8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1

General

Target

8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe
Size

16KB
MD5

98665a7df8a6deed28eff6c6cc856e7e
SHA1

3df80212cfca6d98a4ec48c4224a097ab97fe30a
SHA256

8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1
SHA512

684291cbd8c88bda833b69a3b1be4c182b589f616e5fdf0ca645eea56c07b8423f48da0163b760bf55317206c0dc40a47bbe57fb9d000bae395f31183f46270e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Fg:hDXWipuE+K3/SSHgxm0W

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM82F6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM7F03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEMD5FD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DEM2C89.exe

Executes dropped EXE 5 IoCs

pid	Process
1868	DEM7F03.exe
904	DEMD5FD.exe
1176	DEM2C89.exe
2376	DEM82F6.exe
2616	DEMD915.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD915.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7F03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD5FD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2C89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM82F6.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1868	1684	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe	96
PID 1684 wrote to memory of 1868	1684	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe	96
PID 1684 wrote to memory of 1868	1684	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe	96
PID 1868 wrote to memory of 904	1868	DEM7F03.exe	101
PID 1868 wrote to memory of 904	1868	DEM7F03.exe	101
PID 1868 wrote to memory of 904	1868	DEM7F03.exe	101
PID 904 wrote to memory of 1176	904	DEMD5FD.exe	103
PID 904 wrote to memory of 1176	904	DEMD5FD.exe	103
PID 904 wrote to memory of 1176	904	DEMD5FD.exe	103
PID 1176 wrote to memory of 2376	1176	DEM2C89.exe	105
PID 1176 wrote to memory of 2376	1176	DEM2C89.exe	105
PID 1176 wrote to memory of 2376	1176	DEM2C89.exe	105
PID 2376 wrote to memory of 2616	2376	DEM82F6.exe	107
PID 2376 wrote to memory of 2616	2376	DEM82F6.exe	107
PID 2376 wrote to memory of 2616	2376	DEM82F6.exe	107

C:\Users\Admin\AppData\Local\Temp\8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe
"C:\Users\Admin\AppData\Local\Temp\8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\DEM7F03.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7F03.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\DEMD5FD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD5FD.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\DEM2C89.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2C89.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\DEM82F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM82F6.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Users\Admin\AppData\Local\Temp\DEMD915.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD915.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C89.exe

Filesize
16KB

MD5
8e14954252067cdd3ab7f047bc92ce26

SHA1
3324a55e4fb516fd800c17908f3d46a8d55b6b04

SHA256
4adf9cf99ff232d59586d3eddd5b2a5ffeea1045c13dd1ceda0eb2c6128b6e74

SHA512
b13c7ef2165227a74b5624e9292138d1db1f2b40a362d2947d80c7737bc7645dc2a3111c02269b8b6f1a3f7ac6309489513270a48801afdd2d9a1136f6ac733d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F03.exe

Filesize
16KB

MD5
1bc4326c08d390bb598f664eafa13160

SHA1
4779aac2f59ed65617bec0fa19f2333c31d9384a

SHA256
e35bcb5fd22abbfd69bd02787d20d49aa20601270da6949ced44db63b36a7f7a

SHA512
fb54970d001e3107ed19c439b5eb38bc9bcc96623ac6c51d12e7b72fffef0549bad0ad190e061df4800ef5c8f1bae851d2c33a659ec513ab3f58c00ed4a52bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM82F6.exe

Filesize
16KB

MD5
9a83d2386c5bf90506fd703c641bf12a

SHA1
667055617f6e455fef89fe59d5678dcb234988f2

SHA256
7e38eac53c80a8295757811edb7180461a30fe78c89149b22193fbf14d7b663b

SHA512
40b6a5fd9b744b9d685475ef8c9c080cbbce53458619b02ac3360a4ac81b0c2b46067871c3725ee59a9654f4b056518da86942bb51c7c395fadbf13cc5df549c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD5FD.exe

Filesize
16KB

MD5
434b20b64305d4a4c9ac647a4141595d

SHA1
d6c5ab16d7dcad2aa5ecded25a688f3842296095

SHA256
9ac548473b6e922631b208a512bba77c8631632b54ff5c2a08c04f37b2661652

SHA512
630c33743555048f0e1733c01311debe779d0d2d8385b037c47b369b990d6774e4eb4d817c4a592a8b200973cf20e2f4a920ac09e471e20640821084cc4cc43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD915.exe

Filesize
16KB

MD5
ffeb96aecaabb62fe005c75443b69280

SHA1
73197344993eaf3a22cae8e2da8efcdf6e31f868

SHA256
efd2356e651fc55c63e9fbaa24996f26c439a3ddb47f1f168c31c60159c8ea56

SHA512
f0ae13ffedde616c04f1e8617e825e8b1c9601b9ea598ab1df7490b2fe7c0df1684bde348138894799825e4f1206bdffd9f5e300b7ba12899e63aa3483bddd0b

Download Submit

Analysis

Sharing