a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344

General

Target

a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe
Size

20KB
MD5

b67c39f7c15c7cda906350be13ec4c02
SHA1

94ca8a6416ee18c5edfd45eb52532f7c420a701e
SHA256

a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344
SHA512

60ed0a9a9432e12e42684f490d0f61098aff7b43cae5657c899373bef4448ace93eb3e35f0926746cb1af7e03da5bea59f16e6138bd3efcb7f39554a43f7409b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L45t:hDXWipuE+K3/SSHgxmHZb

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM9913.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEMF0A9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM4793.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM9E2F.exe

Executes dropped EXE 5 IoCs

pid	Process
1220	DEM9913.exe
1004	DEMF0A9.exe
1756	DEM4793.exe
1312	DEM9E2F.exe
428	DEMF548.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9913.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF0A9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4793.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9E2F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF548.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 1220	4596	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe	99
PID 4596 wrote to memory of 1220	4596	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe	99
PID 4596 wrote to memory of 1220	4596	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe	99
PID 1220 wrote to memory of 1004	1220	DEM9913.exe	104
PID 1220 wrote to memory of 1004	1220	DEM9913.exe	104
PID 1220 wrote to memory of 1004	1220	DEM9913.exe	104
PID 1004 wrote to memory of 1756	1004	DEMF0A9.exe	107
PID 1004 wrote to memory of 1756	1004	DEMF0A9.exe	107
PID 1004 wrote to memory of 1756	1004	DEMF0A9.exe	107
PID 1756 wrote to memory of 1312	1756	DEM4793.exe	109
PID 1756 wrote to memory of 1312	1756	DEM4793.exe	109
PID 1756 wrote to memory of 1312	1756	DEM4793.exe	109
PID 1312 wrote to memory of 428	1312	DEM9E2F.exe	111
PID 1312 wrote to memory of 428	1312	DEM9E2F.exe	111
PID 1312 wrote to memory of 428	1312	DEM9E2F.exe	111

C:\Users\Admin\AppData\Local\Temp\a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe
"C:\Users\Admin\AppData\Local\Temp\a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\DEM9913.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9913.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\DEMF0A9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF0A9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\DEM4793.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4793.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\DEM9E2F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9E2F.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Users\Admin\AppData\Local\Temp\DEMF548.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF548.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4793.exe

Filesize
20KB

MD5
32740af4c91c7c022712dcc4602e3101

SHA1
85a97a27edf9247c6c7c84df1827b18d322de173

SHA256
d6366a135a2433e71f707ec1a06b64729143edbe94d268a85bcbe3fee2bbe91c

SHA512
41b7153b1031f17a3954900673375b350599ca8febfc9707179ffcc5f1aa8a72bbbf7021c3a139f1f8a629c247935613dd98d6346897c826c4da095226fcecab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9913.exe

Filesize
20KB

MD5
577491f5322e7008f5f160d2d9324df5

SHA1
bcf4b669ed4b7de7ee3f050c038a4e5273ba0ef8

SHA256
a85feea2c975026d261308b23a03441f1514d19a82cb2d3569269d0d4d0e849f

SHA512
37365ccb4cf588e768720d0f4aa520ccad6dc2f5d010c07fda7bb725ef7ebc587d51b1cbc19cdd5851440d4b881615d35ba0e9aa06d318499ae7651fe901f6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E2F.exe

Filesize
20KB

MD5
b4fcb83bad1ebbeebcd084e2fa2a4c98

SHA1
5b6aaab9662be65bc4a7e9a393c65612f919637d

SHA256
d671ea3fb67e88d92166081e55f769bdb6917e8186bc012430af735fa7cd604a

SHA512
ba9de28bfe9cae94173f1194b4a9f1a6ec232ede7eb9a7bfeecb9c05b999ce1d5c4e8197dbb69766bd3e6e040c0358f7abca92f90a7465c77a230d0263316259

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF0A9.exe

Filesize
20KB

MD5
7c645253f1bdbb6b2507bdaef25d3374

SHA1
81fbc05f40f39bb9e15d2f525bdb2bff9f70687b

SHA256
d08f52726793fa22000c13729cd2c0bc569293aaa3bbb4139a10712c8f394f40

SHA512
415ea6704f80e4b296bd29fab8cd577372fd938e8db02ca5fcc2dc34816cabdd928831bd8706c1a4169a564d9eaeedcb3f394c28b3c2e85c45d461ae077e7b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF548.exe

Filesize
20KB

MD5
6b2180151520fee720e3fc301d1a99b3

SHA1
5590312569f0435142fe561a409ef802dfe8cb8d

SHA256
e8ff48ad41ece6cc62854b60fe176a7f08265ca68fed7fc8f74519946f2d2070

SHA512
3b40fd6c1113fb4cb93f59213aced990c5e624520fff043813e23748e80c068684070882d2427b081b7cdd4d9bc4ba6f7413ef392c6aff063b42e61a385bafeb

Download Submit

Analysis

Sharing