ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe

General

Target

ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe
Size

15KB
MD5

753ca55de628252f684c132f47a61835
SHA1

6f2a850a689fe4ff6f805b6c201f167866ec09c3
SHA256

ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe
SHA512

e90790c24aa03ff24ca9bc56e67bdc96a833eb3478acf9fb109f65431121b071323164dee6a98684d451674dbc02b7720bf9b22cf374d9ca4b6a092bc2bd5510
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pjW2UWXq:hDXWipuE+K3/SSHgx49WdWXq

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DEM9ED0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DEMF685.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DEM4D8E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DEMA41B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe

Executes dropped EXE 5 IoCs

pid	Process
1180	DEM9ED0.exe
1936	DEMF685.exe
4472	DEM4D8E.exe
3904	DEMA41B.exe
540	DEMFA49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFA49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9ED0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF685.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4D8E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA41B.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 1180	3880	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe	97
PID 3880 wrote to memory of 1180	3880	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe	97
PID 3880 wrote to memory of 1180	3880	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe	97
PID 1180 wrote to memory of 1936	1180	DEM9ED0.exe	102
PID 1180 wrote to memory of 1936	1180	DEM9ED0.exe	102
PID 1180 wrote to memory of 1936	1180	DEM9ED0.exe	102
PID 1936 wrote to memory of 4472	1936	DEMF685.exe	104
PID 1936 wrote to memory of 4472	1936	DEMF685.exe	104
PID 1936 wrote to memory of 4472	1936	DEMF685.exe	104
PID 4472 wrote to memory of 3904	4472	DEM4D8E.exe	106
PID 4472 wrote to memory of 3904	4472	DEM4D8E.exe	106
PID 4472 wrote to memory of 3904	4472	DEM4D8E.exe	106
PID 3904 wrote to memory of 540	3904	DEMA41B.exe	108
PID 3904 wrote to memory of 540	3904	DEMA41B.exe	108
PID 3904 wrote to memory of 540	3904	DEMA41B.exe	108

C:\Users\Admin\AppData\Local\Temp\ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe
"C:\Users\Admin\AppData\Local\Temp\ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\DEM9ED0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9ED0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\DEMF685.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF685.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\DEM4D8E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4D8E.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\DEMA41B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA41B.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Users\Admin\AppData\Local\Temp\DEMFA49.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFA49.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4D8E.exe

Filesize
15KB

MD5
e2e7087d746c27fb6eea1aa2b41b1023

SHA1
3d6b1b2207b878f1d311200b6bdf9c47e0b4e4b2

SHA256
34752aea1ac852b0f5169bf3ebaca2a66cdf37d8784c0283c8c139161e4f76ad

SHA512
cef8e843b64efa97b3f2abab669cacf5f3ba381505bc7c030370dd13faa3f138989025193b2856a28be15074538c914aaca03ef8830d64ae8009a0cc54f926b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9ED0.exe

Filesize
15KB

MD5
87c2d3b454ab42c2bb15c5f972337bbe

SHA1
a14f05da573e4c6e9a69416ef9e7d527f205487f

SHA256
89154e93e3bdc50a3b9b05afaf0aaaf4911bbe1c81e47c3d361b7fc09e457fe4

SHA512
54c137b9a80abf944916822eb8702cf2eafe77e229b8a846e6a6486a8a20009580e03a593fba2a80eae9ac707405c3007785774a37a724c09b4f814ed4ea3dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA41B.exe

Filesize
15KB

MD5
9a6be96cbd52c9d6ef1c3cc38dd807b9

SHA1
226c59aaad624d887a7b4373ce9d5c823b489941

SHA256
435c73971f74034b6660f376c1639f28cead5733fed49259289e12049ff86232

SHA512
f3c2582f1d4c2d51d2b1136fffc29644cf4792b76b9770b224f5bd1a997e2d3964ddbf25d9d6dab5b6170d9cb8be3392f6a73b31fa1003560d1983a0caee9165

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF685.exe

Filesize
15KB

MD5
5986761b916b67def8606ffa4a89545e

SHA1
87e047ff79fafb251898d0311e91befe5ecd81c2

SHA256
7e3c0276474a3684ed8682acabe362de0fa1fc1f1f1703002427f55a29f7a097

SHA512
e42c41c7cc96b2c7a4f20cb6932fee59126b29b433edc39c929773502e5d43a03347133c1d93c9ad772aaadbff53a475e11fcfa95a4e59e3e1880e3f67133b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFA49.exe

Filesize
15KB

MD5
e9f8c0453888a3960110ae05aeba36f0

SHA1
94c395a6841e8e11708bd882edc93190f7a67b22

SHA256
d47edf5f3a16df96751be5638e3995e1db68611fa95acd4ffbc87e494528bea8

SHA512
1f206b2e80bb0754d1be30945fe019b0be9b3185d0731a92db329e2657065d042394ceceb0033deeba0efc85aaaab7e289e83e1cedd2a896cbf5d029e03fc5ee

Download Submit

Analysis

Sharing