9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364

General

Target

9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe
Size

15KB
MD5

024d871e89de6d7bae0bc5f789ecc307
SHA1

9f37d09241f4c117150ecdebf48523b0388b1dab
SHA256

9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364
SHA512

7dd8995eb96312b999a2ab6c972508f324920884f22dabc9de2f661156a3d9a61427fe4f3eee03cba527c9bbf31b6a9b23dc6c97cdba72058c3cd9db3918182d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEvzM:hDXWipuE+K3/SSHgx4zM

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM7C73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEMD3EA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM2A57.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DEM8122.exe

Executes dropped EXE 5 IoCs

pid	Process
4832	DEM7C73.exe
884	DEMD3EA.exe
548	DEM2A57.exe
1812	DEM8122.exe
3356	DEMD7CD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7C73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD3EA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2A57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD7CD.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4832	4812	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe	98
PID 4812 wrote to memory of 4832	4812	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe	98
PID 4812 wrote to memory of 4832	4812	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe	98
PID 4832 wrote to memory of 884	4832	DEM7C73.exe	103
PID 4832 wrote to memory of 884	4832	DEM7C73.exe	103
PID 4832 wrote to memory of 884	4832	DEM7C73.exe	103
PID 884 wrote to memory of 548	884	DEMD3EA.exe	105
PID 884 wrote to memory of 548	884	DEMD3EA.exe	105
PID 884 wrote to memory of 548	884	DEMD3EA.exe	105
PID 548 wrote to memory of 1812	548	DEM2A57.exe	107
PID 548 wrote to memory of 1812	548	DEM2A57.exe	107
PID 548 wrote to memory of 1812	548	DEM2A57.exe	107
PID 1812 wrote to memory of 3356	1812	DEM8122.exe	109
PID 1812 wrote to memory of 3356	1812	DEM8122.exe	109
PID 1812 wrote to memory of 3356	1812	DEM8122.exe	109

C:\Users\Admin\AppData\Local\Temp\9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe
"C:\Users\Admin\AppData\Local\Temp\9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\DEM7C73.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7C73.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\DEMD3EA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD3EA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\DEM2A57.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2A57.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Users\Admin\AppData\Local\Temp\DEM8122.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8122.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\DEMD7CD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD7CD.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2A57.exe

Filesize
16KB

MD5
ebafd6d4bac0b4a587238ac70d07ba04

SHA1
72f9733dec9e96b04f89ec70581a84a7292d3033

SHA256
294e37da360be9e70749b597f7bcdc8e6a60e1680e8c1f9f340c1c968e93ddd1

SHA512
7ae92e5f1b00d2ef710ef72622dcb5f6bba3a10bd7d661374994326be7974ced18bff473edfc9ff2c47cc20a164fea2307c5925f22648d669d788de120d23b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7C73.exe

Filesize
15KB

MD5
de73bebaae673254b39830382696f94c

SHA1
8620486c141f81ee3f7fb153bbfe50ebc8189e81

SHA256
e46fb27dc5066182f8e4c49a19867e9892288cd24dd9fa693ac6ef82805d93cb

SHA512
2e3cf111b9ce992c619524996962c93ed0b4ebb1a42eca454b57858df2ddac581d47f81b9b8064bcef51dfbc88b90938f8bf179b496274e5cf4dbca3885640e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8122.exe

Filesize
16KB

MD5
24ce405fee9bf017390b4d0d0cfaf3b9

SHA1
07afc2fe87488e771f30ee043284587c21465ddc

SHA256
5fa4cc97e274cc980c8762b2760addf5a7ae7a7c87592cb86c4e91d45afacc19

SHA512
51fde1e1e3602ae7801c93a7f64e1b590c38883a7194817ce304ee43b873328398f7c3a68af943940f62af6676db05be073b7e2aefcc952635371e055f533175

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD3EA.exe

Filesize
15KB

MD5
8da4a3251fd9ba7703a14a42ca7177ca

SHA1
531699a12107a49687f11ff4e83a65067541b64a

SHA256
b0d86025faa1bde50718a025455278dba5360fa96914f4cdf5ad5341ded34f7c

SHA512
f381765acc5754f9e322a96d9eec6ecb4695771cc5105e60b5f90b90a597438b33cc6109d53517fcca516aff72cfc340c34de203fbd847adb89986b649d84317

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD7CD.exe

Filesize
16KB

MD5
60839b07944d48623d75db73a46130cd

SHA1
95ce32af3abc99abc033aa2922c2eae544efeb98

SHA256
a569b5b050dd06a429f813cf5d03239274baac90416d1372fac2acbbbeb39034

SHA512
9e069137d5b4ace2079bfdf03237086b0140cc9f66a42a01580b2eccedbb7a7e901ef063a9f1a998009996633777ba2999558a86bc430b1046fdae6788b75fc4

Download Submit

Analysis

Sharing