cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19

General

Target

cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe
Size

15KB
MD5

6629599ca10416aa4d3d11c90e5d484c
SHA1

b7a1e5da97891bd15e73293961ab6107a4233cc1
SHA256

cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19
SHA512

4aa6c00250a90bd20e34cdebb44f5dca7f6d4d0199947b1db7fffac63a3084e25c80bf7ce7884cda29373c01c83e6e664adbe29537b0bddfd80c4f92c29543a0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5RAnCL:hDXWipuE+K3/SSHgxfL

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM6E4A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMC4F6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM1B24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM7172.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe

Executes dropped EXE 5 IoCs

pid	Process
880	DEM6E4A.exe
2368	DEMC4F6.exe
2572	DEM1B24.exe
1520	DEM7172.exe
2668	DEMC7DF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7172.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC7DF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6E4A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC4F6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1B24.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 880	4520	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe	90
PID 4520 wrote to memory of 880	4520	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe	90
PID 4520 wrote to memory of 880	4520	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe	90
PID 880 wrote to memory of 2368	880	DEM6E4A.exe	94
PID 880 wrote to memory of 2368	880	DEM6E4A.exe	94
PID 880 wrote to memory of 2368	880	DEM6E4A.exe	94
PID 2368 wrote to memory of 2572	2368	DEMC4F6.exe	96
PID 2368 wrote to memory of 2572	2368	DEMC4F6.exe	96
PID 2368 wrote to memory of 2572	2368	DEMC4F6.exe	96
PID 2572 wrote to memory of 1520	2572	DEM1B24.exe	98
PID 2572 wrote to memory of 1520	2572	DEM1B24.exe	98
PID 2572 wrote to memory of 1520	2572	DEM1B24.exe	98
PID 1520 wrote to memory of 2668	1520	DEM7172.exe	100
PID 1520 wrote to memory of 2668	1520	DEM7172.exe	100
PID 1520 wrote to memory of 2668	1520	DEM7172.exe	100

C:\Users\Admin\AppData\Local\Temp\cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe
"C:\Users\Admin\AppData\Local\Temp\cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\DEM6E4A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6E4A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\DEMC4F6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC4F6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\DEM1B24.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1B24.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\DEM7172.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7172.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\DEMC7DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC7DF.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1B24.exe

Filesize
15KB

MD5
cc86518295262ec81a95a161f0efe459

SHA1
1fecaacae76310f7ec273f4c3b8fafa83ef361a2

SHA256
e22630ebb202022d0916efc8009bb8cf2e5ec7dbed1802a353e3c3e965ca9164

SHA512
c0be5cec288b10a83c29cce73464c11e19c413e02f023cb39330ca05621fce2e0ba65be9705aba583e5a47374e932abdfd27cade4c82c6212930c78b90ea9e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6E4A.exe

Filesize
15KB

MD5
e52c9805c33d33b06c3781023c102560

SHA1
8650765c7594499fd05a749ea9af751489255f03

SHA256
49524290ee269e453cdc431f63870dd5861eff52aa8a7e38b89433203cd987a8

SHA512
5df16617b60801fc3463fdf8d4e2918ba7f2f7dd1ac5a59fee0d5f19adec04f3c9d312017428eff557a52a5c41ebc956ac7a5a079f000ab386b6ecbb7d25ffcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7172.exe

Filesize
15KB

MD5
07e5481e99e31fd6ab56061acbd2ba38

SHA1
4f795ff662aa0212b83b8644aa68576fb15a6080

SHA256
a677e80ffe4a89eda12ae5d0a0cd002096e268f2012e16fb1706f552e93cd9bf

SHA512
80b45ebb3fde456ddf8b9e871ff31d6bb179ea2a2be3128690044f82265c37fc3b75ac56454ab726ecd38cbf1c48fe81704d5ba1f10f1b9abe3b89d7e745e7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC4F6.exe

Filesize
15KB

MD5
82d5c6063a99cc89ca8976e64c4670bc

SHA1
2f2bddf99be362c44f57bda0c5c060981ca8ad7c

SHA256
7176b4a2e92cb14851a339dfd3b0d06ea469a3293a216b289591e4cd5a4d0df3

SHA512
2f8b267ace2f16a571b1bdf4bc9cc9b88b89a70bfc176b683f0915d298ead0deed2a02501fe30db5a907ec15e6b1190f4ffb1238d1c6f468ea740be289159c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7DF.exe

Filesize
15KB

MD5
ed68c27f9df3e02b803ecf64b035b31b

SHA1
9adc548bcf4aee818a072837916ce4ff5786cebc

SHA256
9c490049baae0d7b67796ade5bfddd7e2835f2f03f05bfc964910252837f5f02

SHA512
6d96fd6b23f940006b8964e5ad9d3bf894e0a392a28621db712fd9a8d33c8678bed5f1c1fdde655b01d5e175a5b49d3d158e16e3bb8406b0f1c438ed4b72bd1e

Download Submit

Analysis

Sharing