ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b

General

Target

ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe
Size

16KB
MD5

0b02eb503865a337e8b31798a3f824d3
SHA1

f94099f2c5506b9c216158a3f1b84ee429123729
SHA256

ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b
SHA512

76a2c2c521b4d0da5282cd38d920abb91319e2d7e963b2f33d58bb25ae3d45ce1c0f485f87e0d3bd350c887bc5983504b3153db6ee1015721d57d1bfcafbe9d8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJHPSU0yI:hDXWipuE+K3/SSHgxmlOJHI

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM76B6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMCDDF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM242D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM7A4C.exe

Executes dropped EXE 5 IoCs

pid	Process
716	DEM76B6.exe
1404	DEMCDDF.exe
3744	DEM242D.exe
2152	DEM7A4C.exe
2616	DEMD0A9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM76B6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCDDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM242D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A4C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD0A9.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 716	3908	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe	97
PID 3908 wrote to memory of 716	3908	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe	97
PID 3908 wrote to memory of 716	3908	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe	97
PID 716 wrote to memory of 1404	716	DEM76B6.exe	102
PID 716 wrote to memory of 1404	716	DEM76B6.exe	102
PID 716 wrote to memory of 1404	716	DEM76B6.exe	102
PID 1404 wrote to memory of 3744	1404	DEMCDDF.exe	105
PID 1404 wrote to memory of 3744	1404	DEMCDDF.exe	105
PID 1404 wrote to memory of 3744	1404	DEMCDDF.exe	105
PID 3744 wrote to memory of 2152	3744	DEM242D.exe	107
PID 3744 wrote to memory of 2152	3744	DEM242D.exe	107
PID 3744 wrote to memory of 2152	3744	DEM242D.exe	107
PID 2152 wrote to memory of 2616	2152	DEM7A4C.exe	109
PID 2152 wrote to memory of 2616	2152	DEM7A4C.exe	109
PID 2152 wrote to memory of 2616	2152	DEM7A4C.exe	109

C:\Users\Admin\AppData\Local\Temp\ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe
"C:\Users\Admin\AppData\Local\Temp\ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\DEM76B6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM76B6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\DEMCDDF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCDDF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\DEM242D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM242D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\DEM7A4C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7A4C.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Temp\DEMD0A9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD0A9.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM242D.exe

Filesize
16KB

MD5
6fd596e1cb981dfb83efba910df71615

SHA1
0ba43aaf1423be134486b5bbfa35ca824ecd7d99

SHA256
0f18e53e99ca6ae543a8e3cc43df1eaa1ef5b9b8af3f5cd424ed67a35bd18ba1

SHA512
e23ed25a19a73efb09cec4085a7c543720ec5354311d4b885dd85f0ac335af75becc03d719089d2ff37972ac951bad8b65b90e3aa953af1ff6fcf6743a90ee40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM76B6.exe

Filesize
16KB

MD5
44be3e19915d538ef8cf8371f0fbb444

SHA1
a55a1402ba05f4286c2079c163db5daa88dd81e5

SHA256
81da9b5268a6f27c46a07ad0efd9c2c7d64952903d155209868f4f7a1ce10d48

SHA512
b80ad62b0bfe4e5943ed27d16109ac6ce9c9c2d3cad896af4df8159e1a769335ea669250cc7f15f2dea4939440494cbc96921f9ac53257befd66eecda1c16b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A4C.exe

Filesize
16KB

MD5
2acd7cada726ba4d27d6e55410e0566c

SHA1
ca19e51a69a7a679deca8aa317ae6cf4759545b6

SHA256
e01bba2a1998a62255c9256b3582f00933bd19a5cdf2950a7d77514acc9450b3

SHA512
3d84acd05c3d867125168cd38f3ee02ab7fa108e56902d3ee089c5706b3117057e9a9393ac55caeae857322ea8e9e7379cbb397d45759bc8d5d9a7352a0373b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCDDF.exe

Filesize
16KB

MD5
4cd0f2e220c77e2fa093dbe25263e707

SHA1
a9b390fc2c2dcc56e53219322ec80da64f4dad5d

SHA256
f05684aa884d8c6b17fa52563bc118015e34b2ee1eb7caa6c4243eae66a02f3f

SHA512
ddafdf6f25566ce89c9a66b2dd5133341b7257afc3d6d609f2805e718ceb8ac05419686e4fc435ebc72d53291fe9ac3da2f858328a4fac2356f4a0aaba4fb31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD0A9.exe

Filesize
16KB

MD5
7cedd40ca90553f1f11dda31ab8ff245

SHA1
5b9186748ceedd0f2fb8f552491049320f9110aa

SHA256
523f25bd16c71ae03a76490d5ae956fd0573fc3d8c9e85ef042b98fef2d71506

SHA512
75e44c23d804eb42174e1f28aca2a3a0c40692959555e3b21dc6667050fa63fa3461d9c7eace2eb0f31dfed9fbc436c7ea199e3ca2b59f0238b4fc22eb90fe72

Download Submit

Analysis

Sharing