a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf

General

Target

a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe
Size

16KB
MD5

bfad3a963f1cd2c59fd197060afd7aff
SHA1

8f11a81c6fc1d9287bd834ee1c29665f168ff7c9
SHA256

a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf
SHA512

9c2a67bc1b16a859b3b8164dcaa3fdc436023bcab4f162bb095411887502a00ec4072bda2953437e491219402f74de48fadf1ab33a3d9386d25610ad3fa244e1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0Tze:hDXWipuE+K3/SSHgx4+

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEME157.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM3812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM8ECE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM8A1F.exe

Executes dropped EXE 5 IoCs

pid	Process
3868	DEM8A1F.exe
2808	DEME157.exe
1556	DEM3812.exe
4008	DEM8ECE.exe
404	DEME54A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME157.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8ECE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME54A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8A1F.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3868	4204	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe	96
PID 4204 wrote to memory of 3868	4204	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe	96
PID 4204 wrote to memory of 3868	4204	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe	96
PID 3868 wrote to memory of 2808	3868	DEM8A1F.exe	101
PID 3868 wrote to memory of 2808	3868	DEM8A1F.exe	101
PID 3868 wrote to memory of 2808	3868	DEM8A1F.exe	101
PID 2808 wrote to memory of 1556	2808	DEME157.exe	103
PID 2808 wrote to memory of 1556	2808	DEME157.exe	103
PID 2808 wrote to memory of 1556	2808	DEME157.exe	103
PID 1556 wrote to memory of 4008	1556	DEM3812.exe	105
PID 1556 wrote to memory of 4008	1556	DEM3812.exe	105
PID 1556 wrote to memory of 4008	1556	DEM3812.exe	105
PID 4008 wrote to memory of 404	4008	DEM8ECE.exe	107
PID 4008 wrote to memory of 404	4008	DEM8ECE.exe	107
PID 4008 wrote to memory of 404	4008	DEM8ECE.exe	107

C:\Users\Admin\AppData\Local\Temp\a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe
"C:\Users\Admin\AppData\Local\Temp\a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\DEM8A1F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8A1F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\DEME157.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME157.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\DEM3812.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3812.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\DEM8ECE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8ECE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\DEME54A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME54A.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3812.exe

Filesize
16KB

MD5
b017a5266a8955bbafc9a37c4a213051

SHA1
e5ac0caede43e226a653aff09d69189f87656bc9

SHA256
5613dbb070ebc8cc2425d53fb4b2c06ae9680d76a2d11e8ec2875b08bd6108bc

SHA512
dab3be83571ca6fa4c7210dc879c3eda173904c21b3f54e34c19c8583c115cd17ce95bb7deebab1b29ef8cef78ca2ee05fe7000df61f916c97c032c7faebc43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A1F.exe

Filesize
16KB

MD5
61cf49cb3baa1cb7e3062edf0155a7ee

SHA1
8e47401fcf61e05e2519f67eabe7d4148d5e9101

SHA256
3035df0979f6c159c2a8859c2931ecca13086f15694620a8143fb14aa9fe01e3

SHA512
99fe98f12655693eb7faa131622981c242513ef26891a307cd0a9a5cbf1231769a1f316f939a5c9a9d207b4d6406b016504dca3be66a604b5207d616ce142969

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8ECE.exe

Filesize
16KB

MD5
fa88609a265334f92851ba747f6d1041

SHA1
166996450c91d74b9cc06342ff2545c050d793d2

SHA256
e7e3d16e15e2b301cc03804d8e0f8a851b1bb68ee0fa4fd5b956a64f4f96c44c

SHA512
9ee8a0f013b0246b46f589a5b3e40d8c92e2c736748ad36fdf856c2372aee2d4777a5ad98413e3bfef4420c65d3d30de737b5024a5cc241a5ce8cd9b090c5ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME157.exe

Filesize
16KB

MD5
7b7f616d7a7d74cf0cf3f63565f5f0b1

SHA1
6a20ee8ab529f90ef5c8a0e941eeaaac7110c978

SHA256
6879af6cdb74fd7ae8bd0dc3e8ccff04c7048dd5ec965898ae56c1b7fe67f246

SHA512
4d6c34a96b8be1cfb1d8d6754b3a1eade83397edf7bf1038a6381d3ce9fda404f9b8f8a10887b4cb623a4bbdbf842813b815bf674c5875fbccb0590d1324a86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME54A.exe

Filesize
16KB

MD5
dde50cd4525f8c82111f2a1c61df5511

SHA1
b762b31a093111fd4328e18188250c7a0f5821a6

SHA256
40edec3adbadce4f00a1174652802948cec0aabd1d88cf851141ac11cd243da3

SHA512
a941c94676cce357fb6f84a7938430aef6f1062e4c820d1afb80db1a9f34a2cbcb2a9c4c66415d112169b61d29c723f52f8d4ce03ef290d9e68b8088869021c1

Download Submit

Analysis

Sharing