 wrote to memory of 4368	4064	DEM6BC5.exe	103
PID 4064 wrote to memory of 4368	4064	DEM6BC5.exe	103
PID 4064 wrote to memory of 4368	4064	DEM6BC5.exe	103
PID 4368 wrote to memory of 452	4368	DEMC1D4.exe	105
PID 4368 wrote to memory of 452	4368	DEMC1D4.exe	105
PID 4368 wrote to memory of 452	4368	DEMC1D4.exe	105
PID 452 wrote to memory of 624	452	DEM1870.exe	107
PID 452 wrote to memory of 624	452	DEM1870.exe	107
PID 452 wrote to memory of 624	452	DEM1870.exe	107

C:\Users\Admin\AppData\Local\Temp\1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe
"C:\Users\Admin\AppData\Local\Temp\1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\DEMBEBC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBEBC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\DEM1567.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1567.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\DEM6BC5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6BC5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Users\Admin\AppData\Local\Temp\DEMC1D4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC1D4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Users\Admin\AppData\Local\Temp\DEM1870.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1870.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\DEM6E41.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6E41.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1567.exe

Filesize
15KB

MD5
2ab1079e737f61805e9e9d232500d39a

SHA1
0bf324f4ad3b1179f5918737428599d007031738

SHA256
d1abe51911f8273c7d7c12cda9ef30fceeda8068b0568fe1e6dfdd4af1981bd0

SHA512
ac2f3ab95f2d0109cdfcb1cb4e4a92d8eef61d33477a37e40e30903fd0169b8b51e365f90bf80984eac8fa0b29166eab2b1847f20cf9449e9ea3183621230034

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1870.exe

Filesize
15KB

MD5
336f5720c30e8cb0d6b97ebadd8c5d5c

SHA1
6a69ff48620f8eadbdd1942da8f3586499681eee

SHA256
b7c44119b8e39dd3f6eaffbf57924c5a34a220b247f2463e38c6cc45314cb5b5

SHA512
a103ebf2e5d6a3cd0d43b93fcc13ae9106cec1f0d41a08c3294b205f8e740c8a1bbc60ada793014d9e5222c184b91331e503d7c4027c593b45f0f7a4da2c5c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6BC5.exe

Filesize
15KB

MD5
fccd6e10fc62421ff3bef93873a76ddd

SHA1
35d5fb19720e3633660ee107fcd28ab96ff569c1

SHA256
628ca72f45994930d1d0d5b9e8dfdbb0d150738799262e9168a574cd8eaf6f33

SHA512
69065faac7b18328070803e097e07c41742fded00a2fc223609973691931d062fcf2a34b32c545c503f123a513ca9179b891b019cdb1d65b96e9c48253f43457

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6E41.exe

Filesize
15KB

MD5
3c833e537580460b451b4f5dcb9bab48

SHA1
cd6b033ca7b160b0e53ac629703d2db5d82c7620

SHA256
8ffdd9a9e50e80357d8ffd5451eaced02dba281a98b1669168e498f1af3c6144

SHA512
f5e2b531d10cb22c89073374613e8c44cc1d21765a95260e6ef163a6d37cef40976958feace2a18218cb6a68215d121b82f810ee026b96d8bf069a4e6ff78d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBEBC.exe

Filesize
15KB

MD5
216eb2f86b6c5da240736bc6198cd775

SHA1
8f16a000b8656d15a6526e394fea11b36abcfbc5

SHA256
00a974a9e45ff7dab45aebf7ae059213497e07f52853088b3da7e2e7613d5df9

SHA512
144bf2052c6f6e905d996efd213f9d8a4f611d0814f913f420da4b4f7c7e21b3845b7ff2cedaefe4c6b0a8fc40ca9c8af143a1d8522f7414ef613c478fbd77a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC1D4.exe

Filesize
15KB

MD5
f93edebae586297bf9c9bd331405c86f

SHA1
c6c80d0f18e3c2d267fdc99859855173984df21b

SHA256
76985403a5697b0febb6193e9c91ebe40d3bdc3bafe4653547090aded18967e1

SHA512
e9a053ceacec23eed1b4081ba9dac42b9f46f861e40c37182ec907996631b56648a4bc2a94dc7da43e15af3590c5d2fe6397159c336ee73c86b34889ecc531f8

Download Submit

Analysis

Sharing