1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f

General

Target

1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe
Size

16KB
MD5

7dbdf5f1a616ed9a759ab57b792088a4
SHA1

b15e54447a756f2c5ef3f938a193c9e278f1fe58
SHA256

1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f
SHA512

1b2300a569ea8fc6513aaca28847e3f76b282d9f7516247603b36a9bafb5bad05fe04617131036e8a337609279d0a41d0fdf34db94258b6a9f51e34cc9e09ec4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pkzT3T:hDXWipuE+K3/SSHgx4Gz/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM6ED2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMC59D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMC052.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM17D8.exe

Executes dropped EXE 5 IoCs

pid	Process
4228	DEMC052.exe
5028	DEM17D8.exe
2488	DEM6ED2.exe
1120	DEMC59D.exe
4456	DEM1C77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6ED2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC59D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1C77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC052.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM17D8.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4228	1224	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe	97
PID 1224 wrote to memory of 4228	1224	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe	97
PID 1224 wrote to memory of 4228	1224	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe	97
PID 4228 wrote to memory of 5028	4228	DEMC052.exe	102
PID 4228 wrote to memory of 5028	4228	DEMC052.exe	102
PID 4228 wrote to memory of 5028	4228	DEMC052.exe	102
PID 5028 wrote to memory of 2488	5028	DEM17D8.exe	104
PID 5028 wrote to memory of 2488	5028	DEM17D8.exe	104
PID 5028 wrote to memory of 2488	5028	DEM17D8.exe	104
PID 2488 wrote to memory of 1120	2488	DEM6ED2.exe	106
PID 2488 wrote to memory of 1120	2488	DEM6ED2.exe	106
PID 2488 wrote to memory of 1120	2488	DEM6ED2.exe	106
PID 1120 wrote to memory of 4456	1120	DEMC59D.exe	108
PID 1120 wrote to memory of 4456	1120	DEMC59D.exe	108
PID 1120 wrote to memory of 4456	1120	DEMC59D.exe	108

C:\Users\Admin\AppData\Local\Temp\1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe
"C:\Users\Admin\AppData\Local\Temp\1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\DEMC052.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC052.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\DEM17D8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM17D8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\DEM6ED2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6ED2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\DEMC59D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC59D.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\DEM1C77.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1C77.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM17D8.exe

Filesize
16KB

MD5
574ddb671807fda0bc8407bebba6ea88

SHA1
07eed3dbfde6217a5cab0f23788b6d15fc4e5441

SHA256
522a7dd11ee63e386a6e4b0750157f3978270292601e90d1b6b285043d7a88c6

SHA512
45ea642516b033237859893c578650c5fa362d21b2fb580477fedb81b9b533bb061d55040697c5db17cca38e5437252f1489dbe40d7dcf3cb752e6de33bb37e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1C77.exe

Filesize
16KB

MD5
526a52d87b7e822d780cfcb96d9da1b7

SHA1
2764f381b40cf1fe2a187a0b8a20532c8c2a91e5

SHA256
bc5cff8aee525756ff43d65ba1d6ea52ff73c85ba6aea4ee24896fa280791bee

SHA512
9f759c22d8966e90c148c05a3bb003d6e052ee560444fcb4be8615ac58f861364eccc0084fe2efdc909efe7b7b7be08c211b33963185d546066200dfd49db9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6ED2.exe

Filesize
16KB

MD5
723243739feff1bfea23c4df79615037

SHA1
9fee0a9bcb5386d5cd02b85bae9b2301fd041eef

SHA256
d750ae616ba04ba93a6a9b6c31bcff37672702bb3ae7a1edaf5fd094d0e0a64d

SHA512
3b496ec2dcc81cc08c3507d595cc3a7a1afeea93a57a1e010c011aa0856b51e7b41dd88bccecbbaa0eabb54c5ad56ac0009deee963ebcc717efbf8c11340204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC052.exe

Filesize
16KB

MD5
ef3f9030b16bb6134f459e356b2074e2

SHA1
4f5c20f5b28603755797e24493a240b3b003ddf5

SHA256
c20940638540632ff6a1d5abf9aa0dd0dcf0e0030b22bbd26a832a2ed5c1eb51

SHA512
bd34a1db3180679340664258659a0b5b071c92ad5e96baa42fb8960f3b5240402cadfcf2336650d604dfedca85d44e3fd0244b588aa37190fe70cbd7fee2798a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC59D.exe

Filesize
16KB

MD5
e54d88029133f444ba1cd55d088db3de

SHA1
6653e3a8eb282478e9ba9bda9ba8b554dd14cefb

SHA256
7ceed50ca2e9df3b99f6d4f8ec3ec3f2f181a7820cfa1546a88bad28ac6f0ce6

SHA512
92ada999d7ae9705eb3571337795304171f93f41eb279e8fd0349bd08dbf3757b9b4b926367da8b7162eacb8b93fdf614b723dca4b82ce8babc9c155de2012a1

Download Submit

Analysis

Sharing