911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9

General

Target

911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe
Size

16KB
MD5

afcb33445de14f1df5c4ac93054b0f75
SHA1

e67c10c3b28fd6d8df1374f43b4874b62bbed0b5
SHA256

911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9
SHA512

7b858f7371705bce083c5cee32938a2006bcedad3399ff92ff023c22dd59014d8eada9ba8cffcae7b2a67c221af05bc07ceefb024411fb2b2b800397de901660
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx9Mi:hDXWipuE+K3/SSHgxmH7Mi

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DEMAE32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DEM4FC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DEM5ACD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DEMB0FC.exe

Executes dropped EXE 5 IoCs

pid	Process
4492	DEMAE32.exe
4392	DEM4FC.exe
3872	DEM5ACD.exe
2368	DEMB0FC.exe
684	DEM6AD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6AD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAE32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4FC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5ACD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB0FC.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4492	1488	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe	97
PID 1488 wrote to memory of 4492	1488	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe	97
PID 1488 wrote to memory of 4492	1488	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe	97
PID 4492 wrote to memory of 4392	4492	DEMAE32.exe	102
PID 4492 wrote to memory of 4392	4492	DEMAE32.exe	102
PID 4492 wrote to memory of 4392	4492	DEMAE32.exe	102
PID 4392 wrote to memory of 3872	4392	DEM4FC.exe	104
PID 4392 wrote to memory of 3872	4392	DEM4FC.exe	104
PID 4392 wrote to memory of 3872	4392	DEM4FC.exe	104
PID 3872 wrote to memory of 2368	3872	DEM5ACD.exe	106
PID 3872 wrote to memory of 2368	3872	DEM5ACD.exe	106
PID 3872 wrote to memory of 2368	3872	DEM5ACD.exe	106
PID 2368 wrote to memory of 684	2368	DEMB0FC.exe	108
PID 2368 wrote to memory of 684	2368	DEMB0FC.exe	108
PID 2368 wrote to memory of 684	2368	DEMB0FC.exe	108

C:\Users\Admin\AppData\Local\Temp\911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe
"C:\Users\Admin\AppData\Local\Temp\911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\DEMAE32.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAE32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\DEM4FC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4FC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\DEMB0FC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB0FC.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Users\Admin\AppData\Local\Temp\DEM6AD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6AD.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4FC.exe

Filesize
16KB

MD5
2d39b3c12009e88e0c2d56c0c6fb09a4

SHA1
8f307ff596af03c6476bc583adb5633883e20b4b

SHA256
b6aa27b91c824ca87997875ae97d12a063a7b93f464a8b75d8dc51def8e13b26

SHA512
ee59b3abdfd9ab67ef02d93e7840cb1454f4af2e797a100d4733e6b61679646ddce6e0d9eacb2b99da00e820cc3606780703741d2c14ec1807f35e4ac5952161

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5ACD.exe

Filesize
16KB

MD5
5bc46fe88bdf6ca390c4fca8e2633b50

SHA1
4594be555e9fb10f1fdd9480c9a8d37a7feba72a

SHA256
454414b6a36543aa326eca4d22bb99760787cc9a6685e9aed74b8b002a652356

SHA512
e6d0142ade9b2a161b9597c1db9e5cf4884dbeda52393fd7bc10b5d95eb69aec36e6f879610422e3c052ad8452093b999a27270022ba076f77e27f70ebc1db1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6AD.exe

Filesize
16KB

MD5
3eac3d65eef868ba4b63946a65bd42f6

SHA1
40a95701474123031f3b11e1530ce285556239c1

SHA256
f01d99083c158fe0469dc28c809620744c6f7699f727608901811eadf6452935

SHA512
d9d1118d3d51bbb51251beae27115607e28c680854b15116d1db47d1878f75effdca00aa970dea78cbde3617bc5009aadab14b604317df00ef847e32247254bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAE32.exe

Filesize
16KB

MD5
238e559d36d14ba1b34bc249fc3fa874

SHA1
1a27c17660a4ab8fc4faaad1522b7f8442d8b0c4

SHA256
c5e6644a74cb8d35c3dd9b34ca5e3d6fddb5f362963068ca3b898c3749d502f4

SHA512
438e57097b79b75851077832180b06d6cbab5de81d91ce18af807a469e7376a5e77bd137617cc1998808071d9b9d6cec0cb7478400235fa9101e8e0008fa5d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB0FC.exe

Filesize
16KB

MD5
71196c744daed4b9147d1cd688cfca35

SHA1
c3c9cf48fdf4249084a2ca82fff6496ad7ca82bd

SHA256
5c94c4492d082d68884f4b4765178365077278cf73a0bc90a511659dc1c61595

SHA512
ea48bcfbea8af092f31950fed53d02e075aec2ef4fcee04a7a72a98ca675462c631d0f4f0aa70da05025167e7057a5dc33523fcce744ba15c105f71707a3082c

Download Submit

Analysis

Sharing