2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910

General

Target

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe
Size

14KB
MD5

e7c70672e3b39c7777473504230b91a2
SHA1

5c178c7473200dba16b4ee4fe614392239e9c1f0
SHA256

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910
SHA512

0f688bdd21e01b3cfcfa2b784f12c968c4e1d5c7b5e934bae0ef0a58727fe406052b4c9f17eda66b3c983a9922c009480c7c71df98211502facdccbc38ea4062
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhiiTz:hDXWipuE+K3/SSHgxLiiTz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe

Executes dropped EXE 1 IoCs

Processes:

DEM8CBF.exe

pid	Process
3032	DEM8CBF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exeDEM8CBF.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8CBF.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe

description	pid	Process	procid_target
PID 3336 wrote to memory of 3032	3336	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe	97
PID 3336 wrote to memory of 3032	3336	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe	97
PID 3336 wrote to memory of 3032	3336	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe	97

C:\Users\Admin\AppData\Local\Temp\2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe
"C:\Users\Admin\AppData\Local\Temp\2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\DEM8CBF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8CBF.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\DEME33C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME33C.exe"
    3⤵
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\DEM389F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM389F.exe"
      4⤵
      PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\DEM8E02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E02.exe"
        5⤵
        
        PID:1644
      - C:\Users\Admin\AppData\Local\Temp\DEME375.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME375.exe"
        6⤵
        
        PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM389F.exe

Filesize
14KB

MD5
e4653ee23ff9320715d3e0987ed58978

SHA1
9b3f4d105f0fa2dd2e36b5623c26db01581d0980

SHA256
8ba0a7d2197b07a53daa06f0031995412ef1dd3c0a41482616572b55d8209102

SHA512
933bc0e2707e8ac0493c5d7facca19089199689c9286045a751bd8f0ccce4c70589519c454b4426f306a36e823c3da8d1984b2139e5ed7a5b477764d49ea0373

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8CBF.exe

Filesize
14KB

MD5
1801a4ae4002a41f3a30cedfe1b1408e

SHA1
a9af6b6942377cebf365cd3bc7b02fa0eb85d13b

SHA256
74fa5d7a241b0c49afcbde959753da119b465bbbb25b60da89a1ef236b11e521

SHA512
b4ec20d9211b6eed5fce34a182c838771c2492ca3864f495fff9f863660e7f6cafb782c02d4e10692b16a840a21a484b553ad9b0216c6639123a00e672f4e157

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8E02.exe

Filesize
14KB

MD5
19122537fea9a9e05eaa66acbbef8c23

SHA1
e0fcbddc4c3cf0d58efc89eddc526551842dbbed

SHA256
8edaf231586aae1aad2e63a6ad82b0d6c3ecb6c555f9fd65df74ed1a311ee6a5

SHA512
9a18b8c3614c09bbf93d282e8cc4937efd8e5905dced2bfc604fa82197b73e586f2a553fda9500e53780714efa7f6e69030b7d88ff1fa9da8823babc519e4c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME33C.exe

Filesize
14KB

MD5
3af5a6d4478b31cbd895707318b9adec

SHA1
99e9097ac97327d74df1ac6409aa52ae8d5abf84

SHA256
2c350cb85da9d0848e962421c6a4a89928999097b0ca5b737142b9d5c1db7a00

SHA512
a40dde2287cc05ef2a344f3cfd1a234ba82c985d42fdbe1c27a2f5d38df24abc6954b6fdaf780566b8a8c5748c076bb3ad2b9484ae7fac78fac9dde17ea4034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME375.exe

Filesize
14KB

MD5
51ed9eb036afb3db11e8cc9b9304490b

SHA1
ea8e7d9393115a1d3b181a298f40d2b9fe41c48d

SHA256
efc27734e2b59ab2b8da00439b6460d123444fdde9f3b4201eb6e89a1626f15f

SHA512
a95fe458542e91a7c7cb757354c387bf1812ddd9fc1865fd1b8625d42df1976afd2b12d9fc736dfb3ffbc43548700a8c4402d78a497413e98dacdd6284711ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME375.exe

Filesize
1KB

MD5
f0ff073c2502dabf075ebdacc43c704d

SHA1
dcc0c4b88aa645fb0c89b0925a00e3075de46430

SHA256
49f8e1976564513a2690210d8aab92536a5d98ca9f836884d5a7884b0e25aa3f

SHA512
5da9efc1922791d4baaac996e2428884c8957d1f6b17e65565d102537ac7d71b68f20bfe64eec91fe8e263ae83a41a4ba992d0d1345ec2fe78ca4b03944fd1f8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads