2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293

General

Target

2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293.exe
Size

16KB
MD5

cbd1491c246ad858367a0fbb24d925d3
SHA1

40e9c06b114a2df0d914d637a601ef8ea84fced0
SHA256

2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293
SHA512

a0a5a5bfb25477c8f8c0d2a91709a4eb971f4cec30dba21ee0cefe48a33839e68d8abd10daeffca1876718107bcb00bdf1494d7b20751d7b488468f1ee7563be
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYly4p:hDXWipuE+K3/SSHgxmly4p

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM8364.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM7F32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEMD67A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DEM2CD7.exe

Executes dropped EXE 5 IoCs

pid	Process
4972	DEM7F32.exe
1084	DEMD67A.exe
1340	DEM2CD7.exe
3956	DEM8364.exe
3668	DEMD9A2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7F32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD67A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2CD7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD9A2.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4972	3352	2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293.exe	90
PID 3352 wrote to memory of 4972	3352	2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293.exe	90
PID 3352 wrote to memory of 4972	3352	2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293.exe	90
PID 4972 wrote to memory of 1084	4972	DEM7F32.exe	94
PID 4972 wrote to memory of 1084	4972	DEM7F32.exe	94
PID 4972 wrote to memory of 1084	4972	DEM7F32.exe	94
PID 1084 wrote to memory of 1340	1084	DEMD67A.exe	96
PID 1084 wrote to memory of 1340	1084	DEMD67A.exe	96
PID 1084 wrote to memory of 1340	1084	DEMD67A.exe	96
PID 1340 wrote to memory of 3956	1340	DEM2CD7.exe	98
PID 1340 wrote to memory of 3956	1340	DEM2CD7.exe	98
PID 1340 wrote to memory of 3956	1340	DEM2CD7.exe	98
PID 3956 wrote to memory of 3668	3956	DEM8364.exe	100
PID 3956 wrote to memory of 3668	3956	DEM8364.exe	100
PID 3956 wrote to memory of 3668	3956	DEM8364.exe	100

C:\Users\Admin\AppData\Local\Temp\2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293.exe
"C:\Users\Admin\AppData\Local\Temp\2db64f4ec3b0cd4eeeaa320d7eab54858f6df39faf160970d541e93426370293.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\DEM7F32.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7F32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\DEMD67A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD67A.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\DEM2CD7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2CD7.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\DEM8364.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8364.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3956
      - C:\Users\Admin\AppData\Local\Temp\DEMD9A2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD9A2.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2CD7.exe

Filesize
16KB

MD5
c676084a5b6545d1d5cd77efff2e8730

SHA1
68aed325589d7ba324d37be182d57c479257e515

SHA256
b0c8b25344ea5023b2adb0047124ace6b742bd021c29bd282d63861b23b09a43

SHA512
1178cd174bb55912b5c33918e6c25450bee24bf115b17618f099279b807a136f2012ef2ae4141124109948d0f65772eb0ddccb235b7c969a78a4f5fe833d9456

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7F32.exe

Filesize
16KB

MD5
faec8ab21d6782ecd74cdaf28c2b99de

SHA1
ab77a5b0e3436a2096a7ec0da3b89915fd5f6301

SHA256
8245e03af165fa550d6ef1c682679b915b5efec44d1d2dc188f99e83848e3f76

SHA512
7513f684ca3137a18ee8942b2b9562bfda57cfc71033fde617cca34fb87d7f46d409704e54ca5876289185b289537cf330e4e2726f2c2d96ab67cdf6710bebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8364.exe

Filesize
16KB

MD5
8229bdb0b9f3c6f94e5584ffa0b2c2a9

SHA1
7420763b052b33bc2625fb60e8f80d96803e5f19

SHA256
71a2d1f8c3595e26d88b77ace8429c69e7c1f7aee13bb256d0d4e9de1ffbd877

SHA512
34b84c1e5f1be1322f149f258ff0e8613818e3b0608dd54822c82ab53cac43a9d3e015a4a436943484ec850f29775be3784e06e7f8ff92850916bb55d64b50ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD67A.exe

Filesize
16KB

MD5
b0f7d9d4ef05b14cd46f5b96ace2ef4d

SHA1
bc27132d2c4185de3dc6c1531a83fbefe4e18af9

SHA256
3fe89c03f714e6d21eea55517f3b5c48b006b76a48d28c51fb550eb0a58123c7

SHA512
f8064ce53760b87c5986cc38c58b69a8e57c80fc8c8ffd66623bc6873cc68eb40616888f36676ea9c93a36069a1f120cc204cb8adc2784db154656294c3f4e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD9A2.exe

Filesize
16KB

MD5
55d627f4ccd147d9973a7c863ddf7dc7

SHA1
bfa7b407388e676cfc3f83e0d97b5cebb07c4213

SHA256
a9f15f6b574236d40ef88833017b9b125271525326af5720355d1cdeef7dfdb8

SHA512
93dfc045fcd603b1dea651870fe3efa4e0a7988451337ecbc19114ae0fbaa7c43e92f6adc450efde9862d7a1b3bdeda592878479efc2be6c46b083cd71799776

Download Submit

Analysis

Sharing