c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063

General

Target

c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063N.exe
Size

15KB
MD5

9b8c4f8cb737b2a3d7a2c20ddbdf8bb0
SHA1

340ce6074f275d36f0c1531afa4e52adc6eb6a6b
SHA256

c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063
SHA512

bcec7b98ad2b6d6250ee740c04898a40e1a561b8e83764be50473713a89700f34c30b91c153403af2a413f6119135c991544d4004b23bf75fd77030438c06d39
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlMD:hDXWipuE+K3/SSHgxmlk

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM5138.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMA7C4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMFE22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMF992.exe

Executes dropped EXE 5 IoCs

pid	Process
3576	DEMF992.exe
1956	DEM5138.exe
1196	DEMA7C4.exe
3896	DEMFE22.exe
984	DEM554A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFE22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM554A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF992.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA7C4.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 3576	1224	c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063N.exe	87
PID 1224 wrote to memory of 3576	1224	c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063N.exe	87
PID 1224 wrote to memory of 3576	1224	c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063N.exe	87
PID 3576 wrote to memory of 1956	3576	DEMF992.exe	93
PID 3576 wrote to memory of 1956	3576	DEMF992.exe	93
PID 3576 wrote to memory of 1956	3576	DEMF992.exe	93
PID 1956 wrote to memory of 1196	1956	DEM5138.exe	96
PID 1956 wrote to memory of 1196	1956	DEM5138.exe	96
PID 1956 wrote to memory of 1196	1956	DEM5138.exe	96
PID 1196 wrote to memory of 3896	1196	DEMA7C4.exe	98
PID 1196 wrote to memory of 3896	1196	DEMA7C4.exe	98
PID 1196 wrote to memory of 3896	1196	DEMA7C4.exe	98
PID 3896 wrote to memory of 984	3896	DEMFE22.exe	102
PID 3896 wrote to memory of 984	3896	DEMFE22.exe	102
PID 3896 wrote to memory of 984	3896	DEMFE22.exe	102

C:\Users\Admin\AppData\Local\Temp\c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063N.exe
"C:\Users\Admin\AppData\Local\Temp\c1cec481735d998828250d71696efbd9cb028cdc5cc1302f1855fd199dcdb063N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\DEMF992.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF992.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\DEM5138.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5138.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\DEMA7C4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA7C4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\DEMFE22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFE22.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Users\Admin\AppData\Local\Temp\DEM554A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM554A.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5138.exe

Filesize
15KB

MD5
74f8c496b17364b81c25b66eb4fbde9c

SHA1
c5f8e5a0ef8e5be4287df099d959692e2362cb0a

SHA256
81f666c48a969b27d673adb14af58a1f075fb32b0c0a06e3d1ff852a67bc3e7b

SHA512
3477d318d5774b9288820477aa119dee74e7ec2404c3c044049e1756946fd6c3c3c660936edf21f8bf5531c7b64bf0fe0b189fa944cff5f052232173fd8bae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM554A.exe

Filesize
15KB

MD5
f422e856a23abeb8be4fdd8d074b7382

SHA1
be76d28da1f0cc0405ce1574b4020fe2b1d69446

SHA256
dccbc5160ab721e96958c4021df699b3bf55558eaf502a24bf8036774a638439

SHA512
e64c0506dd1becfad14940a11172509b5671446cca0d6df4c3dc6ad5a5a08222d0d20498f073c3bccef285696f11110cfca058098204d3ea676d2252651c376d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA7C4.exe

Filesize
15KB

MD5
5bc238dc83db7531c3128251af18aa2e

SHA1
b527fa20c33564e6888eb1ac525bf3ececebdb09

SHA256
9a590f158fe0e32e02a72e32bd7eb00a47402838ace41767836ecd598657d8ee

SHA512
82b0e34d305fbee3be1f3f5f5a41892711718bbf7339d3319788b17813636775e35d8e77ef14b0bee57383f4280882731731dfa345ae0d61fce95fae28a2a67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF992.exe

Filesize
15KB

MD5
fab91d309f868e058bc3d801e6e613e3

SHA1
41525d565568b90ecb620c587e6d35f61eef74cf

SHA256
b1dc3b5432e366e16ca9639177a9e0d6a8b0b455b5c925534fb9f050fedc6def

SHA512
2333180b2c1c0eac1244adb9427edf1cd9d96b37096c01a700d33e74b20a0fdd2054219b55ca7b8cadc85b6fda2578cf0b606474de7ad3c1d7c487865afda122

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFE22.exe

Filesize
15KB

MD5
26156b7a09776588cef2ab6221770d3f

SHA1
296983bb98055afe78848e0b2a19b4d9f3f25c81

SHA256
71b1b505da34ad38651ce04f93430a4d61f14b7c44ee2b7d6d1ff3c8497225eb

SHA512
bd93bbc892b1c40ffa9b6b3fc7fb06dbb7d0d3b8c3105c36ad814c8a3f0b2560cac8af2c7430c4596996327e8ac405e14967cb065bb059e6d4aa2e707cfdb650

Download Submit

Analysis

Sharing