b1a142d7b164528eedaf21ce7a867b713b72c2ed6c2147bbbe37bbe209ec2fcd

General

Target

a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe
Size

15KB
MD5

a32f79193610e3b9d191a3b777e67354
SHA1

e28835a34ece1c61628561057e02de1905ef011c
SHA256

a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d
SHA512

31dc2494ce5127674f7e8ad475e021eaf388565da116f3b4834807592fc59c386daa821bb091bcf40b5596a06a2876a4c0632980a1a940480eac25d33f80df19
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cn/vP:hDXWipuE+K3/SSHgx//vP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM16DE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM6CFD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMC31C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEM6A33.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	DEMC0DF.exe

Executes dropped EXE 6 IoCs

pid	Process
876	DEM6A33.exe
4700	DEMC0DF.exe
5096	DEM16DE.exe
700	DEM6CFD.exe
1392	DEMC31C.exe
1536	DEM195A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM16DE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6CFD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC31C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM195A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6A33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC0DF.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 876	2360	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe	95
PID 2360 wrote to memory of 876	2360	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe	95
PID 2360 wrote to memory of 876	2360	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe	95
PID 876 wrote to memory of 4700	876	DEM6A33.exe	99
PID 876 wrote to memory of 4700	876	DEM6A33.exe	99
PID 876 wrote to memory of 4700	876	DEM6A33.exe	99
PID 4700 wrote to memory of 5096	4700	DEMC0DF.exe	101
PID 4700 wrote to memory of 5096	4700	DEMC0DF.exe	101
PID 4700 wrote to memory of 5096	4700	DEMC0DF.exe	101
PID 5096 wrote to memory of 700	5096	DEM16DE.exe	103
PID 5096 wrote to memory of 700	5096	DEM16DE.exe	103
PID 5096 wrote to memory of 700	5096	DEM16DE.exe	103
PID 700 wrote to memory of 1392	700	DEM6CFD.exe	105
PID 700 wrote to memory of 1392	700	DEM6CFD.exe	105
PID 700 wrote to memory of 1392	700	DEM6CFD.exe	105
PID 1392 wrote to memory of 1536	1392	DEMC31C.exe	107
PID 1392 wrote to memory of 1536	1392	DEMC31C.exe	107
PID 1392 wrote to memory of 1536	1392	DEMC31C.exe	107

C:\Users\Admin\AppData\Local\Temp\a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe
"C:\Users\Admin\AppData\Local\Temp\a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\DEM6A33.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6A33.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\DEMC0DF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC0DF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\DEM16DE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM16DE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\DEM6CFD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6CFD.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\DEM195A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM195A.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM16DE.exe

Filesize
15KB

MD5
ff8efd6aa81af4f868852e763cd0b7b4

SHA1
ca5ca8c58204cb847136bc2cd0aa4923dffa1d83

SHA256
77e3cafb4bb28751c1f6955225d5e1dd8ff69bbcdd0c865ddac8de7454dcc44f

SHA512
3e4694aac86f56f9367696a2194ec5fb23c0ea7723ffd5e0a621be28b3d45d6c3ee7e49411616ccb4be5926effa6d64418c0a8df1078024124fee42b293e82a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM195A.exe

Filesize
16KB

MD5
047b937682b047d3ed4ddb0ac0a0621c

SHA1
33781542d56d6005c96652e6015d3102cf3034f5

SHA256
cc98d540a36e1a2fbd73cbaa95d3901b219f9d9e95a4bc0d0fe2af0c212f6423

SHA512
c68000ef191f17a800555c5ba5c7259313c40452e64fe2f8b29ac810704fb4ca1865c6141643429b75cef8fc6b3eb2add1aeadbead376b90e09657f78fcf7bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6A33.exe

Filesize
15KB

MD5
2aa8a59b6eccb9a66b8ec3f34d054b3c

SHA1
8346b84e38ff1b99f4fdd0f4082916e8fae53133

SHA256
d4eaac96f12491122d5110106578f5044d2a252d78771eb1e12958b03f4a71a7

SHA512
e47e7973eb8fc36e3fa44ba29c0cc2422c2a4041bdbdddcb037db756f46f053c7fddafeba1f24e289d6dd67126f8e92c64907eb07a515388caf1fc3a7144616f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6CFD.exe

Filesize
15KB

MD5
92038818c2ac7be0376c2d11c1ae4f40

SHA1
6773ec5a0a7a87295e046cb42b951eb4bdf037e0

SHA256
6eb1d3de2b7a801dcf26fb67c82ace743dce03cc7ccee9f44ac50b759a8cb1c6

SHA512
521e6e4c7cfbced61cdd847a0fecbb64c7ace1baede45f4a0497d0f3f77bfe821d6646e5fd382197058e140f26ff5dea56f127ba89d508d6c4fb4eb25df24235

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC0DF.exe

Filesize
15KB

MD5
cbe17632a8fa27904a8454cf4e2711d4

SHA1
4eda236cd0e35b1ed5e909076fceff0ea66d523a

SHA256
800fdb75ed6d033698cd6c9ddbbba4014d9745f092b11f9dbc20a3cbdc97fa13

SHA512
4d03c834e5c50d5e5b2879c120f5301b2da7acee695d050c27efc963b92b319f15056587054f5f6e9a68f7aba8bf60033595461374becab2f0bbee7e59b139f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC31C.exe

Filesize
15KB

MD5
a6c9469ca885cd43d15eb288686e306e

SHA1
e19bbd884bf49e0c53d10750caa8932292f34b6a

SHA256
72db5f1affd9e5562fb419599e8651bd95e90e4330ca5638aeaa8698fb5481d3

SHA512
16ef0141f90cce6781944d0aff9613fc944475201291baa25c278d452ce3e9332e93e23caa6fb14125178595c67095499a9d7463678528175060a91124868a22

Download Submit

Analysis

Sharing