1618a1e819248f7e6896d75846c8ca92b89dfe81d588fe757d3abd546908509f

General

Target

26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe
Size

16KB
MD5

58cdf2b25edc50a4ef4ef5a4be5d1125
SHA1

38aa3e3f91495a5196ff2742a3edba5ae3b3658a
SHA256

26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301
SHA512

931f208ea940e4ed343290f3ca71798c144705d7506aa4586a2d182dab178b1e540ea27a677b278afbbd1f7671408db2a1a1992bfcee3588285923dffab87125
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRz1:hDXWipuE+K3/SSHgx31

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1568	DEMC0FE.exe
2152	DEM164E.exe
2624	DEM6B8F.exe
1928	DEMC0FF.exe
1676	DEM16FA.exe
1900	DEM6C2B.exe

Loads dropped DLL 6 IoCs

pid	Process
1828	26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe
1568	DEMC0FE.exe
2152	DEM164E.exe
2624	DEM6B8F.exe
1928	DEMC0FF.exe
1676	DEM16FA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM164E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6B8F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC0FF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM16FA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC0FE.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1568	1828	26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe	32
PID 1828 wrote to memory of 1568	1828	26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe	32
PID 1828 wrote to memory of 1568	1828	26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe	32
PID 1828 wrote to memory of 1568	1828	26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe	32
PID 1568 wrote to memory of 2152	1568	DEMC0FE.exe	34
PID 1568 wrote to memory of 2152	1568	DEMC0FE.exe	34
PID 1568 wrote to memory of 2152	1568	DEMC0FE.exe	34
PID 1568 wrote to memory of 2152	1568	DEMC0FE.exe	34
PID 2152 wrote to memory of 2624	2152	DEM164E.exe	36
PID 2152 wrote to memory of 2624	2152	DEM164E.exe	36
PID 2152 wrote to memory of 2624	2152	DEM164E.exe	36
PID 2152 wrote to memory of 2624	2152	DEM164E.exe	36
PID 2624 wrote to memory of 1928	2624	DEM6B8F.exe	38
PID 2624 wrote to memory of 1928	2624	DEM6B8F.exe	38
PID 2624 wrote to memory of 1928	2624	DEM6B8F.exe	38
PID 2624 wrote to memory of 1928	2624	DEM6B8F.exe	38
PID 1928 wrote to memory of 1676	1928	DEMC0FF.exe	40
PID 1928 wrote to memory of 1676	1928	DEMC0FF.exe	40
PID 1928 wrote to memory of 1676	1928	DEMC0FF.exe	40
PID 1928 wrote to memory of 1676	1928	DEMC0FF.exe	40
PID 1676 wrote to memory of 1900	1676	DEM16FA.exe	42
PID 1676 wrote to memory of 1900	1676	DEM16FA.exe	42
PID 1676 wrote to memory of 1900	1676	DEM16FA.exe	42
PID 1676 wrote to memory of 1900	1676	DEM16FA.exe	42

C:\Users\Admin\AppData\Local\Temp\26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe
"C:\Users\Admin\AppData\Local\Temp\26387c7bd59f00f00a72ce7e0102b76240bc6d7bebfc8d684b74389c2b89c301.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\DEMC0FE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC0FE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\DEM164E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM164E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\DEM6B8F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6B8F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\DEMC0FF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC0FF.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Users\Admin\AppData\Local\Temp\DEM16FA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM16FA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\DEM6C2B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6C2B.exe"
        7⤵
        Executes dropped EXE
        
        PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM164E.exe

Filesize
16KB

MD5
81e60b824b5d4b2ec7422086b1032c5f

SHA1
0e195804dd00689c6f0077bffbd4114078cd3887

SHA256
e162424d088536599bc496e732700b8f839180f1b3925f7b3c54340599419c07

SHA512
aa8758f25b346fd34f83b14106a836bd67bb88f5288b87c5f3bb41eaf9c328836cdec7d0979d0b97312705f342c5a1ad7044a65d2470d352bdfae7eb4510c7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM16FA.exe

Filesize
16KB

MD5
f2b2b32a6858d6ce469f57a0951b641c

SHA1
1cbda7952f5c1e9b90ed8eb8e6403eb20241c32f

SHA256
d305db28a64dd1b550d3a2c40273f3f25aba015e14dd86c2aeaddd536b1f70af

SHA512
42157bd1fe1922466593e9a44cff4d8f8d58671979347de220520c756702d07f85bd17b79604959cc94be25997b6429963bd4e4dadb63673db90b6723804e12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6C2B.exe

Filesize
16KB

MD5
3abd202849bc1257c983384998737775

SHA1
2548eb9d79391bccb1662cf8fe4c625b864cd59b

SHA256
6a0e69e9c62484cfd7d81fa6d3c71bb9ba56d834e97fc66fc95306d3511aa02c

SHA512
c9b0a00bf89559391e3ce3924d5ef07e614095485059967894022860b4bb0463dd1d449bcd0e43b5e082dd7dd0db3392661887d2530e2093715ff713745bb271

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC0FE.exe

Filesize
16KB

MD5
1f8827cd7c13c57adc86befcf32c8826

SHA1
2d80bbac58d8b3bd2d5d6c08e31a7ba56462d764

SHA256
c89faa985890a8600c60ba1b5966335dc94c2825c2dcc0cf6b7da08e36725026

SHA512
04b04e90716d4840fec49db26d5643e63352997d5714030cae844d2cd46a74b3cb05d77e77fe3c5b9ddb3c5500a1cbadd562dfa2cf372afe79c8106d18b3564a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6B8F.exe

Filesize
16KB

MD5
6facbca4b4716a84812db4d1bab6a2c8

SHA1
f92d75c40d8d410e3dd166ef18db80b796bd42e2

SHA256
e24327a1221d8fa861627d47861a3efc3f8d8cf34f02e30ca520b7632202f9aa

SHA512
ac40f49a726c110218fd5d7b6fbe19fddd131b942614d75a0242db386085583179e95bacc4864120a952c5e4af86d31d0ca5e79d59b501d4ea6743208c2c3308

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC0FF.exe

Filesize
16KB

MD5
8bb64478f018f1e5ab885b2df2e10337

SHA1
8b3a377db0ea74a309dd565fde3f0bf052fe5d64

SHA256
6ad97b9e46e183a8c7018cc7664637ef9420841c5aa44255b2aef00a1aaf81f4

SHA512
a139f2dc8f6fdfb68b62bcf2d52e7cc03c6453ec603f1e9c6002c171a208bcd7203d2909e323aeb873d7fcfbe2f34b2c95371e9eb4b2e7f7cb78ee2b7d3a0f38

Download Submit

Analysis

Sharing