e7e8a720d61246617f207fc1d526cc02bdaee80a2edf8fa47725908650647289

General

Target

2493a1106394912af0c9d2ba70463030N.exe
Size

15KB
MD5

2493a1106394912af0c9d2ba70463030
SHA1

85557348b9c010959713d68f9415dd9988dcb9f5
SHA256

e7e8a720d61246617f207fc1d526cc02bdaee80a2edf8fa47725908650647289
SHA512

160309861c0faac008b3b149ac944e65a02f84862c475058252531054d609f384142179f5723e800d99e5336de40c9f4e8a29cb45bd01191097317ce198ff519
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlp:hDXWipuE+K3/SSHgxmlp

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	2493a1106394912af0c9d2ba70463030N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM7B5A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEMD1E6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM2805.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DEM7E05.exe

Executes dropped EXE 5 IoCs

pid	Process
540	DEM7B5A.exe
1228	DEMD1E6.exe
1064	DEM2805.exe
3192	DEM7E05.exe
2620	DEMD3D5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2493a1106394912af0c9d2ba70463030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7B5A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD1E6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7E05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD3D5.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 540	1648	2493a1106394912af0c9d2ba70463030N.exe	96
PID 1648 wrote to memory of 540	1648	2493a1106394912af0c9d2ba70463030N.exe	96
PID 1648 wrote to memory of 540	1648	2493a1106394912af0c9d2ba70463030N.exe	96
PID 540 wrote to memory of 1228	540	DEM7B5A.exe	101
PID 540 wrote to memory of 1228	540	DEM7B5A.exe	101
PID 540 wrote to memory of 1228	540	DEM7B5A.exe	101
PID 1228 wrote to memory of 1064	1228	DEMD1E6.exe	103
PID 1228 wrote to memory of 1064	1228	DEMD1E6.exe	103
PID 1228 wrote to memory of 1064	1228	DEMD1E6.exe	103
PID 1064 wrote to memory of 3192	1064	DEM2805.exe	106
PID 1064 wrote to memory of 3192	1064	DEM2805.exe	106
PID 1064 wrote to memory of 3192	1064	DEM2805.exe	106
PID 3192 wrote to memory of 2620	3192	DEM7E05.exe	116
PID 3192 wrote to memory of 2620	3192	DEM7E05.exe	116
PID 3192 wrote to memory of 2620	3192	DEM7E05.exe	116

C:\Users\Admin\AppData\Local\Temp\2493a1106394912af0c9d2ba70463030N.exe
"C:\Users\Admin\AppData\Local\Temp\2493a1106394912af0c9d2ba70463030N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\DEM7B5A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7B5A.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\DEMD1E6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD1E6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\DEM2805.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2805.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Users\Admin\AppData\Local\Temp\DEM7E05.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7E05.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\DEMD3D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD3D5.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2805.exe

Filesize
15KB

MD5
8571f0f1a9a058e132ffdbde8107a456

SHA1
90ec7a555a9056d667c02fa6aefcd7b33f1ef5e9

SHA256
53513f6f9fbaf6de3c8a55b12086704746a0d0dad53111a6a8271ada12f65c89

SHA512
e0b63fbe84b83238c2f84554b54b73cc4dd558b0c8e8070c59e4833ed992226ebda914356af09346e956c6cbc76f43731424c01a67be58d5c0b572d2604eb5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B5A.exe

Filesize
15KB

MD5
6fd3419bee254889cc92022bc1b1a1fa

SHA1
cfdd698989502134f205a6ea5492c0d11fff04ba

SHA256
892730c7dd7461579ca9d03e95da7b54308a99906c68b854a865caff2d281694

SHA512
c3f83309e51260c43937a5f217cb52ea2a11affda06fe80a62ed68cfe9a03533e8151c190ddb77e1fdd873e58402bbe5dec8e4aff10b579aecedd02c5ba33deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7E05.exe

Filesize
15KB

MD5
11ecf21583176baa82475f5c8e014ceb

SHA1
530f1af9ad7c732e3715f134a4312b7748143580

SHA256
53c36fbf7b4fe76ab43043ce47d8a005b61fc658020726d0d9fd18a7eb42316e

SHA512
d1591dfd09a0d8d6cceb5439ba6abaa54ebb839a1d9e90de66b998e5323ca7419dd58df1e3a827b6b32db321fe14b8a9a8e1529a0d71d187e8075f5588a0e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD1E6.exe

Filesize
15KB

MD5
843b0745abdc7fe28bc91882c38cb5cb

SHA1
4576667ac821a7cab1ee2ebbce1b5bd0a7122ce7

SHA256
bad725ca31b084f5bdc9ade92add6f7024f68443ae3243d5726f1f57d80a8a05

SHA512
7d5639728b833e14f52d1e51553c9c8a688fbc8106ef5f4bdfaa230382ffa29ff08f59a2e6229afff668b23eb7f2adec08e9860feea633b5bd7e8e8bbf499992

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD3D5.exe

Filesize
15KB

MD5
7ec4bf415fb1522e9cfa926be354b240

SHA1
cec345a68f3e8e448d2f2b9deff0ebabd41b7ec2

SHA256
85f278c60a58914d77179ed82365c7ebb14fd89cda8d53a049183b8e93d7931d

SHA512
27568c94d51b1835603836f981a051ff62bee2bf872cbeae0cc9b97a2d3434c501887e3bd1def20958a3714f1079ab3f50455470fc643d4b33ea08800629e828

Download Submit

Analysis

Sharing