115a26f15e50fb2b977785b0e735593e022c7c5471d5618e6c5ab5c362d0e711

General

Target

f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
Size

16KB
MD5

016ecdb9876c5124ed326acaebcf76c7
SHA1

866ceda0b453db4587f2d9e167ab6218462ca21d
SHA256

f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097
SHA512

e489c83ce455c93039be37d873c87a650847f0c635a65cf984d9b177a7898c787200d3c3f5a4621097604b234ce34fa8817fac795fd6b0f2a9d5161493e80aed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYld:hDXWipuE+K3/SSHgxmld

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEM6368.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMB9D5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMFE4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMB5B3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	DEMD0B.exe

Executes dropped EXE 6 IoCs

pid	Process
1940	DEMB5B3.exe
2532	DEMD0B.exe
4404	DEM6368.exe
1548	DEMB9D5.exe
4908	DEMFE4.exe
4636	DEM6642.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6642.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB5B3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD0B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB9D5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFE4.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1940	2920	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe	94
PID 2920 wrote to memory of 1940	2920	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe	94
PID 2920 wrote to memory of 1940	2920	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe	94
PID 1940 wrote to memory of 2532	1940	DEMB5B3.exe	98
PID 1940 wrote to memory of 2532	1940	DEMB5B3.exe	98
PID 1940 wrote to memory of 2532	1940	DEMB5B3.exe	98
PID 2532 wrote to memory of 4404	2532	DEMD0B.exe	100
PID 2532 wrote to memory of 4404	2532	DEMD0B.exe	100
PID 2532 wrote to memory of 4404	2532	DEMD0B.exe	100
PID 4404 wrote to memory of 1548	4404	DEM6368.exe	102
PID 4404 wrote to memory of 1548	4404	DEM6368.exe	102
PID 4404 wrote to memory of 1548	4404	DEM6368.exe	102
PID 1548 wrote to memory of 4908	1548	DEMB9D5.exe	104
PID 1548 wrote to memory of 4908	1548	DEMB9D5.exe	104
PID 1548 wrote to memory of 4908	1548	DEMB9D5.exe	104
PID 4908 wrote to memory of 4636	4908	DEMFE4.exe	106
PID 4908 wrote to memory of 4636	4908	DEMFE4.exe	106
PID 4908 wrote to memory of 4636	4908	DEMFE4.exe	106

C:\Users\Admin\AppData\Local\Temp\f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
"C:\Users\Admin\AppData\Local\Temp\f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\DEMB5B3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB5B3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\DEMD0B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD0B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\DEM6368.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6368.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\DEMB9D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB9D5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Users\Admin\AppData\Local\Temp\DEMFE4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\DEM6642.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6642.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6368.exe

Filesize
16KB

MD5
2b0a19b7a56e12f277c773981ca63a71

SHA1
8c25f04a15bf84913448f63fb9b327efc78d9df6

SHA256
e632d24184bedc72997ba069d684c66bdf5ce8985deea6194b5b2bfbaa113b5b

SHA512
95797e58e2871383a2c85077c53c7bb9bd600be89cf2f2f6742cee2ddf87c1e6bab0cc17898536b7190070db0912fcf531659f5eda51fb0a6d1162b1ed9f21d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6642.exe

Filesize
16KB

MD5
abfbc10a123642302ff076df6c5e9515

SHA1
bd1b6002cb7cdf839e38bb0e5427d59175a72cce

SHA256
b27855270da7179bfe3d2e8a1a9f69f8e45df937bfc8d82353aceb0815a8fc66

SHA512
967c5487336a59892bcaa8b676ee1def442f07135edb3a5850922517b6f157ffe35b3fa231abfe8426b89943694d665599b3a9d96875486cc275644a2f9962f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB5B3.exe

Filesize
16KB

MD5
1881cc0e5e151a6375893c2d9913ce40

SHA1
d755444e17bb21c8c02ac40f177324710337e301

SHA256
2ec135547bc00232d80b5efcc32a1064cb6e8a37b1daa4fecfdc6fd2199dc8e7

SHA512
46c9b9a6285924a40cc27ee7519e5c8f2a465d8c898fe633463253c29081fefb29c79d306608bdcf7e895e3cb9e3fd6a31ddad5bea7b7237f10d82ba473a63dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB9D5.exe

Filesize
16KB

MD5
2c7fce6d275b8f064bb591012348e2f2

SHA1
60406d4a2452ad53e60292117521abeb6b95c1f8

SHA256
aad943ffcc1e9716d2a909891b457c6a71a5a0386ef2e04d14ce1458cbbbbe6f

SHA512
4233d82cc7e3cd9005d8eb6ec9277f26755fdefdc68d5fd0f6da5a1a75a082e7fa5e7b4be0ed3aeac96410480de8419bc751437a25b920b5b1667f791a2326b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD0B.exe

Filesize
16KB

MD5
8f673894b2cb94e0d791c824d8825b7a

SHA1
89ca8d22e5ce26d00fdfe877553805bb04da8717

SHA256
ea7374d917e083dba1720d3aea831b922ffcb83bcac822f3922b3fd75f014aad

SHA512
46d268fa241cf2884881b83398824a88d16dc77b9f0843d80c2704d34b3ce61b672fe94b91056c743b6bd7afb78e70e3237262538588f967afcf4613c93cb1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE4.exe

Filesize
16KB

MD5
efbe1c9183094fc1168f3d2a8fbbd130

SHA1
6067af82ce1d9204c46559c859602ad8188af268

SHA256
b28da392be0134ea58cdd49c329f9ccae64c63786b5cd5226d0bba6df3c0ddf7

SHA512
6bdf1bf277df9816032fb1c4ac6387bf91bb63174d06e77bf740586319e39e91bb31c7f0e0f2956885ac808c4dfe6ae6dd9c3475b73204774409e9dc1ab7cfb1

Download Submit

Analysis

Sharing