ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc

General

Target

ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe
Size

16KB
MD5

983515418035e4187a24b29bd92b6350
SHA1

2e0080c0d5bca7e30d57af5349032d30c57112c8
SHA256

ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc
SHA512

9e740ede70e6ea0334c83be6e457f9df7c035f2c04cec093deb600f61c1d5abd27eec27d7a82cd4625f99303c8e0eeaa18e9ac4125d3e50dafbb2f364f2910ea
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh3T:hDXWipuE+K3/SSHgxV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM2110.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM774E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM7494.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMCAE1.exe

Executes dropped EXE 5 IoCs

pid	Process
720	DEM7494.exe
2384	DEMCAE1.exe
3160	DEM2110.exe
1384	DEM774E.exe
4392	DEMCD9C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM774E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCD9C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCAE1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2110.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 720	3908	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe	90
PID 3908 wrote to memory of 720	3908	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe	90
PID 3908 wrote to memory of 720	3908	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe	90
PID 720 wrote to memory of 2384	720	DEM7494.exe	94
PID 720 wrote to memory of 2384	720	DEM7494.exe	94
PID 720 wrote to memory of 2384	720	DEM7494.exe	94
PID 2384 wrote to memory of 3160	2384	DEMCAE1.exe	96
PID 2384 wrote to memory of 3160	2384	DEMCAE1.exe	96
PID 2384 wrote to memory of 3160	2384	DEMCAE1.exe	96
PID 3160 wrote to memory of 1384	3160	DEM2110.exe	98
PID 3160 wrote to memory of 1384	3160	DEM2110.exe	98
PID 3160 wrote to memory of 1384	3160	DEM2110.exe	98
PID 1384 wrote to memory of 4392	1384	DEM774E.exe	100
PID 1384 wrote to memory of 4392	1384	DEM774E.exe	100
PID 1384 wrote to memory of 4392	1384	DEM774E.exe	100

C:\Users\Admin\AppData\Local\Temp\ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe
"C:\Users\Admin\AppData\Local\Temp\ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\DEM7494.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7494.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\DEMCAE1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCAE1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\DEM2110.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2110.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Users\Admin\AppData\Local\Temp\DEM774E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM774E.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\DEMCD9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCD9C.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2110.exe

Filesize
16KB

MD5
52f21618fc18b39344a9e5dab7e7800d

SHA1
d099150e23b8ef3738e7a140a0819c0a3f4194a1

SHA256
ea17f7d4df83ef476b5178947e9872c7e1c921db3bbe7bf729e68e4a3b05671c

SHA512
04d64e1d85e453c990942ad90a39e68290d6ba301cd1a86b5652a7b2600c466c4bcfbfda2fd951c99c78466c2e8fd213f01b3507b9e668b634652f3791f7293f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7494.exe

Filesize
16KB

MD5
1cc645ad2ba4525d24cdf754268b84e8

SHA1
1f4b466aff2c0fa91d1e1e9adcee6dd96536bde2

SHA256
05128b301cac0b9ba732cc89833dce5139d4446ff197dee7ae8c498578348f6f

SHA512
f8a986e236a239b995001ff56dc08d36c3bcbaf60a519dd3211f264a0789a0ddd2d41c397dfab8e681341a1cc6f8cbb1df0ef8dec9189607bd8c6c89624acd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM774E.exe

Filesize
16KB

MD5
975bd03596ce3616423dd06ac6599441

SHA1
1b522bbde65a39402e41eb492188bf8a742f5d4d

SHA256
ad0e720927b55dba09fa7bacaaaa57ba931251efcd628a3982554d48ccae129a

SHA512
127a4b869de73e818e9bca14fe597022607f85498e3c2aa427f6db21da7f75003bc5652792e0007cc45a5336fad08d40ae893325ce02f25f02acc54d5d3f731d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCAE1.exe

Filesize
16KB

MD5
39640faeaed9caa895b0146d855f77a6

SHA1
2c9dbf210b745ac2a3c4e60cbcabb5202bb65648

SHA256
8d36cefac2000fd3627231f09e44f4fb9f8b989745c2b9ca43f142858babf787

SHA512
9a51f977a6704eefdb056725b88d63fd069225a59124fa9f7ce72eb8d3f5fba2676a265860acad65e1deaf94b1730cadcd5b92e5439ef657ac33d54cf0d15df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCD9C.exe

Filesize
16KB

MD5
e8d00eec3cde939e71e5f27d386e1d56

SHA1
b9eeaed65ee2d82e63aec1aed945032e228aecfe

SHA256
1090170a97811dd7f4140053e77b5ca22dd3008461fcabc56b963523e4236574

SHA512
cb44ee9dc66fe7e781359554e99c94ec683fa01936eb8418aefe5bfb9136e39f66af8f29c9516db833d86f3017a4cbfa7567d05aa4bc72cbbdfcf51d3d7868fe

Download Submit

Analysis

Sharing