2896d3820bdba7e16391472b0ba4e6859d00617c7ea0942bb09aa9e3bb5e9aff

General

Target

4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe
Size

15KB
MD5

1a66883e197b07a279cc71e3aa581702
SHA1

c0ff3eb7efc04e621749223909ca31663604adb7
SHA256

4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6
SHA512

e55e9a3248207f3f8bcdaabc48d57023c963883beea5354dba6a8bf718812c614871b12f6f0ab3c1aacc89f84fa7205da7ded0ecd278dfe3b7e7941834fa3809
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5X/EmW:hDXWipuE+K3/SSHgxm5sX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM8BC5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEME261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM3841.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEM8E31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	DEME402.exe

Executes dropped EXE 6 IoCs

pid	Process
3296	DEM8BC5.exe
3704	DEME261.exe
3364	DEM3841.exe
3288	DEM8E31.exe
3600	DEME402.exe
1380	DEM39E2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3841.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8E31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME402.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM39E2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8BC5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME261.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 3296	1992	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe	95
PID 1992 wrote to memory of 3296	1992	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe	95
PID 1992 wrote to memory of 3296	1992	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe	95
PID 3296 wrote to memory of 3704	3296	DEM8BC5.exe	99
PID 3296 wrote to memory of 3704	3296	DEM8BC5.exe	99
PID 3296 wrote to memory of 3704	3296	DEM8BC5.exe	99
PID 3704 wrote to memory of 3364	3704	DEME261.exe	101
PID 3704 wrote to memory of 3364	3704	DEME261.exe	101
PID 3704 wrote to memory of 3364	3704	DEME261.exe	101
PID 3364 wrote to memory of 3288	3364	DEM3841.exe	103
PID 3364 wrote to memory of 3288	3364	DEM3841.exe	103
PID 3364 wrote to memory of 3288	3364	DEM3841.exe	103
PID 3288 wrote to memory of 3600	3288	DEM8E31.exe	105
PID 3288 wrote to memory of 3600	3288	DEM8E31.exe	105
PID 3288 wrote to memory of 3600	3288	DEM8E31.exe	105
PID 3600 wrote to memory of 1380	3600	DEME402.exe	107
PID 3600 wrote to memory of 1380	3600	DEME402.exe	107
PID 3600 wrote to memory of 1380	3600	DEME402.exe	107

C:\Users\Admin\AppData\Local\Temp\4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe
"C:\Users\Admin\AppData\Local\Temp\4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\DEM8BC5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8BC5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\DEME261.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME261.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Users\Admin\AppData\Local\Temp\DEM3841.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3841.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E31.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E31.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Users\Admin\AppData\Local\Temp\DEME402.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME402.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\DEM39E2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM39E2.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3841.exe

Filesize
15KB

MD5
d516fcea0f366af1ceb2c7afb79e0c5c

SHA1
37bacc8cd3b816bbbc109c829b36ef0426efd119

SHA256
314f93c46ca97c36a724180c3d1b0933e2c8695fc89c8f28cb6cf952146de715

SHA512
81bae74378f3e4c44d9e9aed3134b045321189b28873d8dea6cff4417519aa2351019dca945f9270e4fdf05592faa941b1ac03f05f483619e4dfad616a9f5284

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM39E2.exe

Filesize
15KB

MD5
175e6dc6e9411aa8b99a17368ed29727

SHA1
fff356b04be8cb93c6f4784669ee23e8a058d511

SHA256
fd72544f6cae93cc06061111424ebbdb3726be12757996f5d0f2425cccd95a64

SHA512
e642bee42cdadffa02aec2b8361d5e094b8187e78c1d58170fc080bdfceee2b7ddbdf6deca9ad78363882a3167f184d7d4b4533783f90aba3e7d0126f5b0d0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8BC5.exe

Filesize
15KB

MD5
7034737f15c24a4a18ab11c20758413b

SHA1
2dd53ee2ac6bb791d0801356fc0066dfcbe73ebe

SHA256
f797816c910d8f22a710359f604ca980482b8ccaba11664a1132af1ebb6debe0

SHA512
d7192b619089927b30fe76c46c39f90150b9d9a0132cdc8716ca5650df3addd5ee5e4c570c93cdfa894b411647cab3b99176e5fbe68b0221cd3f680d810199f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E31.exe

Filesize
15KB

MD5
ab487f682db637c0bfe6cc446d4ef80d

SHA1
2e6fc46a8785213152d0445959799b4fa4e9c05f

SHA256
fd5e9a5968e1e53d1773fe110e52614de57a7d796e0408cda1c11762e65e05ad

SHA512
5a4461ea4ad18cc1d6b060ab5b18eb5ce37ab56fdb0b64cfeb75980ccfa173f4add58e7ba5740ac8a19c2140a39c01d11e1c8603f1538f71e8e1010744ed6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME261.exe

Filesize
15KB

MD5
442ed9059c90c6c38d48a1bc3171e36b

SHA1
d39a883f541235adc81854a3d3ebe3321ad815f0

SHA256
329c670d4a6e7c28a69dd52fa3805149c59491a100dae1f7a4035bc72b377b11

SHA512
d21612ae0e2c048e6ef5ce0f62a14de59e6e7ae9917e77c0c2b1e2babd2926d6aaa226408cf56b574a8a42d6b1506bdc31d09589015fbba3ab6cdfe2c68630d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME402.exe

Filesize
15KB

MD5
4ca43296eebe4ca789fce9de6cc5f8ae

SHA1
49e2c1e98a7a22e08fa5011e68f114d28348be5e

SHA256
f2e7625e0cde461997a4ce435e16a658e25304bf71cae1cbaad338cace3fc970

SHA512
aa288b4c01978d6ddeff793fce9731b0830aa4249b60433e7a43351626d9ca685adb0c37813d034c0d762216eff487ad1fcc4f23cb64135ab3c72a2af7193e25

Download Submit

Analysis

Sharing