09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5

General

Target

09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe
Size

20KB
MD5

070c25bb63933e85a118c7c33fb96d4c
SHA1

3b5a3ae2368176f0a1a600b699b86adb7e5b96d9
SHA256

09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5
SHA512

a52715b9223f9c65fbb73a8b2edcd73ba68eedc42168db45d7da8ac9ae77cddea9cb7b8227168717a2d6442a20fcfde570dd6793c66dd5040fd6e5c82e5589a3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4l:hDXWipuE+K3/SSHgxmHZl

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEM623F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB8EB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB391.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DEMB75.exe

Executes dropped EXE 5 IoCs

pid	Process
1600	DEMB391.exe
2032	DEMB75.exe
2416	DEM623F.exe
4716	DEMB8EB.exe
2084	DEMF67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM623F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB8EB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1600	1564	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe	97
PID 1564 wrote to memory of 1600	1564	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe	97
PID 1564 wrote to memory of 1600	1564	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe	97
PID 1600 wrote to memory of 2032	1600	DEMB391.exe	102
PID 1600 wrote to memory of 2032	1600	DEMB391.exe	102
PID 1600 wrote to memory of 2032	1600	DEMB391.exe	102
PID 2032 wrote to memory of 2416	2032	DEMB75.exe	104
PID 2032 wrote to memory of 2416	2032	DEMB75.exe	104
PID 2032 wrote to memory of 2416	2032	DEMB75.exe	104
PID 2416 wrote to memory of 4716	2416	DEM623F.exe	106
PID 2416 wrote to memory of 4716	2416	DEM623F.exe	106
PID 2416 wrote to memory of 4716	2416	DEM623F.exe	106
PID 4716 wrote to memory of 2084	4716	DEMB8EB.exe	108
PID 4716 wrote to memory of 2084	4716	DEMB8EB.exe	108
PID 4716 wrote to memory of 2084	4716	DEMB8EB.exe	108

C:\Users\Admin\AppData\Local\Temp\09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe
"C:\Users\Admin\AppData\Local\Temp\09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\DEMB391.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB391.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\DEMB75.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMB75.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\DEM623F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM623F.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\DEMB8EB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB8EB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\DEMF67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF67.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM623F.exe

Filesize
20KB

MD5
68d366d0cc4d29e523765eaf160b4d25

SHA1
01e9cc399e41da123ab9411ef436f59bc5506d38

SHA256
2ead29383f491e644914f3bd295b7f0bacf9f5f00da5679da453d1f681ef552d

SHA512
b862c5b5c7b5bde3897f73a797cb8c71f7abb4d1527dd79834ca8206036e866efb6dd6223bce749c2ff72235d7e5c69f33e17b470bcef629cad2fb08cf09cf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB391.exe

Filesize
20KB

MD5
5da43eca527a53493c195b12483ef729

SHA1
e3cc6a9a611c3aa30e8e256fa30d952e4e3be11a

SHA256
b3c9b639d830e53ceaefd91d0cd7bb26c45100476d5e27b90f95d7fe2dcbbadd

SHA512
352baf97d94705a26ccc0d116081df76f1d00a9a7594fedc2ca65dbbf5821c30a72860277788fcb4314b08aa983f5a38308adf5b6daae3d04f450b00e5fd3863

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB75.exe

Filesize
20KB

MD5
f001f34c22256780a8c2e2d1899be0be

SHA1
93e703e88be6058d927a35e83eabecc956ea93ce

SHA256
7e794b0c67ac43f4990771970a64f35a4705612acab92d2c5ea0e794eb94355e

SHA512
50d697ab9eaecbf3fcab9f131d06957b5e2ed04a5f70ff4ca20dbc71a80943973626de181f674be1013cfd7133324b509f33c605c00ae24643d1c3265ecb7432

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB8EB.exe

Filesize
20KB

MD5
18f8b3869894961d27280425075a0d63

SHA1
c588878bada7507ea572e5330d187ecafa3a64be

SHA256
f61e668dd4cbb4d149e6e2cab6efb4011304e2125dc1062eea36e85c2fe99bb5

SHA512
9d726bb2deb456b5a8fbd3450de9a5860b8d6901a7db34284fdce6afdddbc59cbfb96ce200e1718a491e006f701eac819cd138d23cace0e9614ba98db93ef48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF67.exe

Filesize
20KB

MD5
8136a1e9d2b7f99c6d53a0c93a3a14fe

SHA1
80207856dbc468b2e329c47dd84df2c069017e97

SHA256
f09fde558e4eca2d7275f93c1f3baef027f2e43cd4e6680818c95a81c1688a45

SHA512
81d822caccffb0ef170a6aa812d42424b6a5e327efd66377a928679e958da6b2179aac57102802cf42c2c420978ccabde4c36fa713ec809452e3af2cc059c701

Download Submit

Analysis

Sharing