f3f2bf280118b51394bac97e52e499289020c0848c371c3c9a99bd465871f0d5

General

Target

84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe
Size

14KB
MD5

26758226b02b56428050b0913a798ba4
SHA1

97a5f45a20dfd52878fd76326d35ecf5334e36c2
SHA256

84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56
SHA512

c1837ea8cb4341868e7a061193993fce2fee6097816b4bdf64b3183d8d76eb5856860555f3eae68cacaace72f1a421e02f1cb8d3005c055eb056787f40719489
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYfso+:hDXWipuE+K3/SSHgxmft+

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMCAF1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM2219.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM78B5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMCEF3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM2570.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe

Executes dropped EXE 6 IoCs

pid	Process
4572	DEMCAF1.exe
1056	DEM2219.exe
3400	DEM78B5.exe
1840	DEMCEF3.exe
896	DEM2570.exe
2260	DEM7BED.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCAF1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78B5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCEF3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2570.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7BED.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 4572	4312	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe	94
PID 4312 wrote to memory of 4572	4312	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe	94
PID 4312 wrote to memory of 4572	4312	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe	94
PID 4572 wrote to memory of 1056	4572	DEMCAF1.exe	98
PID 4572 wrote to memory of 1056	4572	DEMCAF1.exe	98
PID 4572 wrote to memory of 1056	4572	DEMCAF1.exe	98
PID 1056 wrote to memory of 3400	1056	DEM2219.exe	100
PID 1056 wrote to memory of 3400	1056	DEM2219.exe	100
PID 1056 wrote to memory of 3400	1056	DEM2219.exe	100
PID 3400 wrote to memory of 1840	3400	DEM78B5.exe	102
PID 3400 wrote to memory of 1840	3400	DEM78B5.exe	102
PID 3400 wrote to memory of 1840	3400	DEM78B5.exe	102
PID 1840 wrote to memory of 896	1840	DEMCEF3.exe	104
PID 1840 wrote to memory of 896	1840	DEMCEF3.exe	104
PID 1840 wrote to memory of 896	1840	DEMCEF3.exe	104
PID 896 wrote to memory of 2260	896	DEM2570.exe	106
PID 896 wrote to memory of 2260	896	DEM2570.exe	106
PID 896 wrote to memory of 2260	896	DEM2570.exe	106

C:\Users\Admin\AppData\Local\Temp\84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe
"C:\Users\Admin\AppData\Local\Temp\84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\DEMCAF1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCAF1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\DEM2219.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2219.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\DEM78B5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM78B5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\DEMCEF3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCEF3.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Users\Admin\AppData\Local\Temp\DEM2570.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2570.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\DEM7BED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7BED.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2219.exe

Filesize
15KB

MD5
4cbe3bcbc19c2cd58b45e5bf932f6d4e

SHA1
7a19d8e0a552d610b37061e7852582118048995d

SHA256
219345aae0ce63669b6638092d8232200aaa68ac3630801ad150ea20734a6bf6

SHA512
9d5b12d7dfe7a985e61153e1d15f10fcc23f1547f6098ffc10e508380a0deabe3e5fa803f76ba28e37e49b28b61d458880dd30a8a49b23b2473504f771df281a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2570.exe

Filesize
15KB

MD5
13a6aa2f9531dd2aa31ef7f32fafdb57

SHA1
86f1d8d28f2081c903b2dc06e20efe914aa7605d

SHA256
47e709ce49e35f505d0165c7844c984dbb25c80e3bcffd793aeb1a1b0befe9b6

SHA512
f4d3c03cb46369143d448d9211a2ee5282a4670a0761afdfab831d65a014cb7dcb883e7c34ab15656cba191ad02f1cf9ea9e426d813c9d6c02c31fa4d40ded71

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM78B5.exe

Filesize
15KB

MD5
0bc405ea77cec849e49f42eb18a28d63

SHA1
ce2f9d6aeb2c0d5f796c7e65158f9f8cc97abe0d

SHA256
8617114ff9952eacdc2694694bb32144273229eaba112b919b0ea56dace729b6

SHA512
659d1dbc762a76ca78ab3c08d28d7f0d4fd49771d9aeaf881e3ded5d04bd73083751a674385858919fb624741743c533b4cfb2b951704d3b9da8f2afaf7fd64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7BED.exe

Filesize
15KB

MD5
60bfb4cc0f6d418a2f35521b85702622

SHA1
64572c21e5df05959827097ab769748986cff43c

SHA256
c0ce43b8878f1db9bda44ec2434a102db30223212feb25d05c21e55320f18156

SHA512
abeead3f2ce2c26e38638471a2a6cbada1f85abc1682379231e4afb860b9a8776a564ff027974dc4e6ea910df043b6f6b3f99f65796518a68f6f9afbc79929a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCAF1.exe

Filesize
15KB

MD5
abe708068cdd0493a5cdd7109376a908

SHA1
c9358a893cc516f96fd4191f8a2f74ae8ead357b

SHA256
70384a2fb332032e0a643dc7a62db500eac8db66f3256c8542a63ab0f6c7d5f8

SHA512
aef9396b390909f2ae2f60ef1d1777291fe518c7707f27c22efa86a8133199375538ca2fa22f3c52d0031aade128112b6c849a2d666f62cdfc1a0ed14f618285

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCEF3.exe

Filesize
15KB

MD5
364951123f6cb2004107751a9f3361fc

SHA1
d3f7e71498a87e15efdfc1ce89a16f21d8ae253f

SHA256
7d9c83c41caf26a657b0aff6e37f8f8f8cc0c6cfc6f6a7b9b7243d96a5f513be

SHA512
48e58dcb81c205e8eda3878ba826cadd7646a0819c3023d37feaea64fd6ef0ad0d4186ef440723e1574481e2e45ebcfe2889c667be52f21e1b396f9fdd750978

Download Submit

Analysis

Sharing