dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696

General

Target

dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696.exe
Size

16KB
MD5

5bc7499870836d61789bb2afaa478927
SHA1

624536c54fdac65f6725c599830aae90582cde7d
SHA256

dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696
SHA512

cc57aa1b0744e0c03254949b36908d3ee9ce19fc79a09e80d445f25c5d3898fe1d5f373ce02c6290bb7093010d93ff5f3d625797bf2f4db5579e563036cdf151
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhU:hDXWipuE+K3/SSHgx+

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM8E60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM8A2F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEME148.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM37E4.exe

Executes dropped EXE 5 IoCs

pid	Process
4900	DEM8A2F.exe
4740	DEME148.exe
4524	DEM37E4.exe
1228	DEM8E60.exe
3960	DEME4DD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8E60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME4DD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8A2F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME148.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM37E4.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4900	3132	dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696.exe	90
PID 3132 wrote to memory of 4900	3132	dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696.exe	90
PID 3132 wrote to memory of 4900	3132	dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696.exe	90
PID 4900 wrote to memory of 4740	4900	DEM8A2F.exe	94
PID 4900 wrote to memory of 4740	4900	DEM8A2F.exe	94
PID 4900 wrote to memory of 4740	4900	DEM8A2F.exe	94
PID 4740 wrote to memory of 4524	4740	DEME148.exe	96
PID 4740 wrote to memory of 4524	4740	DEME148.exe	96
PID 4740 wrote to memory of 4524	4740	DEME148.exe	96
PID 4524 wrote to memory of 1228	4524	DEM37E4.exe	98
PID 4524 wrote to memory of 1228	4524	DEM37E4.exe	98
PID 4524 wrote to memory of 1228	4524	DEM37E4.exe	98
PID 1228 wrote to memory of 3960	1228	DEM8E60.exe	100
PID 1228 wrote to memory of 3960	1228	DEM8E60.exe	100
PID 1228 wrote to memory of 3960	1228	DEM8E60.exe	100

C:\Users\Admin\AppData\Local\Temp\dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696.exe
"C:\Users\Admin\AppData\Local\Temp\dd0fc85d791dfaba685aa5cc78829abddbebdde6468399d9d674c027a0eaf696.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\DEM8A2F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8A2F.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\DEME148.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME148.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\DEM37E4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM37E4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E60.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E60.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\DEME4DD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME4DD.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM37E4.exe

Filesize
16KB

MD5
376c5636f14ac0c80671067470d819f1

SHA1
c3e8f7e55b17e157989e42cacf515a300586fb5a

SHA256
984e8db93766a75664185b198a499840ee2aafbed81a14f75d3d0dd5d007b8aa

SHA512
c3b5b368ec87b0ed7682f188fd1e20700668c70f1dd95cc223849b87580a3044c87cce8013f31d40e0cc809d280167aacdbfc61654ab6ca8be2ebc399a2fb41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A2F.exe

Filesize
16KB

MD5
be11efe9c3f4dd09dca03cd52ad513b9

SHA1
e566c843d55e1666469d64fa9b7a5a4d1fb7271a

SHA256
bc07a9a2465463b946b5c8bc23758b7e1ff129d358ea54349a23905aadc15b83

SHA512
e2a05e3d840071c2b0dc5c2801733df9e2169874243c58813315aa9a6ea770e30f1a3371abaae4982b2582821f8f273cfc04faed17481b7fca817ae52e28ffbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E60.exe

Filesize
16KB

MD5
bdfecdc86ec49a302b939d5a9f581312

SHA1
e42b307e4906bf4f52fc48e363dd66dbea8e32c4

SHA256
81f4ee548bc34faab09453f552d20ef8efe5e113a2c66da670dd649a8eaca5d9

SHA512
662b559c358e2f9e11af0eccdf162f90854b9fee97729dc631d361e2fe07fa85908d88f358d6d924207d58c8d6f1adef83af62d30ade4ef20ca9354f706359ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME148.exe

Filesize
16KB

MD5
21fce5eaa0d01343eea819071d293cfe

SHA1
fb372a414ae1af92f7e476ef90144429b7c62d43

SHA256
5466771bd4c4cde82478ce3ea9495a08463a3861a2afc9a83de6e562cbc45e99

SHA512
9ea6937323d0b895d3bfa8f8c93f118d0f25546272fec336c1d79ea19793207061073c67721e6d9433b34dc8dc27994001409ef3e5a3579caaf544bcfdd8bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME4DD.exe

Filesize
16KB

MD5
a07f8e9bfe08a58a8bb40e89f80df1a8

SHA1
a416e2de51d0d94d3166df8853dae2adc058e27a

SHA256
9595cf5c285a34678fdd6824a1caedbb0f269cd5d8f96c8b74982a2d40003c7a

SHA512
4156944484b6e8cc6cd84ae2021f5ae32f3121c0dcb58b12b70f9e0ddec14eb65de4daf3b4b9a5568cbf33992739f7702cf3055587f7337e957ad27e7b07794d

Download Submit

Analysis

Sharing