b2696ef9b38ab713dbd41fad108827df5bbc7b1d25b7e4cf4d6273c8fc73bd49

General

Target

20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe
Size

14KB
MD5

17855629d7298cba9723eecb307fd72a
SHA1

a863acd15ba0bed0d0182d058faa408f74fa4dfa
SHA256

20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22
SHA512

ab773410c9ba81d7c3fe7ad6603b8609155a2d7dee7a0c5c292e4c895287da157b0176a5b41c9e12cea0add2572d7e74537e01bdfeb97df3aa5e83c3cd024cd0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq44+:hDXWipuE+K3/SSHgxmq44+

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM34E6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM8B63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEME1C0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEM87CD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	DEMDE89.exe

Executes dropped EXE 6 IoCs

pid	Process
2552	DEM87CD.exe
4576	DEMDE89.exe
1580	DEM34E6.exe
4364	DEM8B63.exe
3508	DEME1C0.exe
3728	DEM382D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM34E6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME1C0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM382D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM87CD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE89.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2552	2420	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe	95
PID 2420 wrote to memory of 2552	2420	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe	95
PID 2420 wrote to memory of 2552	2420	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe	95
PID 2552 wrote to memory of 4576	2552	DEM87CD.exe	99
PID 2552 wrote to memory of 4576	2552	DEM87CD.exe	99
PID 2552 wrote to memory of 4576	2552	DEM87CD.exe	99
PID 4576 wrote to memory of 1580	4576	DEMDE89.exe	101
PID 4576 wrote to memory of 1580	4576	DEMDE89.exe	101
PID 4576 wrote to memory of 1580	4576	DEMDE89.exe	101
PID 1580 wrote to memory of 4364	1580	DEM34E6.exe	103
PID 1580 wrote to memory of 4364	1580	DEM34E6.exe	103
PID 1580 wrote to memory of 4364	1580	DEM34E6.exe	103
PID 4364 wrote to memory of 3508	4364	DEM8B63.exe	105
PID 4364 wrote to memory of 3508	4364	DEM8B63.exe	105
PID 4364 wrote to memory of 3508	4364	DEM8B63.exe	105
PID 3508 wrote to memory of 3728	3508	DEME1C0.exe	107
PID 3508 wrote to memory of 3728	3508	DEME1C0.exe	107
PID 3508 wrote to memory of 3728	3508	DEME1C0.exe	107

C:\Users\Admin\AppData\Local\Temp\20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe
"C:\Users\Admin\AppData\Local\Temp\20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\DEM87CD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM87CD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\DEMDE89.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDE89.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\DEM34E6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM34E6.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\DEM8B63.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B63.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\DEME1C0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME1C0.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\DEM382D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM382D.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34E6.exe

Filesize
14KB

MD5
67b2406306d7a42c82040d924646e9d1

SHA1
86e22f9f183356e61412c3a2803d25a4ab481a44

SHA256
04db1c394772d16f681bcc9412c2495c5b6ed31d18e1dbc997ed85c19dd7d827

SHA512
760493ef06da09442b434fb7277f58d615e4e133a41f9886f59ebed5a298351ce4626661e5c1cbf1554d451e5fbe89d56cacde7951d996782771d88ccbb0046b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM382D.exe

Filesize
14KB

MD5
0847d69f832d5ebfe6da5eb29908b9d5

SHA1
c25418a02a3405db77bf76fc6262d2ae7a338679

SHA256
a97106f378d449cb16b654895fcb43c890e2e22f8ff3c53474f2c0ada1f2ff36

SHA512
0b3cdab31944500916f25c8ca5da0ebc5e5e668ee3937df61d36324d51dc9f93ea5b00cb51fe415f8810a3d154f302304c546eeacaeb569db28c495cac4900a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM87CD.exe

Filesize
14KB

MD5
18f40a6a49766367005f40c7a9c50f63

SHA1
046ef5b65d330db0c8f2cdb0ae06f4a6821d83c2

SHA256
43763a53db71fc32337386aef27b7e9887e31e0ce1e7eb0e304d9e957a27e057

SHA512
37ec55b3b7dfa07fcdb0241e73123b8c2e7372a345624a53ab595d23d6515f3b9190ae8a700f3a26c8ed8cb7310cdd00953c70c437288e61dd231d81a7629a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B63.exe

Filesize
14KB

MD5
e04a4ec8641440f84caa05f791c849ca

SHA1
bf5d20fab3259ecef916c22340eb42bbcfcd51eb

SHA256
c9b99fe3119ddefddae777699fe2fda811dfca92f30825f9f4285aaf144dd46b

SHA512
ffc58b5054c3cf13d57b2a2c47fc610889ad3d6f1cb9792b8d6fb20e7a4aed2a13419c587e7b6efc778f95033e813da2b19c777bbaf80cc895033d6081518a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE89.exe

Filesize
14KB

MD5
fd9624f7164bd91116d4beb6d98aeaa5

SHA1
7420aee8716d633abececa705f8ff5a66c67a388

SHA256
4502d4d58595088b7132f3514142f3e38d3666215eb6b1af855a3021eac03b08

SHA512
e56baf621150cca3bf8795873c1ab0f3cd82bfd98d41e2a00dcf3b73bbb69c5822f421d5213a9b9cb5ef73dcd0d8a75390342865fe79178dcaa13d304ae3559d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME1C0.exe

Filesize
14KB

MD5
d0d3073036f0da269339b812bb5394a2

SHA1
429481e2ea1328d9a5f626366db3f2c483ae5c2f

SHA256
2b6fdf2db10bb0e50502b7bfd363aa820623a736fd86e11e5a016cdcf7823f21

SHA512
cca32f32b0b16a209569f4ad3716a2d5872dd531580b88ebc9b19b87125a8b4e08a54df86cbffff3c154100e18abff72a06b3088f63a9c455dddb48a49995974

Download Submit

Analysis

Sharing