003291b532c939c57beb986b7c9eb8dad307832000680ac66136c2c88015e3e2

General

Target

1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
Size

16KB
MD5

cc469f137221fe0f88526c416d767d46
SHA1

adaf54c0a7d8eec727b7668d01089ff87c9cb744
SHA256

1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6
SHA512

40d355a5e683fb0f534259dcc6e8f8016594aba6b03ff6b29ce75cb8ad5b9a93330637c345e01f821e5336c0e9978d553eb2a87d9fabd787443a5928735aa1f6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlF:hDXWipuE+K3/SSHgxmlF

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM639C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMBA47.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM1085.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEM66B4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DEMBC94.exe

Executes dropped EXE 6 IoCs

pid	Process
1680	DEM639C.exe
3980	DEMBA47.exe
2956	DEM1085.exe
2644	DEM66B4.exe
2964	DEMBC94.exe
3228	DEM1284.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBC94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1284.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM639C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBA47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1085.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM66B4.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1680	4640	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe	97
PID 4640 wrote to memory of 1680	4640	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe	97
PID 4640 wrote to memory of 1680	4640	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe	97
PID 1680 wrote to memory of 3980	1680	DEM639C.exe	101
PID 1680 wrote to memory of 3980	1680	DEM639C.exe	101
PID 1680 wrote to memory of 3980	1680	DEM639C.exe	101
PID 3980 wrote to memory of 2956	3980	DEMBA47.exe	103
PID 3980 wrote to memory of 2956	3980	DEMBA47.exe	103
PID 3980 wrote to memory of 2956	3980	DEMBA47.exe	103
PID 2956 wrote to memory of 2644	2956	DEM1085.exe	105
PID 2956 wrote to memory of 2644	2956	DEM1085.exe	105
PID 2956 wrote to memory of 2644	2956	DEM1085.exe	105
PID 2644 wrote to memory of 2964	2644	DEM66B4.exe	107
PID 2644 wrote to memory of 2964	2644	DEM66B4.exe	107
PID 2644 wrote to memory of 2964	2644	DEM66B4.exe	107
PID 2964 wrote to memory of 3228	2964	DEMBC94.exe	109
PID 2964 wrote to memory of 3228	2964	DEMBC94.exe	109
PID 2964 wrote to memory of 3228	2964	DEMBC94.exe	109

C:\Users\Admin\AppData\Local\Temp\1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
"C:\Users\Admin\AppData\Local\Temp\1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\DEM639C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM639C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\DEMBA47.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBA47.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\DEM1085.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1085.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\DEM66B4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM66B4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\DEMBC94.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC94.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\DEM1284.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1284.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1085.exe

Filesize
16KB

MD5
6a52166c75abaed03cf3eb1e5e87ed1d

SHA1
e65623685fad3d14f19708caf14d856330fbdeec

SHA256
0f6b94409d10eb350a05a7daef2c3f78f90a44cbdf581fc222502189336ccc8c

SHA512
de3d72bb93fa16e4e9eca7422619b8736456ab5821f3892c5bc4ea6e3c93eb1168e4dcb66970e9af5d06cc77291f42a4dfa9c94087615dd015e90ff209ea7367

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1284.exe

Filesize
16KB

MD5
ba8b4a40419eaa7e12bb08cefffe5298

SHA1
f90a49c63075cd444587fd1d2d59b322e4e92d86

SHA256
ddb03306ce80b033c0b900768a0ed21ddb48513e350a85bceb5f1ce6b45edea2

SHA512
9d6a2893f2c0025d7a55f1ec6685162677aec362e2de33dcb48f3050b8264a3624f060d0871b3686502ede215e86378f84c36db97f7b8330597684e0666f7d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM639C.exe

Filesize
16KB

MD5
cc0f3d0fc27cb5cc66752460fb9070f5

SHA1
f605c54777c908e8537c7eddeac359ea9895722e

SHA256
98c3c9bc57b09d49fd0c60d9afa050f4ec7d850e827705c5df5d5c9c8cfde918

SHA512
900b5d7517ff98ae0b09310ee83928ab23e2e0bf79e5145ce9ac43053aa9845ce3bb5bd2332fd5cedf9e6d0e939fde23f8f4f06905dfdeb7a2c5addc9c1d154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM66B4.exe

Filesize
16KB

MD5
6b1dfe6580ed68234db7b84cdba241ea

SHA1
8c2a0917b6d74f70b56afca88f954183438485c6

SHA256
d47c11990d43cbe5c320560c49615e76c833fdff0664408e2d627611bc103bc1

SHA512
208670ba7208b8818b830eecbfecdff59ab81679dec875b0e2e4aa00636058d7722cf27465533fe176fb74d3f2dcae36e34912d59a6ea6eeccf098b44f439850

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBA47.exe

Filesize
16KB

MD5
9323b91d5a749c0e13e2898229cd35ac

SHA1
1b39346b690de5cdc1d3050cbab3491b319a18b1

SHA256
15c5638fabdbddbb9e153b915b9de41719565937be9632a0cc5e7eff1eececb1

SHA512
36b4816d60d0c2e5e24b818881d16dd2f574eaac75bed8be1467126b95f0fe852654b47885ac088c08d61557d0080cbf922a59adc2203cd41486fad0a4a6d4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC94.exe

Filesize
16KB

MD5
de3f81cc3fc7509e8805976ab4121ea0

SHA1
872bf068935120b872a1b83f55003b73c5857a45

SHA256
f882bc70d23d36f0366ae0699eb15c182235639c335cf7db303a8b21c9aa6b1d

SHA512
45fffa61bca1783cb557ffcecc2bcab07b4efb36b49ff7a2bb156bb6836b8bad39aad3a4724e867bedb848458c9ee01717b616d4ba0d1c56197a71179c7dac37

Download Submit

Analysis

Sharing