af43f41b601c6f278b66515ae2b60c761a10bca231ea7372c77be72f4a90edf8

General

Target

1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe
Size

15KB
MD5

81e80a483584cb9c82e050bacb63175b
SHA1

51566d797ca743d5f778fcd4a4db0508a0612cee
SHA256

1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf
SHA512

94fa15748244203a6ab92240ca45e4368e1b92e7b04ae01f3163f873fbe534420481f245e471a7674676139d3a5a7be0d96d3fdacd961d9b8b725a8609eb1436
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6QK:hDXWipuE+K3/SSHgxmyh6QK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2696	DEM1F24.exe
1940	DEM7465.exe
2968	DEMC9D4.exe
852	DEM1F44.exe
1344	DEM74A3.exe
2372	DEMCA22.exe

Loads dropped DLL 6 IoCs

pid	Process
2264	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe
2696	DEM1F24.exe
1940	DEM7465.exe
2968	DEMC9D4.exe
852	DEM1F44.exe
1344	DEM74A3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7465.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC9D4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1F44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM74A3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1F24.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2696	2264	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe	31
PID 2264 wrote to memory of 2696	2264	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe	31
PID 2264 wrote to memory of 2696	2264	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe	31
PID 2264 wrote to memory of 2696	2264	1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe	31
PID 2696 wrote to memory of 1940	2696	DEM1F24.exe	33
PID 2696 wrote to memory of 1940	2696	DEM1F24.exe	33
PID 2696 wrote to memory of 1940	2696	DEM1F24.exe	33
PID 2696 wrote to memory of 1940	2696	DEM1F24.exe	33
PID 1940 wrote to memory of 2968	1940	DEM7465.exe	35
PID 1940 wrote to memory of 2968	1940	DEM7465.exe	35
PID 1940 wrote to memory of 2968	1940	DEM7465.exe	35
PID 1940 wrote to memory of 2968	1940	DEM7465.exe	35
PID 2968 wrote to memory of 852	2968	DEMC9D4.exe	37
PID 2968 wrote to memory of 852	2968	DEMC9D4.exe	37
PID 2968 wrote to memory of 852	2968	DEMC9D4.exe	37
PID 2968 wrote to memory of 852	2968	DEMC9D4.exe	37
PID 852 wrote to memory of 1344	852	DEM1F44.exe	39
PID 852 wrote to memory of 1344	852	DEM1F44.exe	39
PID 852 wrote to memory of 1344	852	DEM1F44.exe	39
PID 852 wrote to memory of 1344	852	DEM1F44.exe	39
PID 1344 wrote to memory of 2372	1344	DEM74A3.exe	41
PID 1344 wrote to memory of 2372	1344	DEM74A3.exe	41
PID 1344 wrote to memory of 2372	1344	DEM74A3.exe	41
PID 1344 wrote to memory of 2372	1344	DEM74A3.exe	41

C:\Users\Admin\AppData\Local\Temp\1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe
"C:\Users\Admin\AppData\Local\Temp\1dc2b153ca88508fb2fa2c2899ea12e8e1c7d4f0f825b75d6128b45742bd41cf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\DEM1F24.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1F24.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\DEM7465.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7465.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\DEMC9D4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC9D4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\DEM1F44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1F44.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Users\Admin\AppData\Local\Temp\DEM74A3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM74A3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\DEMCA22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCA22.exe"
        7⤵
        Executes dropped EXE
        
        PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1F44.exe

Filesize
15KB

MD5
c054b4cb1c3956d9469e7f7d76061682

SHA1
c2791c2c6cf01bb6106d6b156fb2f080c3905d09

SHA256
02fa2bd6c54c2d88244997b8797a847730cf123e00696cfbe87db467a54ab8f8

SHA512
30305e173119b3d70a5035f2a45911156bbf2307ca1723f6e263612703ed7d08f2485c08341469dadcc92fd9478a866f034e917b7ae34cf838890e9c8ec2f184

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7465.exe

Filesize
15KB

MD5
a5e3ecafaa501592297a8a342b860711

SHA1
6a851ec79ae6f600300c8a7ac32e8ac610eae44a

SHA256
402e3d93d2cea4cc01ff7abe488f2e066335667df63c227a5262fe11c1853885

SHA512
38977744f1faa5f7d86d67d584c39eee75ad557392be5c4ea70002a0292f41d3699cdbc687fabb8e21c6effa1240ab8752f3f989592e7a24fd0fbb7a9b91d944

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM74A3.exe

Filesize
15KB

MD5
db02f96a10df7db6814689aee41ef11b

SHA1
ad4884b6d7de30318de08a5ed20130186ebc7a2c

SHA256
4b40511613783eb6f4a66a26b46c988d8a21fb880b05029423bed1ef321551b0

SHA512
56b8ce85cb181476dbae03e73c68f2eb5eaff1757267095f1e4d20b988755b4897f21c6ff6f96087c1cf77532ca7bc538cc882d5debbf2b15d11a4effb3ef0a0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1F24.exe

Filesize
15KB

MD5
2d38693027cd7ac56c92e82900ab0f62

SHA1
72894e06b0ec3fae5644e1af2290623528282410

SHA256
38d6553add5dbb4be9decaa3789e7dd8a5cf39d9363c0194fa597dab9ae02437

SHA512
75e50a58b824e761ebe530cf3659673129da189c2a2221d2d423de01b8a6b7b1ee09e5fee3e2aba321e1bfad7c83f79b4897a9d3934e8c565af51e950020e4eb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC9D4.exe

Filesize
15KB

MD5
522b8102eda745f1315d9035606a5bd8

SHA1
d27a486988c951e9d6e3f1ee33ea32e2f60634a1

SHA256
aa244719052fd87f6b5add182bb3a977d9c14bdb0c383d693bffac7379821640

SHA512
1d17d659c92848be0eb461d0afc8ad97fc80c5060e9bf4f7c4fa80efb9fac8724ecc17b07cd9d55a1ebd69597775c78738b8fab082c958072978ebe5f78773a7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCA22.exe

Filesize
15KB

MD5
0f2ad99d9b096ed415f820516eb677b6

SHA1
d107b2610763a1ef3389796fa54ea19871bc10a6

SHA256
23ff63bb24227ffe984d4eb5f040e22ab6e0da8a97d479f088cc9b45f71a6172

SHA512
1c448e2749757e67af339cc05b340683a3035fcd60fdb0fb4dc6ab10700adda3177da75c0391e5c5560285946b7babba668925ea66548e8e1de6ac27ddc71b09

Download Submit

Analysis

Sharing