51cca6a5bd368390595b66b1b0a57bac076d474185e4e0a24048894a17f1f64d

General

Target

DIDMM.exe
Size

30.9MB
MD5

a1af7718de1fae3e579247679b6f8cdb
SHA1

20311443a180c420cd53f194d6d13111d73a2e95
SHA256

51cca6a5bd368390595b66b1b0a57bac076d474185e4e0a24048894a17f1f64d
SHA512

3ec9e560df82a49a940e0a8d1e5fd9b84e3d36e80ebd3e3ddc7471d28e9b82bf2598b8a5f430605b8d07b0946adb28f1b1c18e1c6979ee0643725de79815a855
SSDEEP

786432:6Ly38s1U2R6XCW97h7QTdwiVc72R+KU4WvHsWjKVame4T9iFo05EAmYTF4P0CMR:uy38s1+B97h7Qm+W5JCMR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2812	play_scream_sound_then_quit.exe
2176	@survival_extinguisher.exe
1652	background_music.exe

Loads dropped DLL 3 IoCs

pid	Process
2384	DIDMM.exe
2384	DIDMM.exe
2384	DIDMM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DIDMM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	play_scream_sound_then_quit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@survival_extinguisher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	background_music.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	DIDMM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2384	DIDMM.exe
2812	play_scream_sound_then_quit.exe
2176	@survival_extinguisher.exe
1652	background_music.exe
2812	play_scream_sound_then_quit.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2384	DIDMM.exe
2812	play_scream_sound_then_quit.exe
2176	@survival_extinguisher.exe
1652	background_music.exe
2812	play_scream_sound_then_quit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2384	DIDMM.exe
2176	@survival_extinguisher.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2812	2384	DIDMM.exe	30
PID 2384 wrote to memory of 2812	2384	DIDMM.exe	30
PID 2384 wrote to memory of 2812	2384	DIDMM.exe	30
PID 2384 wrote to memory of 2812	2384	DIDMM.exe	30
PID 2384 wrote to memory of 2176	2384	DIDMM.exe	31
PID 2384 wrote to memory of 2176	2384	DIDMM.exe	31
PID 2384 wrote to memory of 2176	2384	DIDMM.exe	31
PID 2384 wrote to memory of 2176	2384	DIDMM.exe	31
PID 2384 wrote to memory of 1652	2384	DIDMM.exe	32
PID 2384 wrote to memory of 1652	2384	DIDMM.exe	32
PID 2384 wrote to memory of 1652	2384	DIDMM.exe	32
PID 2384 wrote to memory of 1652	2384	DIDMM.exe	32

C:\Users\Admin\AppData\Local\Temp\DIDMM.exe
"C:\Users\Admin\AppData\Local\Temp\DIDMM.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\scripts\play_scream_sound_then_quit.exe
  C:\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\scripts\play_scream_sound_then_quit.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\@survival_extinguisher.exe
  C:\Users\Admin\AppData\Local\Temp\@survival_extinguisher.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\scripts\background_music.exe
  C:\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\scripts\background_music.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\DIDMM_main.png

Filesize
1.3MB

MD5
d38d59320cfd7ac7b0eb695084fc8306

SHA1
c8c0fbfd116fea0693ef77ec8df10c029493649d

SHA256
8494b7a9cf9177679621d87b0cfdf1cfe77c6e738f5c5d49ac7254ac57b26d45

SHA512
81a4adf2ad583f37b624ecfa9f22115d9c63f4d49fd12f716c98ea5a6e54e6b732421dc09a4e813186a50f18d51f4f5a21f24eedfce782a4e84661bc1a4eb2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\sounds\DI_music.wav

Filesize
17.7MB

MD5
a5d50b70f67f049c8dbb44f9fddb5d0b

SHA1
9659a602fb7a8280c49263c35d7f06d4d8035bea

SHA256
985824da6524ef20278f15f1912e5efa74b912efcc00fa752dac762eb4abb58f

SHA512
3cc70063069c30dc84c41f306372b421132bba4254c797cc80672eaa0ae25d410339a5bb60b4c6c2e324d74ea8e96fa673ce890f2f5d6e2114ccc3bdf7bc8078

Download Submit
C:\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\sounds\scream_final.wav

Filesize
317KB

MD5
aa5c4a8e5d73b2cd4a0285654705d3f0

SHA1
4da82152d70ffbfc9650d4557d51b039ccc18bdf

SHA256
c9802ee9c138dae859e93f8510d9b3b4e0237d06772023a5c63545f23ff7c84e

SHA512
d009c361945712847c038087fda6c86aacc3b2891b622e8f49dbb526a8619ccf4c9dfb29f1a54ed17764f2cef92143bdc40bd1b51ac01d7ed2f66abc1f8831cd

Download Submit
\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\scripts\background_music.exe

Filesize
818KB

MD5
4c07bad60a4973d746bcbddc9028d523

SHA1
f280321736d4a63d555817b154bfb9ebeace2a27

SHA256
547017c170e71916b75e6115a9dd21b2589878408d0ab9c6218130450bc3ff8c

SHA512
dc932f637d88f1cbe39682235937cad5c2169997aeb7025c000549f23cd36ca5599ec989443a41da7afd2c4684f03f5ae0254650a66e10dde8ef6b508f85c40c

Download Submit
\Users\Admin\AppData\Local\Temp\@DIDMM_TEMPFILES\scripts\play_scream_sound_then_quit.exe

Filesize
818KB

MD5
63154c2d81e7d4c456df62297c67eea8

SHA1
cad803a48f38b4581bfa36ebcdc8ab5e29d65ee8

SHA256
a56284431cfb574e30f5ed05f082bd3c540e4308c107bb2a3861e277733dabbc

SHA512
882e6b4c076cf6221e921f467e34592116f4875af23e4de42fb3ad30b8f74c833fa522e95e1af9527144da209aa2240b7049df44355dec2ec3a908bdcaf26eca

Download Submit
\Users\Admin\AppData\Local\Temp\@survival_extinguisher.exe

Filesize
820KB

MD5
f6d5f30896c607a6f286b337390590e7

SHA1
f812a95375879aa9c467ab60bbc4a54c06f75dc1

SHA256
c35f28d46e71f071aeb9ba71e4848deec885f19c8380106000916af43940694e

SHA512
6a2886373a9d490594403d41d83d379067abfe3ae1efe13666088f3212729107eba47f5b10b995f23b7e6f0df64af3ca2e5539725dbe82249cf13aad9ea1b3d7

Download Submit

Analysis

Sharing