193f5d859c69b65babbf2b4e38b078632c38943aa64c5ce9b8e25bdb1b8742e4

General

Target

1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe
Size

13KB
MD5

baf0690f5e83cdda90259d99be123ec4
SHA1

87ac210437e66262017586df412a5c523107a4d8
SHA256

1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590
SHA512

6b753f7cba1dae7a0ef4f6f1781cdbe7250e29466333d5b509eef16d46c05851d8aa6c608e25dbe9b2c681bdd233d0682fdc3fabd8a94221ac37174c557c737b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhLZ:hDXWipuE+K3/SSHgxD

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM62CC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMB929.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEM5FD3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMB650.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DEMC8E.exe

Executes dropped EXE 6 IoCs

pid	Process
4392	DEM5FD3.exe
1532	DEMB650.exe
1020	DEMC8E.exe
4960	DEM62CC.exe
1588	DEMB929.exe
440	DEMF77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB929.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5FD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC8E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM62CC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4392	5020	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe	95
PID 5020 wrote to memory of 4392	5020	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe	95
PID 5020 wrote to memory of 4392	5020	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe	95
PID 4392 wrote to memory of 1532	4392	DEM5FD3.exe	99
PID 4392 wrote to memory of 1532	4392	DEM5FD3.exe	99
PID 4392 wrote to memory of 1532	4392	DEM5FD3.exe	99
PID 1532 wrote to memory of 1020	1532	DEMB650.exe	101
PID 1532 wrote to memory of 1020	1532	DEMB650.exe	101
PID 1532 wrote to memory of 1020	1532	DEMB650.exe	101
PID 1020 wrote to memory of 4960	1020	DEMC8E.exe	103
PID 1020 wrote to memory of 4960	1020	DEMC8E.exe	103
PID 1020 wrote to memory of 4960	1020	DEMC8E.exe	103
PID 4960 wrote to memory of 1588	4960	DEM62CC.exe	105
PID 4960 wrote to memory of 1588	4960	DEM62CC.exe	105
PID 4960 wrote to memory of 1588	4960	DEM62CC.exe	105
PID 1588 wrote to memory of 440	1588	DEMB929.exe	107
PID 1588 wrote to memory of 440	1588	DEMB929.exe	107
PID 1588 wrote to memory of 440	1588	DEMB929.exe	107

C:\Users\Admin\AppData\Local\Temp\1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe
"C:\Users\Admin\AppData\Local\Temp\1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\DEM5FD3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5FD3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\DEMB650.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB650.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\DEMC8E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC8E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\DEM62CC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM62CC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
      - C:\Users\Admin\AppData\Local\Temp\DEMB929.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB929.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\DEMF77.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF77.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5FD3.exe

Filesize
13KB

MD5
c7804119a48b0021d7c2605e7c6d07af

SHA1
2ca4548e4ec883212ff0b7f0ec02a3fd1ce6248a

SHA256
bd67d59201e748b496224899aa6f0fecc29500a74e8591b80a28f6da5eca935f

SHA512
2a138ed1d071a8415f1a59d86d3f6a1685b06d38a5987375ca5c50bcfdd063dde12b42129b99ce3f97984cc3d58c82f4067a117090b2efab95d208a69622dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM62CC.exe

Filesize
13KB

MD5
ba4cf93ade1ae4d9e5d25173740030db

SHA1
fedf1d7967b330f1acd20c4321976a85cbb85d6d

SHA256
a74c4a386e045dc932117e10e4b706121654f319e6c416b25b4558bbc7e35124

SHA512
26cf8154f5cde8c5f7b4915b16c65d125d57851da56084fda846a7a4dd2ae63aa6eeb039f8f7edeb5ca1cfe46a97b04f85626c412556930a54a73a4a65eebe84

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB650.exe

Filesize
13KB

MD5
75f4a26f123b1169658e8ef096f32a1e

SHA1
575e6c20162b68b5351c76688b5f7ff427c83f55

SHA256
3dfc376755b645d5fa7c987f8e37fcb6315a99717c1c63468b93fdfc991560e3

SHA512
d941f2bb42307d46b47e0700bed43ab326107626d5e7833e41deb82c2402e7025d3619b7987ef042b3c14aad68653e4b39bae4ccd2d7b3558f35a57fcde94ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB929.exe

Filesize
13KB

MD5
4e4372d55045eff62bb70b3164e4ba1b

SHA1
d5651b875557813cdc030c49f7b9fb5b4248e1cd

SHA256
c25e3d21ed6c983d87a42169b280aad94fa27c00f36d7466e12192d0bf68a15c

SHA512
fa066e6f498c48b85451cadb7b9d61cd5655897b0c59cf633c70d36ed760150c2fa5b015154d8e11ca8155639c587263911abd1195a8f0eb9e9e5164ab7235bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC8E.exe

Filesize
13KB

MD5
16540cb5e794af5ddbb6dd75d4c4deeb

SHA1
41f4744c2e3432e2aca31c5a5a997069d979a4c8

SHA256
de8d5ceaa07932e37eb709e2ea320be649ca2597eaa35bd848be470e86292abc

SHA512
27659ae6d49415044573e58f700fb83acd53d2948e5f801ef48dc997cad76448416b34f700560163844fc7dc05d5be0d95c388544a04fd67361a4cfab0012e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF77.exe

Filesize
13KB

MD5
1eb9033a436d811901557fe595f53f27

SHA1
91cb8d17cb30db06e1a9b5987e291697a1582217

SHA256
40e4b75cf5723b66d9566261a76f8b7ef065d6f8bccbdf64d436b8d8e545551b

SHA512
ccd91af0704532d86f89a8ce8c910919be27493af46188509627d3b65024a9111b0d0713cb2a70b97846691d10d01875ca28de545b3e8cd37b1d861521c89e74

Download Submit

Analysis

Sharing