61e3ddd38d6b6f9e6415589e268d2f8218f89e4814589e38ab776bc5492c8af4

General

Target

daef9ce0d9d1d1e65bb642e8612816c0N.exe
Size

15KB
MD5

daef9ce0d9d1d1e65bb642e8612816c0
SHA1

a965ed4e91d531dbd9914e83d12209ed3a0ce002
SHA256

61e3ddd38d6b6f9e6415589e268d2f8218f89e4814589e38ab776bc5492c8af4
SHA512

eb554a7e73f67c94e5d51820813baea7c8c24850de533f75541279df88e3df88f7732e7a304e884e16d26e93478962cb2ad70967433efabbb19b3626779465a4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYls:hDXWipuE+K3/SSHgxmls

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEMFC32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM5261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEMA860.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	daef9ce0d9d1d1e65bb642e8612816c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEMA5E5.exe

Executes dropped EXE 5 IoCs

pid	Process
3080	DEMA5E5.exe
4580	DEMFC32.exe
1360	DEM5261.exe
4296	DEMA860.exe
4452	DEMFE41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daef9ce0d9d1d1e65bb642e8612816c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA5E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFC32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFE41.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3080	4544	daef9ce0d9d1d1e65bb642e8612816c0N.exe	96
PID 4544 wrote to memory of 3080	4544	daef9ce0d9d1d1e65bb642e8612816c0N.exe	96
PID 4544 wrote to memory of 3080	4544	daef9ce0d9d1d1e65bb642e8612816c0N.exe	96
PID 3080 wrote to memory of 4580	3080	DEMA5E5.exe	100
PID 3080 wrote to memory of 4580	3080	DEMA5E5.exe	100
PID 3080 wrote to memory of 4580	3080	DEMA5E5.exe	100
PID 4580 wrote to memory of 1360	4580	DEMFC32.exe	102
PID 4580 wrote to memory of 1360	4580	DEMFC32.exe	102
PID 4580 wrote to memory of 1360	4580	DEMFC32.exe	102
PID 1360 wrote to memory of 4296	1360	DEM5261.exe	104
PID 1360 wrote to memory of 4296	1360	DEM5261.exe	104
PID 1360 wrote to memory of 4296	1360	DEM5261.exe	104
PID 4296 wrote to memory of 4452	4296	DEMA860.exe	106
PID 4296 wrote to memory of 4452	4296	DEMA860.exe	106
PID 4296 wrote to memory of 4452	4296	DEMA860.exe	106

C:\Users\Admin\AppData\Local\Temp\daef9ce0d9d1d1e65bb642e8612816c0N.exe
"C:\Users\Admin\AppData\Local\Temp\daef9ce0d9d1d1e65bb642e8612816c0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\DEMA5E5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA5E5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\DEMFC32.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMFC32.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\DEM5261.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5261.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\DEMA860.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA860.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\DEMFE41.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE41.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5261.exe

Filesize
15KB

MD5
d0fc515b62b57ea2e1ad449c32495d39

SHA1
54bd9f0c8b5f2d6bcf136ba17d9c1491d86d912c

SHA256
bb9e5d254de7fb772bd269fd427fa64121c07998f12e0911ca739c695b4034f3

SHA512
8e86bd9843971d3f08711b32814ec32d1b44a0070ec7f3e6e2b5a9a0bfa8b3f2d3260e6c4b9c3281d20a9b8e5fe18f209455d1331a3bea39acef9d2dbd3efe4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA5E5.exe

Filesize
15KB

MD5
a721bb33fd7939487d85f176d5b9c8b4

SHA1
70233bf31c6aec346edcbcbedf3b69bac83d21a9

SHA256
01174981396acc529ce2b2e10085b73490f70ca27a6cd8823ccf86a0fc48dd36

SHA512
a2a17c62ec74984ba62cefc0dd3ebda6b8b49f0516bc8bf072bfb51388245dce12bb5e7f8b11ae1cb1d7e2121f9ad95b490686e0c06065b8a6c459aad0ac9162

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA860.exe

Filesize
15KB

MD5
2e7a2348cd8df56708b432f5edf25ae1

SHA1
5f4840b137598aafde7d330eba9cc4035d3ed1d7

SHA256
697441cac8baa7b808d4d6d5aef48094125954c13ecd9e524ef3554a1def6016

SHA512
c19ae01fcbb9b7cf7d406e1b83986be076defe479941a62fc7773d341f4b0e2124716682c39eb02a0a1c77237af7a2d698e35e7670e7f84a487060ce2a50028c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFC32.exe

Filesize
15KB

MD5
a4727968086ba3f829b5efa0c4acd2de

SHA1
0ec4e9f310505ea75d5c45d6ea007c5af68472d4

SHA256
b5538ec5bbb32b61019108218a91572869d66362498b9c0a988b12fa358338a4

SHA512
aa3a46aba2cb3f0dacab5e3b948f3d94cb3ec89ac0a4400dbeca97d8e9a4e8eae52dbde285c892405196f817adfe150a0fd44c84b71d5015bcee6c19ca1e7a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE41.exe

Filesize
15KB

MD5
107251298ce753f3f6843734a033c41d

SHA1
d17d1b9e5e9377f08ec08e29798c505ef3f6de19

SHA256
007be9c85435dba8d092d97da0e28e2fac0cbc3351b572a3fe9978b4b8c0914f

SHA512
f5dcd5da6b12d834032a42885f9f19ddaaca1ea2decdb0999171ae2e885995be1001871e891117dc7f847e7ea84f2677f9a82d37101165eefa0272ae5cc94749

Download Submit

Analysis

Sharing