6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082

General

Target

6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe
Size

20KB
MD5

37183d88788877845452eae449b3cdc0
SHA1

9dca424788a0670017ae4a69ef545697364a2789
SHA256

6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082
SHA512

be201b602003ad4485b32f569cbe8351c77f6fdcb2e2b73c3df827305dc483cd86440374abafae768077f063e4a6c3e28098cd1458d824f773a72ae7eae8f144
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4ogeX:hDXWipuE+K3/SSHgxmHZoBX

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM3EE8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM9546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM9172.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEME86C.exe

Executes dropped EXE 5 IoCs

pid	Process
4564	DEM9172.exe
2268	DEME86C.exe
4448	DEM3EE8.exe
1228	DEM9546.exe
1136	DEMEBA3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9172.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME86C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3EE8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9546.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEBA3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4564	2680	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe	90
PID 2680 wrote to memory of 4564	2680	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe	90
PID 2680 wrote to memory of 4564	2680	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe	90
PID 4564 wrote to memory of 2268	4564	DEM9172.exe	94
PID 4564 wrote to memory of 2268	4564	DEM9172.exe	94
PID 4564 wrote to memory of 2268	4564	DEM9172.exe	94
PID 2268 wrote to memory of 4448	2268	DEME86C.exe	96
PID 2268 wrote to memory of 4448	2268	DEME86C.exe	96
PID 2268 wrote to memory of 4448	2268	DEME86C.exe	96
PID 4448 wrote to memory of 1228	4448	DEM3EE8.exe	98
PID 4448 wrote to memory of 1228	4448	DEM3EE8.exe	98
PID 4448 wrote to memory of 1228	4448	DEM3EE8.exe	98
PID 1228 wrote to memory of 1136	1228	DEM9546.exe	100
PID 1228 wrote to memory of 1136	1228	DEM9546.exe	100
PID 1228 wrote to memory of 1136	1228	DEM9546.exe	100

C:\Users\Admin\AppData\Local\Temp\6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe
"C:\Users\Admin\AppData\Local\Temp\6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\DEM9172.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9172.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\DEME86C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME86C.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\DEM3EE8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3EE8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Users\Admin\AppData\Local\Temp\DEM9546.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9546.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\DEMEBA3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEBA3.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3EE8.exe

Filesize
20KB

MD5
c181312c0c9ad294208c05282d8aa958

SHA1
bab5c64f318dd1eb0abaae71dad16916e34e3696

SHA256
740ef1d10b837483204a458607b72eabe3c36024b372a260bd4202b57b725f96

SHA512
f74da8d97f31d4491aec314dc068bb7a56757522eeadf0c8f4b6194c1a9e38d439851f74fabaaf33ed2a7b5e984bbf4e8fd36100c5e5bd8401205f5c5650fc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9172.exe

Filesize
20KB

MD5
24bfbbc9fd29ec17192d3cafd51cf3a8

SHA1
afa7cc56a925b7249052d304a825674b06e925ba

SHA256
d595c118b59d91d963eaf889b321014b2788365fd547e6de212c09957d39dfe0

SHA512
ad22af68df1f1ccb1e59fed5465309d721d90854691221662d4ba38b149c77b6f61f815ce8dca811abd9c9a3217da1e603e50a163325c01a07bafc23b16ce2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9546.exe

Filesize
20KB

MD5
79c507acc9e170fe264467ef541c1d3c

SHA1
2e3821d74bce85d202e532a250c1b0a5e4cc4f40

SHA256
9a17aefb7f8f6f6c7fe244350bfec599bbcb8465d98f44f4d109dff3e5e6ccd4

SHA512
0b946f579e06d05de98f0880523f4f207e217319ba2770e7f9c0d7a8390365f5f9d4da38ce1d499dc967dea9389600e74bd818efe15743c23ae85126f2cd9755

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME86C.exe

Filesize
20KB

MD5
6ff0538f26e43a190041d460a18fe938

SHA1
911301311f9cc46079bbb44987615e1c51cdf6d3

SHA256
71d521cb7f1b7af169d59fef390bea84289e44031ca2959a9178b8a88c87869f

SHA512
01551cbb5346a504d8131b196e21fae73f196ddd772a74d07da6c7fd06eec4ccacbe30f7d47063f58000bf72be1ce101863eb2eb6e9ec25f464d5714e12458a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEBA3.exe

Filesize
20KB

MD5
a8de773d4125fc03370491b76dc668d9

SHA1
6d96fcc053e1d1113c888075b833c42f407d0d2b

SHA256
e5fcb1a60b30d665fc7f65c9b17f242241a8b0c58351b3b590ccd9f3d268b3fc

SHA512
aa213c6e4b9f60be00dab8c343fac70b1a3cbbfdeba9e7abe7414716566343b04c3f67541db8f64297e3842c0d9cd787df43f06e0086cc9f5bc661ae8c78a936

Download Submit

Analysis

Sharing