e7e8a720d61246617f207fc1d526cc02bdaee80a2edf8fa47725908650647289

General

Target

2493a1106394912af0c9d2ba70463030N.exe
Size

15KB
MD5

2493a1106394912af0c9d2ba70463030
SHA1

85557348b9c010959713d68f9415dd9988dcb9f5
SHA256

e7e8a720d61246617f207fc1d526cc02bdaee80a2edf8fa47725908650647289
SHA512

160309861c0faac008b3b149ac944e65a02f84862c475058252531054d609f384142179f5723e800d99e5336de40c9f4e8a29cb45bd01191097317ce198ff519
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlp:hDXWipuE+K3/SSHgxmlp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2324	DEMCB99.exe
2668	DEM20BA.exe
2532	DEM75DB.exe
1968	DEMCAED.exe
1640	DEM202E.exe

Loads dropped DLL 5 IoCs

pid	Process
1016	2493a1106394912af0c9d2ba70463030N.exe
2324	DEMCB99.exe
2668	DEM20BA.exe
2532	DEM75DB.exe
1968	DEMCAED.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2493a1106394912af0c9d2ba70463030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCB99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM20BA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM75DB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCAED.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2324	1016	2493a1106394912af0c9d2ba70463030N.exe	32
PID 1016 wrote to memory of 2324	1016	2493a1106394912af0c9d2ba70463030N.exe	32
PID 1016 wrote to memory of 2324	1016	2493a1106394912af0c9d2ba70463030N.exe	32
PID 1016 wrote to memory of 2324	1016	2493a1106394912af0c9d2ba70463030N.exe	32
PID 2324 wrote to memory of 2668	2324	DEMCB99.exe	34
PID 2324 wrote to memory of 2668	2324	DEMCB99.exe	34
PID 2324 wrote to memory of 2668	2324	DEMCB99.exe	34
PID 2324 wrote to memory of 2668	2324	DEMCB99.exe	34
PID 2668 wrote to memory of 2532	2668	DEM20BA.exe	36
PID 2668 wrote to memory of 2532	2668	DEM20BA.exe	36
PID 2668 wrote to memory of 2532	2668	DEM20BA.exe	36
PID 2668 wrote to memory of 2532	2668	DEM20BA.exe	36
PID 2532 wrote to memory of 1968	2532	DEM75DB.exe	38
PID 2532 wrote to memory of 1968	2532	DEM75DB.exe	38
PID 2532 wrote to memory of 1968	2532	DEM75DB.exe	38
PID 2532 wrote to memory of 1968	2532	DEM75DB.exe	38
PID 1968 wrote to memory of 1640	1968	DEMCAED.exe	40
PID 1968 wrote to memory of 1640	1968	DEMCAED.exe	40
PID 1968 wrote to memory of 1640	1968	DEMCAED.exe	40
PID 1968 wrote to memory of 1640	1968	DEMCAED.exe	40

C:\Users\Admin\AppData\Local\Temp\2493a1106394912af0c9d2ba70463030N.exe
"C:\Users\Admin\AppData\Local\Temp\2493a1106394912af0c9d2ba70463030N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\DEMCB99.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCB99.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\DEM20BA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM20BA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\DEM75DB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM75DB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Users\Admin\AppData\Local\Temp\DEMCAED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCAED.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\DEM202E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM202E.exe"
        6⤵
        Executes dropped EXE
        
        PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM20BA.exe

Filesize
15KB

MD5
004b9676e386115f545cfc0480c2b927

SHA1
7b3e0c4cac29d396e610189fb4c1a8c0dd6836b9

SHA256
50cf65a8c5c8b9ac9ffd55fe758f51b3888fa40f352df4a819aba26091c2dadf

SHA512
49074c3e60a4247b12769392792dace93e13afce87cee4f6d9dc040a5d761d5717bed5411fe5be8897576b6d8df3f57d504526ad953433d51f756ec8eab8456c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCAED.exe

Filesize
15KB

MD5
6e405d0a52ca515346561d9c1364d27c

SHA1
0ab0f1ba33f7fd00fe7954bb90b6071270ca72c9

SHA256
fd08c1cf11bb36c6843c971ad77a75f5b484d77b52085df969e61161c3a854e3

SHA512
3940f82021dc17b4ffa57e8cb623e145a3eb7af39630ffc9ea83a63fa322a9fe8df5eef390ab3c7817552d82e149a6ca63b72eb5b0dd6dd229622581b1856ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB99.exe

Filesize
15KB

MD5
273ffa6ffabf716089adc0f52996e4f9

SHA1
ede78cb8a239c1c8c20f3c4ab45af4810193b403

SHA256
587db891926f3a1b1a6be3d7bcfbb3535159af527f047c73bf33dd223d922b5c

SHA512
a61a7eff57cc43a5683c2733d39076ca8119e7c3b97be9bb6d30c111d87d32010a4fe9063b0e45eb6610b7ea35dccbf9fddf17a94baa5ab95ceb376afc532288

Download Submit
\Users\Admin\AppData\Local\Temp\DEM202E.exe

Filesize
15KB

MD5
74c074e61a66106db458b495b3e25f9a

SHA1
6f23ffe6c765d59cb51da7654002c469298f4347

SHA256
47906378ee140ac9a13f34a8f6563e93840a2745f80dcb84c5e7912cc0d8147a

SHA512
0ec365a691c5d34b3f8e8fbf1257f5ad23747daf583bb6d17150461d479492be594dc68a457ceb36420d312b4322d435675164f5ee09e2ed84dd02204dd78ca9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM75DB.exe

Filesize
15KB

MD5
81868ad3d418763f418611a9b0cf7eca

SHA1
db3b81dc1a620951aa8f3774b09c7a5e0232588b

SHA256
58f5c1e55f731e72cd8cc1e8ef161049c5389a85ec09c5514bc117914310a9bc

SHA512
925e135af4fece0bb5f2d99d8c9dde8ee2bd000c5a26e6d159bfc234186a424701d459fad01ed1e016a47de62e0c3b7a541abfca8001c1b7f7188dbd3382ac30

Download Submit

Analysis

Sharing