9042ea5650fa90f9e763146070e00fbbee66b1b188588e2b90bd4cfdcaa12fea

General

Target

30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe
Size

15KB
MD5

07682186ff5262862afd6db66e24c618
SHA1

ca2b56db50e2ea8fbb8dcfde5fa42d4937fbf842
SHA256

30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743
SHA512

d52cb3ee0e2f33bf518cebc079c2e1ad4b105d47d7d9252d3bd425ba1c09e231c5359f37a3498c9b2ee51544c66552f7cc7f7a7bd2e11115b776cbed9ef0f1d5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cn/H:hDXWipuE+K3/SSHgx//H

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM1207.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMB844.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMF2E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEM659B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	DEMBBC9.exe

Executes dropped EXE 6 IoCs

pid	Process
396	DEMB844.exe
1012	DEMF2E.exe
1192	DEM659B.exe
1596	DEMBBC9.exe
2808	DEM1207.exe
4456	DEM68A3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBBC9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1207.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM68A3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB844.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF2E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM659B.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 396	4048	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe	95
PID 4048 wrote to memory of 396	4048	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe	95
PID 4048 wrote to memory of 396	4048	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe	95
PID 396 wrote to memory of 1012	396	DEMB844.exe	99
PID 396 wrote to memory of 1012	396	DEMB844.exe	99
PID 396 wrote to memory of 1012	396	DEMB844.exe	99
PID 1012 wrote to memory of 1192	1012	DEMF2E.exe	101
PID 1012 wrote to memory of 1192	1012	DEMF2E.exe	101
PID 1012 wrote to memory of 1192	1012	DEMF2E.exe	101
PID 1192 wrote to memory of 1596	1192	DEM659B.exe	103
PID 1192 wrote to memory of 1596	1192	DEM659B.exe	103
PID 1192 wrote to memory of 1596	1192	DEM659B.exe	103
PID 1596 wrote to memory of 2808	1596	DEMBBC9.exe	105
PID 1596 wrote to memory of 2808	1596	DEMBBC9.exe	105
PID 1596 wrote to memory of 2808	1596	DEMBBC9.exe	105
PID 2808 wrote to memory of 4456	2808	DEM1207.exe	107
PID 2808 wrote to memory of 4456	2808	DEM1207.exe	107
PID 2808 wrote to memory of 4456	2808	DEM1207.exe	107

C:\Users\Admin\AppData\Local\Temp\30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe
"C:\Users\Admin\AppData\Local\Temp\30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\DEMB844.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB844.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\DEMF2E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF2E.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\DEM659B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM659B.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\DEMBBC9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBBC9.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Users\Admin\AppData\Local\Temp\DEM1207.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1207.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\DEM68A3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM68A3.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1207.exe

Filesize
15KB

MD5
6f4dbe2dfef9bbe6cdaa5b01a1c12e05

SHA1
79b36f7bb41a05d9b6f233dfe61b1b20a32d0ac4

SHA256
4aa25b0d04e41954ca92434460065356315f3adb92e5d035837fec161d9e1c38

SHA512
1e2a3af48a0ee669ceb9c16503b70a95869913588efd716f567c0cb9f4eec9d127f5c863e7f47de7a171ebb74d671185d82b72af754349af0577e033fabd7e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM659B.exe

Filesize
15KB

MD5
9814b12c2ac5a4f2708b7a1eb704785c

SHA1
074212b4e33e01db7d9070f4d692444e672948db

SHA256
3dcaf4f9347a916a3b736e862210e5744c6bf6ad4e66004b255a8c74585770d1

SHA512
3677f82842148f3a467913a66aff869309bd58f803e4984bfcfec830c6bf8bbb26ceedf154b0c7bb2ce04efcf4a4a4450e2752ad9fd510667e57e1783468011e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM68A3.exe

Filesize
15KB

MD5
194c04fb2e4e8286cee254bd0ff9e4a1

SHA1
ab8c1574ca2345a7efc8450d97211d8e967f7669

SHA256
ab92e634f10859874871ceb1cb9a9748d17e671b91f15a1282278f813e7a12f3

SHA512
3400f69b0be1a4c761506a003778cfacc2099fc6e91707c29adaf1cf019a368fdd1d61938d582e3b1a7ae97211ab9f6fd6394db08074b79399fa92ccf8cb1f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB844.exe

Filesize
15KB

MD5
f5fdc5bffe65e7d6253a058353013bcb

SHA1
a4316e54d90dc2ad9f3a523c26c7ae52688474c7

SHA256
8d3d3e75843c9610aebbacdd3ae897ff7bb5e437fb8ebf43100a8aec05476367

SHA512
0a915a5172a1c1f0c70bc50f0fc946ce6efb99c5d1e562edf09588f53674536f85844f716bf5690b9441e28fe11b5ddbc8a26d17c105ac332384a1d43bed42d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBBC9.exe

Filesize
15KB

MD5
01172e7f02ad7d3b53e6aa5a00ae4035

SHA1
09c45dd8c32002f885894796aa0de6e8ee3a08ef

SHA256
037c3eec0244b2fc3c0a0d2969ae9eaec90f0242b4edd1e47dc6b335f809f820

SHA512
428c69576cf5fc4e271bfaa19f496b4cce04861de6a86abafaef82282162e9eeb84372250ac5918d07b8ba2d94a5ee5894e227a4a113993c92ade79272ea9770

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF2E.exe

Filesize
15KB

MD5
7a2f83cb1dcc22f2ace547144b7cac19

SHA1
cdb53e7dc1c98bfa8fbcadc5e27655d08c653c72

SHA256
3ffeb5d8dbb98e989c5300dab91c572b1a17ab37a49d8025df1690fc06d57226

SHA512
c290c18d044b56a976c43d0ccd9f4ae6f414006c5a9a5d49d5996ae4d3fa73c87491c569ccf631a5603a401f80688280d0bcf1a99c544c626d81b328c5f22df1

Download Submit

Analysis

Sharing