014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff

General

Target

014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff.exe
Size

15KB
MD5

8d3e9f3e5b79b579331eebf93b69e327
SHA1

cba027b57983cea96429cdcaeaded1adeff8989f
SHA256

014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff
SHA512

413a4198c0ed3fbda403bdc585e6a45a034c2205a6bc63cf65d5d40910819d4ffb2830d6e1c09229232c291ee0dac7939220500d116d39214fd9a9ad2df8708e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hqpX:hDXWipuE+K3/SSHgxmJpX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEMB14E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM8D5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM5F9F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEMB5ED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff.exe

Executes dropped EXE 5 IoCs

pid	Process
1736	DEMB14E.exe
3172	DEM8D5.exe
748	DEM5F9F.exe
5040	DEMB5ED.exe
3512	DEMC89.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB5ED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB14E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8D5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5F9F.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 1736	4776	014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff.exe	96
PID 4776 wrote to memory of 1736	4776	014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff.exe	96
PID 4776 wrote to memory of 1736	4776	014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff.exe	96
PID 1736 wrote to memory of 3172	1736	DEMB14E.exe	101
PID 1736 wrote to memory of 3172	1736	DEMB14E.exe	101
PID 1736 wrote to memory of 3172	1736	DEMB14E.exe	101
PID 3172 wrote to memory of 748	3172	DEM8D5.exe	103
PID 3172 wrote to memory of 748	3172	DEM8D5.exe	103
PID 3172 wrote to memory of 748	3172	DEM8D5.exe	103
PID 748 wrote to memory of 5040	748	DEM5F9F.exe	105
PID 748 wrote to memory of 5040	748	DEM5F9F.exe	105
PID 748 wrote to memory of 5040	748	DEM5F9F.exe	105
PID 5040 wrote to memory of 3512	5040	DEMB5ED.exe	107
PID 5040 wrote to memory of 3512	5040	DEMB5ED.exe	107
PID 5040 wrote to memory of 3512	5040	DEMB5ED.exe	107

C:\Users\Admin\AppData\Local\Temp\014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff.exe
"C:\Users\Admin\AppData\Local\Temp\014773b8bf24e49ae084a86721d634a8f0f612431a07e203a2bcb1b80f1663ff.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\DEMB14E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB14E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\DEM8D5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8D5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\DEM5F9F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5F9F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Users\Admin\AppData\Local\Temp\DEMB5ED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB5ED.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\DEMC89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC89.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5F9F.exe

Filesize
15KB

MD5
f09f9dd36817902f653c1e6b98354984

SHA1
f08b6057deb8487160b634acd56235e1d2328f87

SHA256
bc77638278164275ed2212930602da24b866bc8640dd3b4ffda0e0023bc06df6

SHA512
f735caa05611785595cd56099433cde283e488955196c352d36ad902a876fcc048342102ae17eb05b3938159aa46b66ed45205982199d1c91817faa61a4fb5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8D5.exe

Filesize
15KB

MD5
345ec131c2f77ad6103386d080007879

SHA1
1519c70e00623deeec7ebea01bbe4762fe9eba52

SHA256
325bad15a927c72253c366dc8fd6691a466890f8693e4ec225b3459a401c5a4f

SHA512
a7c83de25adda95e8170817ccdfe0e3085451032c158d24c1460ee550b7b91a6fc32d9a01944b4cf89800bd4df4a4ac709a265dca288345f412c6a5a28482ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB14E.exe

Filesize
15KB

MD5
3408d1aae235d378379698f0486befc7

SHA1
f8005ffd63e39250fafe9e6cb1aa959ec0b686b7

SHA256
aeea531c8d4ac9fbb295ca5ee24bcee86ea057658d2e51bc6d8f17fc3c1b83dc

SHA512
321e746426fdeb50347f8d632bf5be4597ccd2001873e69bc76e99f0d05768de9278bb58097e1665d561fd95881291601f4043bc9f121b8e84897f097a43879b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB5ED.exe

Filesize
15KB

MD5
c66f1f8b5bed07548d7ccfb64aaed6ee

SHA1
e8f87938ae9b026b316e86794db395cc1a8a8b9d

SHA256
105886a9c742d6a2590be26e3c4fd67d857fe65021a95f39f65c7944b90c699e

SHA512
0a7104fa4763f234f837ef07dd382fdbd46c4973d2ad5c3d1b428a46a43c52b57909b43a3839de90a0b4d47a8c7f01c074bf82fe0eb75207f722bd6309550f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC89.exe

Filesize
15KB

MD5
b0300d4516de036dafd84a8572182a09

SHA1
fb3afedc8ac54b908459c021827096139a0f56fc

SHA256
8b7c58dfb7bb1ecbbda3838483516f560d7a11f87634d0e996dbfa5a152d2be3

SHA512
75088143d60a3261322bbf2e2f46f23574aeddd4b6b9a3836c2e1845345fbdf876f421e225eee9672ca78cc8634787efefc8650cce392eee351bd47e5f0db7f7

Download Submit

Analysis

Sharing