3bdc1fce83d49a1be11ff043b55066b4290da043f2b637df80da90b6adc8bcef

General

Target

8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe
Size

16KB
MD5

7d2def95f853a3231c82ff4a024441ad
SHA1

842ae1745cacae836e52ceba38e95153d75f6608
SHA256

8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9
SHA512

7855865aad9c641fe415a975c605853d39f652d238a62174ced7601462a76e180553806d1ec1835eae90bf72b1a39a659cbc67e7893f133fcd2e9a6f955e75c6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlK:hDXWipuE+K3/SSHgxmlK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMC9E7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM2006.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM7654.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEMCC73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DEM73B9.exe

Executes dropped EXE 6 IoCs

pid	Process
3732	DEM73B9.exe
1012	DEMC9E7.exe
1412	DEM2006.exe
5000	DEM7654.exe
4376	DEMCC73.exe
4060	DEM2292.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM73B9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC9E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2006.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7654.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCC73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2292.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3732	2420	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe	95
PID 2420 wrote to memory of 3732	2420	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe	95
PID 2420 wrote to memory of 3732	2420	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe	95
PID 3732 wrote to memory of 1012	3732	DEM73B9.exe	99
PID 3732 wrote to memory of 1012	3732	DEM73B9.exe	99
PID 3732 wrote to memory of 1012	3732	DEM73B9.exe	99
PID 1012 wrote to memory of 1412	1012	DEMC9E7.exe	101
PID 1012 wrote to memory of 1412	1012	DEMC9E7.exe	101
PID 1012 wrote to memory of 1412	1012	DEMC9E7.exe	101
PID 1412 wrote to memory of 5000	1412	DEM2006.exe	103
PID 1412 wrote to memory of 5000	1412	DEM2006.exe	103
PID 1412 wrote to memory of 5000	1412	DEM2006.exe	103
PID 5000 wrote to memory of 4376	5000	DEM7654.exe	105
PID 5000 wrote to memory of 4376	5000	DEM7654.exe	105
PID 5000 wrote to memory of 4376	5000	DEM7654.exe	105
PID 4376 wrote to memory of 4060	4376	DEMCC73.exe	107
PID 4376 wrote to memory of 4060	4376	DEMCC73.exe	107
PID 4376 wrote to memory of 4060	4376	DEMCC73.exe	107

C:\Users\Admin\AppData\Local\Temp\8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe
"C:\Users\Admin\AppData\Local\Temp\8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\DEM73B9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM73B9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\DEMC9E7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC9E7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\DEM2006.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2006.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\DEM7654.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7654.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\DEMCC73.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCC73.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\DEM2292.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2292.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2006.exe

Filesize
16KB

MD5
7c5c856a7425d58d272a220f482df99a

SHA1
999dc5e9ac1eb1dca65ad1eee31af259e1abeed0

SHA256
36198c2689c8ef1a8658610496ac765d6816ce92f34a39e3662e675dbd69fe23

SHA512
3d7e44012c116d35e9732f75d806f723004dcac9578c9625bd1597d1dd0e33d70eeed4177d095c19f7cbf9bf6c9a46bf26623ec2e6f1a442baa2cea1ac6bcb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2292.exe

Filesize
16KB

MD5
ca55ed9e3a378b55e2ccde8635cf29ef

SHA1
5cf2b17847d60c4f7a5fe7038b4d692cac25e774

SHA256
9cdd5332042b76d8cd1333075d995fdf1e99aaf30ca8ac80c7a464f5a9a881dd

SHA512
dbbc45d53af4481851962ae262de87a614a8e1942d96fca75ba22f80fdadf25cab5c85c824aff2f92029b931cef7a90259c2e4ef91aff35bf3edd462ecb81060

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM73B9.exe

Filesize
16KB

MD5
04c562ded71fc4411aa626511e4ecd47

SHA1
e07a699e73b2b02a2f4cf3250d5a70b57bdc5a48

SHA256
5f1132c7c281262dc7a5dd16a37a750975b6451e1f6554c4cdc88e47b3225dc7

SHA512
b924ea676df493e74e1ce14670a7c34efd0891f317cdcfb8022747217cd6942f06a301455933eea5cb6fd3bdae7192bc4aebe55a2b02fe27af86ab73e5ac3f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7654.exe

Filesize
16KB

MD5
7e00d3df21590e523113160bffe73895

SHA1
784753de71486c7345bbc3447cc9a6948174d72d

SHA256
05bc461df97ba169482cb0ce7f5b0290866c212b8fd444592ae0e6c2d73eaa74

SHA512
d7d1afd1a3f6acf998875ab87f6943b60ad7885166d3ac6fbbeb76b5be61a5971147066230f911d0096b2d93563e23043b6e2640c61906886c6d91f010305f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC9E7.exe

Filesize
16KB

MD5
0e1602bd1c20b167b212d775c2ebebec

SHA1
76d1a06546012eb0cd2e1fc8689407cca14b7206

SHA256
656d2290ea816022c74f721b1cff6a67334c91d84ff2590126f6b755ef0ea6ea

SHA512
625facaf7f50933b393ad44f9845e29115f3d46a44c094f6fc1e7a74bf2ed4f3b09e252a263942b6384a19578d4884227391dc3e649f597dcd6ae1656a2166c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCC73.exe

Filesize
16KB

MD5
8de462f87b74fb9e2a5efedccf001688

SHA1
d40682709b3f00c8e353a8a8c7a29c7bbf0d308d

SHA256
94fc2997f07a5cce8fa5a0a97b23897a448ced33e7bea227a3a0243f974ea246

SHA512
c6e57a73271e63d5caf5a57ab024845816973be57eb9fd3ff253353f0956073891e719177c7bdc7610e05feb9123b6820b17a2a6ef1da2608c58fae6332cc3e5

Download Submit

Analysis

Sharing