0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592

General

Target

0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
Size

16KB
MD5

87404c90544f46c429d0fcc7b7a99c08
SHA1

0461c13a4057f96152d250fa1cbce638aee45b0c
SHA256

0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592
SHA512

fc5ed874d034d0da7048db658c2a5547e19d995e8cb248d67d5ea944e59e0ca5937510609370a533b7debffb098d7a353159060490e00ffe36d0e47a3a2da098
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY44EA1u:hDXWipuE+K3/SSHgxm5Z1u

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEMCD43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM245C.exe

Executes dropped EXE 3 IoCs

pid	Process
3896	DEMCD43.exe
1052	DEM245C.exe
4088	DEM7A1D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM245C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A1D.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3896	2312	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe	98
PID 2312 wrote to memory of 3896	2312	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe	98
PID 2312 wrote to memory of 3896	2312	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe	98
PID 3896 wrote to memory of 1052	3896	DEMCD43.exe	103
PID 3896 wrote to memory of 1052	3896	DEMCD43.exe	103
PID 3896 wrote to memory of 1052	3896	DEMCD43.exe	103
PID 1052 wrote to memory of 4088	1052	DEM245C.exe	106
PID 1052 wrote to memory of 4088	1052	DEM245C.exe	106
PID 1052 wrote to memory of 4088	1052	DEM245C.exe	106

C:\Users\Admin\AppData\Local\Temp\0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
"C:\Users\Admin\AppData\Local\Temp\0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\DEMCD43.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCD43.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\DEM245C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM245C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\DEM7A1D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7A1D.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\DEMCFDE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCFDE.exe"
        5⤵
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\DEM2570.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2570.exe"
        6⤵
        
        PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM245C.exe

Filesize
16KB

MD5
703489a67c3e82890e569d651ad40eaa

SHA1
239fed5a4307a9e70da943bc53aff891fa20804a

SHA256
99ce865004257dcea9658237aafd768cc2a4a173b20a0ece885d99ea7cbc9269

SHA512
8489f931a9a34cd564ddeb2e05c3e4393b0a913e2e47a0cb0b9eabb60ff95df46f8fba394c2d4eb14c4d222fd2c2fc6226f2a3ad3937d424b05d55ca3c52cd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2570.exe

Filesize
16KB

MD5
d5189f0222265862ebf694f898e77c6c

SHA1
e24002ba3e534e6b09b74004933518c51a86fac7

SHA256
fc562d29a5ad75e59482ae9bac779cfbdee932ec1cb9ca1ed0b63c6007ef87f9

SHA512
93114d90a79932f88f9155f7169bd33d6fa5ca6ed2b67e6b8b548cde432a688fbec7eaa2598733ddc35d778ff612a32545780f05c07deb2f8058f89233083b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A1D.exe

Filesize
16KB

MD5
9ddb65c4c2134695c547890e5b15c51c

SHA1
5c852b55ff99ff8cd8ce291f1db422bb6aa78db2

SHA256
001d849da5cd833c7bd78b55f35e9d70cf36c3c4c238e28150e8730052a22947

SHA512
2d04670dd9ad2ab09f8e5a4b780b05dd6de1f4c4afe6de392eaa8390a75444caa143080c00235c86b772f9b1a0fc22ff74268a97b6efff85a026bc0d7978fdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCD43.exe

Filesize
16KB

MD5
22513a071038e5c08af5e39e7361b67c

SHA1
05e42fcccc814e2e30083c83d40627015bb8c3e6

SHA256
83224cf514cdea10bf25bad47e7386dab6f522b79eac7edfb8d9a258a925d4a2

SHA512
98fc57ce893cc372e00d65dda7dcec64f6f7bcedf67c607c5a152f8aa21978d6568f6050fd1427fb0f5f6dda5622fbbbe0c770b6fe9ed6c169f5d92f2f733e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCFDE.exe

Filesize
16KB

MD5
185298f0eefa730ec7306a9e72fecf92

SHA1
332c2d8616a8c31d1055621cb836a807288b7942

SHA256
ab469e8291b27b3c9ce1e05f8354ea72c8c4128a61eab3d70cf4ca2004fb0321

SHA512
3419a99f52e1365645944784d687d949f843824b1e54cedef439f9986fce5401dcc2261df0cbd45b6b4d83cd927c08c9bbbe3392e5460e2b4e9232f3a89baf62

Download Submit

Analysis

Sharing