85f278c60a58914d77179ed82365c7ebb14fd89cda8d53a049183b8e93d7931d

General

Target

7ec4bf415fb1522e9cfa926be354b240N.exe
Size

15KB
MD5

7ec4bf415fb1522e9cfa926be354b240
SHA1

cec345a68f3e8e448d2f2b9deff0ebabd41b7ec2
SHA256

85f278c60a58914d77179ed82365c7ebb14fd89cda8d53a049183b8e93d7931d
SHA512

27568c94d51b1835603836f981a051ff62bee2bf872cbeae0cc9b97a2d3434c501887e3bd1def20958a3714f1079ab3f50455470fc643d4b33ea08800629e828
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl/:hDXWipuE+K3/SSHgxml/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM40CD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM96CC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	7ec4bf415fb1522e9cfa926be354b240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM93D4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMEA6F.exe

Executes dropped EXE 5 IoCs

pid	Process
1552	DEM93D4.exe
4940	DEMEA6F.exe
3328	DEM40CD.exe
3456	DEM96CC.exe
4288	DEMECBC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ec4bf415fb1522e9cfa926be354b240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM93D4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEA6F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM40CD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM96CC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMECBC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1552	3216	7ec4bf415fb1522e9cfa926be354b240N.exe	94
PID 3216 wrote to memory of 1552	3216	7ec4bf415fb1522e9cfa926be354b240N.exe	94
PID 3216 wrote to memory of 1552	3216	7ec4bf415fb1522e9cfa926be354b240N.exe	94
PID 1552 wrote to memory of 4940	1552	DEM93D4.exe	98
PID 1552 wrote to memory of 4940	1552	DEM93D4.exe	98
PID 1552 wrote to memory of 4940	1552	DEM93D4.exe	98
PID 4940 wrote to memory of 3328	4940	DEMEA6F.exe	100
PID 4940 wrote to memory of 3328	4940	DEMEA6F.exe	100
PID 4940 wrote to memory of 3328	4940	DEMEA6F.exe	100
PID 3328 wrote to memory of 3456	3328	DEM40CD.exe	102
PID 3328 wrote to memory of 3456	3328	DEM40CD.exe	102
PID 3328 wrote to memory of 3456	3328	DEM40CD.exe	102
PID 3456 wrote to memory of 4288	3456	DEM96CC.exe	104
PID 3456 wrote to memory of 4288	3456	DEM96CC.exe	104
PID 3456 wrote to memory of 4288	3456	DEM96CC.exe	104

C:\Users\Admin\AppData\Local\Temp\7ec4bf415fb1522e9cfa926be354b240N.exe
"C:\Users\Admin\AppData\Local\Temp\7ec4bf415fb1522e9cfa926be354b240N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\DEMEA6F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEA6F.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\DEM40CD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM40CD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\DEM96CC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM96CC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Users\Admin\AppData\Local\Temp\DEMECBC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMECBC.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM40CD.exe

Filesize
15KB

MD5
9dadf3d6f41a3b25872c639aa82525fb

SHA1
16537d50585134aac8dd41abb92f3fd5d7eb0f11

SHA256
7f5a001197c2aa06c02d74ea11053a96ec22493a097f60b8ab0bebbbedba33d2

SHA512
174b16b96d3b52bda64177e95be2528242918636dabcc0389fb3fb28726d2a7d44ff4f828ca428bda0ad1b89dc049e889adfa22227fbe298a38134cec94b5b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM93D4.exe

Filesize
15KB

MD5
e8d4f2247ac3c6b333bf852871d65239

SHA1
c091bf94d48472e3fd80a614aca1fa5418006347

SHA256
f3c85e710b19c1b098b55c6b8f6470ac0502f556edd2a5e5228ec9eb42eb3816

SHA512
5c8dd61c6c01989dd0787a398a4ee5e7449a6db323798fa0f529f6cb514527f939b8326273c1603124fc9dfd85db0a16521abf63e3522b1373f08ba814161ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM96CC.exe

Filesize
15KB

MD5
2f1393aa02927289b9cbd029199dc7a1

SHA1
344fdc3c5b23db3c386945f844c54b496995bf78

SHA256
3d358db25adc213e7bd164fdc7f6f7bd3ff6c814cecbc5b40a9e74d79c79ab4e

SHA512
8ac9eb829f45174d5e6636980070affe22ef7673ce0559c3c183e8f057c2e637ff45f6069f623f4f6e39766aebf1033fbf6815890f567ff8133ac2dee21af3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEA6F.exe

Filesize
15KB

MD5
0bbd09998df7bd4101046b33a89beebc

SHA1
c5580f1bd00902159deeaf01f3b0a512783403dc

SHA256
c5c6c49214716b163167aa9ac3102ff78c74b0c6419c90ff20d71de4d4791658

SHA512
b0718047b6aaa0bb97096cdb77605033ec1750ea11d38972d635a9cdbf237129b31ff2948aecb2ae6326922aa8a7c764c50bab2a1de9ec725fe9175ef1f5a89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMECBC.exe

Filesize
15KB

MD5
4f0214103a59e1685e4eb835ca8e725a

SHA1
9a6e36f5f640eac925d87accc96ee1f61ed1bc34

SHA256
eb8836edcd55db6f41ba12746985c8a862d7fa9da65c974275e2299f42bd4bdc

SHA512
7e22144ba1ff05d630e518430a3b5a39d6ad8261762a900f624f05a71e7c9bc2e23a7b057016c8ff163a16e3f1ae15e5c3a62a36682621f2a76bedb2bf635916

Download Submit

Analysis

Sharing