b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f

General

Target

b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe
Size

15KB
MD5

8fc3a6721184dacfb86247d33398f5b8
SHA1

37e8b741e43465fe6e4416197380a274b81cb1a1
SHA256

b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f
SHA512

af10c4d75f73fb72554b624f57959350191c58fe81e3f9681ace6368940d0e2971819744ab9159c0dfb4b5412a3a2026549a53e66cd46db53a50a2cd70c4f692
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJkz:hDXWipuE+K3/SSHgxmlOc

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEMAF2C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM644.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM5C83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEMB2F0.exe

Executes dropped EXE 5 IoCs

pid	Process
3676	DEMAF2C.exe
3604	DEM644.exe
1712	DEM5C83.exe
2888	DEMB2F0.exe
3436	DEM98B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAF2C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5C83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB2F0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM98B.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3676	3172	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe	90
PID 3172 wrote to memory of 3676	3172	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe	90
PID 3172 wrote to memory of 3676	3172	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe	90
PID 3676 wrote to memory of 3604	3676	DEMAF2C.exe	94
PID 3676 wrote to memory of 3604	3676	DEMAF2C.exe	94
PID 3676 wrote to memory of 3604	3676	DEMAF2C.exe	94
PID 3604 wrote to memory of 1712	3604	DEM644.exe	96
PID 3604 wrote to memory of 1712	3604	DEM644.exe	96
PID 3604 wrote to memory of 1712	3604	DEM644.exe	96
PID 1712 wrote to memory of 2888	1712	DEM5C83.exe	98
PID 1712 wrote to memory of 2888	1712	DEM5C83.exe	98
PID 1712 wrote to memory of 2888	1712	DEM5C83.exe	98
PID 2888 wrote to memory of 3436	2888	DEMB2F0.exe	100
PID 2888 wrote to memory of 3436	2888	DEMB2F0.exe	100
PID 2888 wrote to memory of 3436	2888	DEMB2F0.exe	100

C:\Users\Admin\AppData\Local\Temp\b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe
"C:\Users\Admin\AppData\Local\Temp\b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\DEMAF2C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAF2C.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\DEM644.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM644.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\DEM5C83.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5C83.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\DEMB2F0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB2F0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\DEM98B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM98B.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5C83.exe

Filesize
15KB

MD5
e7c63e565e4e5d5a0e9dbf2ab867f6cd

SHA1
cc6129fb8519e98514fb84ce9b54f7f8db6ff4df

SHA256
c0e142fbbe86d0af48c71530806ea7a7cee2a93c2877a20985fe6c718b7dde0a

SHA512
f658cd20e9d87ea4343247aa38de72569571fee6f0c85fb0f75cfb105993cd2d8f37aa124f9f4323f886cc96b27f0137ad435e71b0440c1bd897f8776fc2c1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM644.exe

Filesize
15KB

MD5
945a60d7f253cb75b8f0985c8282800f

SHA1
37f087f994a6454d8ad03fd2141747e4d58ce23c

SHA256
cec478915b0b19d0e900f93dca0d37fd00b6aa549dcb4c4bf730158b95500290

SHA512
771b520d1ee179ca9ab746103128ea34b7dac469f24b20f864259d8b0542d9bf6ba5dfb20ac170c7ca8cd46e3e4082631d02900d9b9aae67d4c234b3cb6f8a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM98B.exe

Filesize
15KB

MD5
0bfbd4c2889b46659c05c996e085b4de

SHA1
90431f14cce1e48da43f801fd48e2d349f65382c

SHA256
5405231c9b9acd4a33ea9c33b1b7399a7a334f8ee527f50a3cd950bd1ad6bcd0

SHA512
5df826df6a1b3d3da76024ed189575a7b29912519cc26744e68f0a566cdf953be54f3b3d2d244154a9efe069b832867069a49469217859b4d6b9db0c953ea95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAF2C.exe

Filesize
15KB

MD5
bcc319115073d5240a21ed300b122815

SHA1
03675a328201596d671f83354aee49a3cf9107c4

SHA256
278490096c9d7965772d77a7b68cae2a80ec1221a5fc5884af4748bb4f856dd5

SHA512
630e5644a66cdeaca97521625dcdd789b5d91652831424636c8d2a272acc26924bc80bbd389be733efe01e468b389d6a0aef8b5efd8b2f003b07682d1e4c4cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB2F0.exe

Filesize
15KB

MD5
64ca75c81fbe05b9be592fee9ad693d3

SHA1
6082aaba18b32e8d11c281f2d5ed25b4f9c484e4

SHA256
9223471b4f996fa97da612a4852a060061164f124503ebd47ac491592f32d7c3

SHA512
bf673c463afcde3176f651c7fbf7271c0f4674a85839596e831510a8a7263d9374f616e074b2d85d3bacc15f58ed6e3c89475ee64e4bea9db43ab75deb614fa0

Download Submit

Analysis

Sharing