20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12

General

Target

20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12.exe
Size

20KB
MD5

61fe00f3330bf6cb21eae87a60cd0309
SHA1

f56385c05594c4471652ceb0e40950f7bf3b60cc
SHA256

20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12
SHA512

8c2dd94954f6654fcccf09aaca41c9e215bfe510bf5389648199323075f719d3cf84930888d18e8fec690aea73048e86b3bd0ae893631003635b79e0d9c8f56c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlOS:hDXWipuE+K3/SSHgxmlb

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEMB93E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM1047.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEM66A4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DEMBD21.exe

Executes dropped EXE 5 IoCs

pid	Process
2344	DEMB93E.exe
2656	DEM1047.exe
3108	DEM66A4.exe
3588	DEMBD21.exe
4928	DEM138E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM66A4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBD21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM138E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB93E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1047.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2344	2024	20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12.exe	97
PID 2024 wrote to memory of 2344	2024	20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12.exe	97
PID 2024 wrote to memory of 2344	2024	20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12.exe	97
PID 2344 wrote to memory of 2656	2344	DEMB93E.exe	102
PID 2344 wrote to memory of 2656	2344	DEMB93E.exe	102
PID 2344 wrote to memory of 2656	2344	DEMB93E.exe	102
PID 2656 wrote to memory of 3108	2656	DEM1047.exe	104
PID 2656 wrote to memory of 3108	2656	DEM1047.exe	104
PID 2656 wrote to memory of 3108	2656	DEM1047.exe	104
PID 3108 wrote to memory of 3588	3108	DEM66A4.exe	106
PID 3108 wrote to memory of 3588	3108	DEM66A4.exe	106
PID 3108 wrote to memory of 3588	3108	DEM66A4.exe	106
PID 3588 wrote to memory of 4928	3588	DEMBD21.exe	108
PID 3588 wrote to memory of 4928	3588	DEMBD21.exe	108
PID 3588 wrote to memory of 4928	3588	DEMBD21.exe	108

C:\Users\Admin\AppData\Local\Temp\20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12.exe
"C:\Users\Admin\AppData\Local\Temp\20bee61f6fed1c98754ffbd7debf7ed4d3f7ecff33277761006f1bf83dcf9f12.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\DEMB93E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB93E.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\DEM1047.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1047.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\DEM66A4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM66A4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\DEMBD21.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD21.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Users\Admin\AppData\Local\Temp\DEM138E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM138E.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1047.exe

Filesize
20KB

MD5
ac0332b28ebbaa450c0962f89bcd364b

SHA1
7814d66fa68bc180d163d36147b492a54752f0b8

SHA256
28aa96ee16a5901bb06bcf83c91abcecca062ab9701ed9079febc2b003a9b3a7

SHA512
9518568e81ad6a6fac69ece1bd08f2449e62f7c2b665055e1b8716975f1543ed7343ecf1f996c350b5fb487b7910c9586d17d0e551274bbb16bf21ab1f2ba9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM138E.exe

Filesize
20KB

MD5
639d891db13248826636272ae1323d97

SHA1
074a4c9d7870ff3e3adc9a9645a90d1c2bc864dc

SHA256
8455849866e3bcb3c97d8f4a57817f30e3592843ea04486f63b83fe441f02a0e

SHA512
3decab5cc2fba139b49d06bea21c1c2d2a03e219fa4e3a130d799b88030082484dc8c11b72bd7b57c12bb15cd516a0ae81dd1bd8365cbdb77cd359fdad523329

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM66A4.exe

Filesize
20KB

MD5
11a60a7390d921ec3e22194433c8a30d

SHA1
6bb913a313f19e215eb49177b2720610d0dbde59

SHA256
0fa1954619b4ea55d798a949c1fbf826461699ff6fb38e46ca6e7dce2a64c87b

SHA512
674fb0700d5796c8deeb1e373f53a0cc33a2445388949e0079747b9d15ae13576bb480e8fae0a4fe6638705a04c922f7e5a3873d9a78556c3f1b9ecc1ae3bcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB93E.exe

Filesize
20KB

MD5
9961fdf5d9666457f8fe053dc758b3fe

SHA1
b4f795bcf23ea6861f12c47f28f4f5d8bcf691e3

SHA256
078696c62d5798d82c11f556f01dd7879912e2b267cc9e8ff75e7a4341b36c67

SHA512
aee93e26cd8936671569269d33b1262c24a1e27d440dc4df453ce24063dfbc4a9efd5c4dce659a5709aa9924539ecf72ed7a2efbbdd80210005adb3379077997

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD21.exe

Filesize
20KB

MD5
c6a1e2dc4ad48e440f41b06673c1cabb

SHA1
d2cb920118bf77a179d0852c38e18f22f93a30db

SHA256
f7a3dee4eada2ed1f345c4765800e70507e3ef5fe6893032b1c97aa984dc4c9b

SHA512
76372e496e33ccb1de3cf7cc0111ebe2166077a70a3fa18a021e8dbaf9dd01f32434bf05b906f09c5c1c727b96192989448768a06f02efef25cef896c36bb2d1

Download Submit

Analysis

Sharing