8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421

General

Target

8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe
Size

20KB
MD5

39dcd3c52fe53af48b3133c9286a3275
SHA1

586d1efe24f1274b12a45768459b0f77e46b3360
SHA256

8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421
SHA512

ea8272b408a413d279b0f833ed3ddbcfe3234e63d810a832636bd2d14245eb50dfca0372e66b07137c6717f9dc314e904b3edb0290c2c62802b2adff6efd289f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4O:hDXWipuE+K3/SSHgxmHZO

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM99A0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEMF194.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM484F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DEM9ECB.exe

Executes dropped EXE 5 IoCs

pid	Process
4192	DEM99A0.exe
3364	DEMF194.exe
1540	DEM484F.exe
1336	DEM9ECB.exe
3060	DEMF661.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF194.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM484F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9ECB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF661.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM99A0.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4192	4272	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe	98
PID 4272 wrote to memory of 4192	4272	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe	98
PID 4272 wrote to memory of 4192	4272	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe	98
PID 4192 wrote to memory of 3364	4192	DEM99A0.exe	103
PID 4192 wrote to memory of 3364	4192	DEM99A0.exe	103
PID 4192 wrote to memory of 3364	4192	DEM99A0.exe	103
PID 3364 wrote to memory of 1540	3364	DEMF194.exe	106
PID 3364 wrote to memory of 1540	3364	DEMF194.exe	106
PID 3364 wrote to memory of 1540	3364	DEMF194.exe	106
PID 1540 wrote to memory of 1336	1540	DEM484F.exe	108
PID 1540 wrote to memory of 1336	1540	DEM484F.exe	108
PID 1540 wrote to memory of 1336	1540	DEM484F.exe	108
PID 1336 wrote to memory of 3060	1336	DEM9ECB.exe	110
PID 1336 wrote to memory of 3060	1336	DEM9ECB.exe	110
PID 1336 wrote to memory of 3060	1336	DEM9ECB.exe	110

C:\Users\Admin\AppData\Local\Temp\8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe
"C:\Users\Admin\AppData\Local\Temp\8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\DEM99A0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM99A0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\DEMF194.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF194.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\DEM484F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM484F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Users\Admin\AppData\Local\Temp\DEMF661.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF661.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM484F.exe

Filesize
20KB

MD5
3fd9510c2826329b1aeb75221516de95

SHA1
c673347c9e80069a63ef6baa7e07a3406ec1f565

SHA256
05ac2f591237d5e8e2fa593b74f349c0ef984c716211c15157aa020b4840fa9c

SHA512
d963c553b51db9565013494bc651cedd21a18206bc9df3f43dbec480a389df52e2149f9bb39fe4feb4d8cad3f607f2fc30b43da080e526338deec9aa3ece5218

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM99A0.exe

Filesize
20KB

MD5
8ae8c62a1de867d5d4ac4673a069cbf9

SHA1
cb6b1021045c634a58dac99bf4a518891138b550

SHA256
fa10bacae335de61393cf326f53c50913fe2024eff59bc94e976eb831d758013

SHA512
d1ffb254499c79486f78a7dfdae667e4d615015bd63547bdfaf361bdc036611bdcd2dd286a4ab2fe0107fa92baeb8a2692b5875c447e9bdacf5aa7d43c7eb974

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9ECB.exe

Filesize
20KB

MD5
2fd9e3915b272deea05abe5bdbdeb938

SHA1
fe29a18ff3977fb3a332e065b0195f8014f395be

SHA256
35ecf4260e4e5d2248b26bdb22591ec4dbb97d0f458e4335e75bc2002927da3e

SHA512
082ecad513514a3384eb43bb642bef4dc5b747be9505e07df9745a827d3f55c2290883b68934006a66ca9f39dbc2231ac03c62de998e1800a5b807891fc70872

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF194.exe

Filesize
20KB

MD5
20f1539ece47577d625db5e4b52936ec

SHA1
229026c8750f79069a85f3e3e822a50ba9d17de4

SHA256
14e104d65d60259c878aa2abfccaa0e520c4ffdf4292e463dc219a511a676e3d

SHA512
7e0d4b813dc27bc5c1e51b7ed2a1c47fa9c89842ec1019d79f08b2040f58ac9d92a9b969275e35ca97b8634e9a5e27efa8c7491d44a891568993d9b216cd5e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF661.exe

Filesize
20KB

MD5
07bfd120259821a85e7ad985dace1c91

SHA1
5f76dcb18cafb09902389305c72e5ef512101824

SHA256
d704a8837f89e27049827d5b7e6ff04b0be6b795706f338d1f844a0ac37cb8b4

SHA512
d97053621ec245f413e3a22ed8bcd5e488323864af114ff8ad5ae36e1b76763bc5acd1b38495d808091762780ed18c2c61ee6a4d7fddfc95a6eacdc4404535a0

Download Submit

Analysis

Sharing