ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056

General

Target

ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056.exe
Size

20KB
MD5

d4cb9df25aa2a7eb7eaa2596a654c4a9
SHA1

2a4c557b463b08a3abbac8e1bed128ad8f9c8751
SHA256

ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056
SHA512

e0de67241c338f0512339e09c6d990e44f1ad6e146ab9ee042c8960efeda69aa958df9f4fc5fc5b9d53db7566f411d8adfe6e8667e6c178c209c6e13cab03f14
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxX1pWH:hDXWipuE+K3/SSHgxmH9k

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEM7CFB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEM75DC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEMCE8B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DEM2556.exe

Executes dropped EXE 5 IoCs

pid	Process
1400	DEM75DC.exe
1120	DEMCE8B.exe
3936	DEM2556.exe
4716	DEM7CFB.exe
4892	DEMD3D5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM75DC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE8B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2556.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7CFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD3D5.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1400	1064	ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056.exe	90
PID 1064 wrote to memory of 1400	1064	ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056.exe	90
PID 1064 wrote to memory of 1400	1064	ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056.exe	90
PID 1400 wrote to memory of 1120	1400	DEM75DC.exe	94
PID 1400 wrote to memory of 1120	1400	DEM75DC.exe	94
PID 1400 wrote to memory of 1120	1400	DEM75DC.exe	94
PID 1120 wrote to memory of 3936	1120	DEMCE8B.exe	96
PID 1120 wrote to memory of 3936	1120	DEMCE8B.exe	96
PID 1120 wrote to memory of 3936	1120	DEMCE8B.exe	96
PID 3936 wrote to memory of 4716	3936	DEM2556.exe	98
PID 3936 wrote to memory of 4716	3936	DEM2556.exe	98
PID 3936 wrote to memory of 4716	3936	DEM2556.exe	98
PID 4716 wrote to memory of 4892	4716	DEM7CFB.exe	100
PID 4716 wrote to memory of 4892	4716	DEM7CFB.exe	100
PID 4716 wrote to memory of 4892	4716	DEM7CFB.exe	100

C:\Users\Admin\AppData\Local\Temp\ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056.exe
"C:\Users\Admin\AppData\Local\Temp\ba67d8c4170a5952be6057aefc4a86584d781de234afb13c5dd20d1cf1bbb056.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\DEM75DC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM75DC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\DEMCE8B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCE8B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\DEM2556.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2556.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\DEM7CFB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7CFB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\DEMD3D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD3D5.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2556.exe

Filesize
20KB

MD5
83751be853b150746c3878273b2ec459

SHA1
c46f60687a6d0693dd6b4ed51938d05ce8abe998

SHA256
37c91ebc07434762a7b6145818b37b9307cbdfa8bb1b14480ea9c85e5b8db58f

SHA512
3a3e1e22dad7b04d30258a4a6ad54c19839a59890e29aa93c13a0a13c4a0345087cefd9a066d57cc758babe6d8400ac9531d172bd44b05eeade432c30c4542eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM75DC.exe

Filesize
20KB

MD5
4f6a45526adfd48a974a0127fc38354c

SHA1
d55b89ea3f290593078191a08e63fde33ace1730

SHA256
eedbc4e0ca40a6e7022c84badfcf0fd2889b97b1adee488c19bac971bab835d9

SHA512
580b14e8386531f5bb9f74d4f799a624991541f3d32244a5eda55740e1f51f1d33111cb2cd818e259c89d3b4dfdec37c20025c959beaa86745516084a14e8c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7CFB.exe

Filesize
20KB

MD5
7e1d0e55a9552ff79789b3a203fbaad1

SHA1
1cebc5a641b8923004e58500e8079eee82ac94b2

SHA256
9f3980340a1f33d9beaca7b62f5c270b338763931df5561397e3aa30bb8b3046

SHA512
09c007410b6cc8bfcb5ba04582d99575700bcec819debf4de90acd1920bd69782d047dd31b1b837bfc744ca6b2d8a0c503c80b81fadcd39f6a694cfa25896d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE8B.exe

Filesize
20KB

MD5
3bacb7acaf283cab2bcf8732d686735c

SHA1
74616a6c9c010f1793d138a1733791e99cf058ad

SHA256
0df49825bea4c954bc62c78d3e40744af80fb4269ab51aecc8dd10679b16717c

SHA512
9d8598c163299a9b4a4995a99e17ac005cae87d682434b4e04bb955b0b598e529b764a568c0fd3c514ca4fbb053573ccb930a565edd8d2d724e5fb6edf4f40dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD3D5.exe

Filesize
20KB

MD5
e326308edf1012be6981c3576f7b0354

SHA1
9682399d0a4d1959c01c91d2164bf5006b70aa88

SHA256
2504adef05645b0ea3ee5d61d83fcdb8fc860344d753311699efb92f3c026842

SHA512
d60a75fb47d98dd645454d888480fac589dd1442df3d568d57dc1ad88257145d64f25caa2c1b2daf828db6cff3686cf33c5cb075dde52cda33f734e7d66530de

Download Submit

Analysis

Sharing