f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe

General

Target

f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe
Size

15KB
MD5

fb205082e70e21514ee98e8040d1fe6e
SHA1

29f28814579538e7728f3ad954a680748fe7fba9
SHA256

f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe
SHA512

42fc42c1cb77c7b0025e58f47daa9f05134867f439eb9f0afa83c000ca0f485a4ea5bde906a53315310edb3fd809d4bf575958383f5065247f375efa6858685e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hEuBfT:hDXWipuE+K3/SSHgxmMR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM48FB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM9F29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEM9C21.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DEMF30B.exe

Executes dropped EXE 5 IoCs

pid	Process
4940	DEM9C21.exe
2744	DEMF30B.exe
2732	DEM48FB.exe
2056	DEM9F29.exe
4600	DEMF567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM48FB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9F29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF567.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9C21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF30B.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4940	4960	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe	90
PID 4960 wrote to memory of 4940	4960	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe	90
PID 4960 wrote to memory of 4940	4960	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe	90
PID 4940 wrote to memory of 2744	4940	DEM9C21.exe	94
PID 4940 wrote to memory of 2744	4940	DEM9C21.exe	94
PID 4940 wrote to memory of 2744	4940	DEM9C21.exe	94
PID 2744 wrote to memory of 2732	2744	DEMF30B.exe	96
PID 2744 wrote to memory of 2732	2744	DEMF30B.exe	96
PID 2744 wrote to memory of 2732	2744	DEMF30B.exe	96
PID 2732 wrote to memory of 2056	2732	DEM48FB.exe	98
PID 2732 wrote to memory of 2056	2732	DEM48FB.exe	98
PID 2732 wrote to memory of 2056	2732	DEM48FB.exe	98
PID 2056 wrote to memory of 4600	2056	DEM9F29.exe	100
PID 2056 wrote to memory of 4600	2056	DEM9F29.exe	100
PID 2056 wrote to memory of 4600	2056	DEM9F29.exe	100

C:\Users\Admin\AppData\Local\Temp\f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe
"C:\Users\Admin\AppData\Local\Temp\f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\DEM9C21.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9C21.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\DEMF30B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF30B.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\DEM48FB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM48FB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\DEM9F29.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9F29.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\DEMF567.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF567.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM48FB.exe

Filesize
15KB

MD5
7fba0ce9e16ff436560c618cbf9b75fe

SHA1
68d0b6fa85abe192c883d294c0b312a14ae74596

SHA256
0b353d165a24a98e7b42680d4b69c1dda5df53120f9994544ff3c3bbb29a7d62

SHA512
a2c854c7931eeb830f39df8399081b463fa5d2cf8f40a1ec6ac1875be469b2bb017abaeadbcb3a1469d7bec43dc10fe9874dc87b8d96b74e9b7e25eb8bc0f877

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9C21.exe

Filesize
15KB

MD5
c2111300e1d083566c9d4242c5886879

SHA1
7387d22363699d4707f130914643c5c04b581f59

SHA256
28ac46cda3506d62989fb4acf47b34da6bc5584457a47e6da859ba95d5038b38

SHA512
5987821da216106975d5d8d6bf6011f5a97dd152f95a665b3931b104eb4b2add7c9a8669c701cce3b9953a51aec1295cae3f5e9298fc8e844d01ca61b2b7d946

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9F29.exe

Filesize
15KB

MD5
da2b84eb90029cd5313fe222f69dbbde

SHA1
c5847f77e12e9d7247faa3c63000e3d87adca9d6

SHA256
5a6a7a377e05d273650ac5ff912e74c282eb14dd0848fd0fa944720629358f2a

SHA512
242f5cef602dd01e414dd9de03d83d5a6d30eeaf5ec1cc3dce931b3d377b18517f124b351a411744517167123eb6a68e762dbfcafdbc84bdf5de7fa74501b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF30B.exe

Filesize
15KB

MD5
34851af98e800e2f37e6147602239fef

SHA1
e16e19e3c1c8338beea11d735f4bf47ac24b1444

SHA256
f14a53c5cf1797096836ffc2675f4e1fdbc1c7c34b3f067e8591211c4a08fd21

SHA512
a3fa72be8279100541b8164db95eda69ab7b2a47525f1f21e706bb3e4abb2df75118358db50bd4351c0656517c1d6e204de3993f202e6c2103aeb09113ac6e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF567.exe

Filesize
15KB

MD5
6af6409b588285998f4f753478cdedcf

SHA1
bb6195af74b609373949e8597d1d63d1a39b49e1

SHA256
372af7847fbe29683fe01f8f953a165d77e862f2f7011efe6cddc4f2b890cf2b

SHA512
164ad36924afa67ee8af22e52e985d3aca46ba615c26b2fb1eb7dd8d334548f8c45b2ece4e95ffe31814feadbde78300e8bcb796ff26f3724599e5f2a4c17d56

Download Submit

Analysis

Sharing