b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b

General

Target

b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe
Size

20KB
MD5

cf7d8724ad2ffd991f888484957d0134
SHA1

3b8fd14a4d948460b7a7f061658bf7502c79d9d2
SHA256

b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b
SHA512

898daf29a95e588c5e1a7c62058ad5e079f79bd6426b273ec52de305be7f622dca33ec6d6e2f5cf24e61b1ea985b3373bead8fc224dda9a5e23ed45bf611964f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Ar5:hDXWipuE+K3/SSHgxmHZAt

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DEM74E2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DEMCC39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DEM2390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DEM7A7A.exe

Executes dropped EXE 5 IoCs

pid	Process
2668	DEM74E2.exe
2460	DEMCC39.exe
3504	DEM2390.exe
3548	DEM7A7A.exe
1772	DEMD116.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A7A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD116.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM74E2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCC39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2390.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 2668	668	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe	97
PID 668 wrote to memory of 2668	668	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe	97
PID 668 wrote to memory of 2668	668	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe	97
PID 2668 wrote to memory of 2460	2668	DEM74E2.exe	102
PID 2668 wrote to memory of 2460	2668	DEM74E2.exe	102
PID 2668 wrote to memory of 2460	2668	DEM74E2.exe	102
PID 2460 wrote to memory of 3504	2460	DEMCC39.exe	104
PID 2460 wrote to memory of 3504	2460	DEMCC39.exe	104
PID 2460 wrote to memory of 3504	2460	DEMCC39.exe	104
PID 3504 wrote to memory of 3548	3504	DEM2390.exe	106
PID 3504 wrote to memory of 3548	3504	DEM2390.exe	106
PID 3504 wrote to memory of 3548	3504	DEM2390.exe	106
PID 3548 wrote to memory of 1772	3548	DEM7A7A.exe	108
PID 3548 wrote to memory of 1772	3548	DEM7A7A.exe	108
PID 3548 wrote to memory of 1772	3548	DEM7A7A.exe	108

C:\Users\Admin\AppData\Local\Temp\b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe
"C:\Users\Admin\AppData\Local\Temp\b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:668
- C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\DEMCC39.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCC39.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\DEM2390.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2390.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\DEM7A7A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A7A.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\DEMD116.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD116.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2390.exe

Filesize
20KB

MD5
75eb4d38b206562eb2c6101d61fc0e94

SHA1
bd288773ce51337a199b97c30a9bab47c1ce05d7

SHA256
080551097b1b6f6ceadc17104b0743a4f0cf73dc93ed84b9cf69ca22a688e9d0

SHA512
39417cb66e799b0257c6d594ec79687bd5defacec97c2824df373993e94026d26051889ede56dec0e96a6d3b0b1352726e49c8bde06073f30e9df66a4d426530

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe

Filesize
20KB

MD5
762bfc2291a9fd9af4cd115f48885e65

SHA1
bf8c91dbf4f77dfe71eea0e3b98866651d8482e9

SHA256
720ba777d29dab1ef60402d308e2d7dd37c52d8d041181a379d42d7d64e131f3

SHA512
e0599cccc0ca0716e6f349f2dec2d610a4dc1dc47c872007ceb7e610c2a378e8f1eef9a8d52f7b46c1cec86da82de318eb08d58385d59c1379dbc69ee7134b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A7A.exe

Filesize
20KB

MD5
5be01d73b28fd235874eccc75d3321b9

SHA1
02ff28366d0414ec48508e9145394cf57811ac79

SHA256
bb8e5f3fbca38f4c24a1f9f91b578167391e15621ed14b406e9f52cdda9e22fd

SHA512
435d6b6fb7794b7effb412d131f5c2299fd093251abb4f59a7b8889da4363f86bcf644854a8d4587d1f855f56c311e349688636110ecb5f69521bc804cddd887

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCC39.exe

Filesize
20KB

MD5
9287e2e6c5d13029f9468352575bff7c

SHA1
1d3b5dd3156940911b9deb5f090cd0dcc1a1a224

SHA256
c800fac3b242649bf28ce70ea6099ce5c16a8a8714812c2cf713d445aa2b3c53

SHA512
ee0f65c4bd32f7ea7c98022566dc586d3a42366bf1c5b6b062f34cd89a36688a22f5c1b3d8463c633b949b27b73d741bec1f763a85f5e532fc013ca6a6e5d9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD116.exe

Filesize
20KB

MD5
46535293a695d5a2e3b08596042d32a0

SHA1
59bd0211ff712dcf2bf0451ab3f5bf761766c4af

SHA256
c0ab69bce2aaaffa350a56ecb8753fc3857c1a73255a74145a8da1dc7e6839ca

SHA512
242f479d6129d18c9223e60c82febf7973b3d0fa16081248dfb469509e1678cea9ad1554efebead96ff76dd3d71ced8cc0118be4bd38fd82973d965004820099

Download Submit

Analysis

Sharing