d7419eca8f8c69a5f0f296e1cfaac8253b41708d52755161a0c739f8419213a8

General

Target

4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe
Size

16KB
MD5

b04928d3c9ac3abaf0ff7cbeb6be9399
SHA1

c3c85f5e37c370ea8b5d3cdfd6aea399b1a4fc0b
SHA256

4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649
SHA512

697c5df22d5f9b62e8f1423b489520bbe3dad534364dfd46f570480568a85f4f7c33d784c67a051b40024410a20ebdb17e00a3876ea09ba80cbb7386d5e86e08
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlR:hDXWipuE+K3/SSHgxmlR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2644	DEM6FB4.exe
2856	DEMC561.exe
1268	DEM1B6D.exe
2476	DEM70EC.exe
2948	DEMC60D.exe
336	DEM1B4E.exe

Loads dropped DLL 6 IoCs

pid	Process
2456	4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe
2644	DEM6FB4.exe
2856	DEMC561.exe
1268	DEM1B6D.exe
2476	DEM70EC.exe
2948	DEMC60D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC60D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6FB4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC561.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1B6D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM70EC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2644	2456	4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe	31
PID 2456 wrote to memory of 2644	2456	4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe	31
PID 2456 wrote to memory of 2644	2456	4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe	31
PID 2456 wrote to memory of 2644	2456	4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe	31
PID 2644 wrote to memory of 2856	2644	DEM6FB4.exe	33
PID 2644 wrote to memory of 2856	2644	DEM6FB4.exe	33
PID 2644 wrote to memory of 2856	2644	DEM6FB4.exe	33
PID 2644 wrote to memory of 2856	2644	DEM6FB4.exe	33
PID 2856 wrote to memory of 1268	2856	DEMC561.exe	35
PID 2856 wrote to memory of 1268	2856	DEMC561.exe	35
PID 2856 wrote to memory of 1268	2856	DEMC561.exe	35
PID 2856 wrote to memory of 1268	2856	DEMC561.exe	35
PID 1268 wrote to memory of 2476	1268	DEM1B6D.exe	37
PID 1268 wrote to memory of 2476	1268	DEM1B6D.exe	37
PID 1268 wrote to memory of 2476	1268	DEM1B6D.exe	37
PID 1268 wrote to memory of 2476	1268	DEM1B6D.exe	37
PID 2476 wrote to memory of 2948	2476	DEM70EC.exe	39
PID 2476 wrote to memory of 2948	2476	DEM70EC.exe	39
PID 2476 wrote to memory of 2948	2476	DEM70EC.exe	39
PID 2476 wrote to memory of 2948	2476	DEM70EC.exe	39
PID 2948 wrote to memory of 336	2948	DEMC60D.exe	41
PID 2948 wrote to memory of 336	2948	DEMC60D.exe	41
PID 2948 wrote to memory of 336	2948	DEMC60D.exe	41
PID 2948 wrote to memory of 336	2948	DEMC60D.exe	41

C:\Users\Admin\AppData\Local\Temp\4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe
"C:\Users\Admin\AppData\Local\Temp\4e068dc4a32148b532e213e5ed0dfae83a6020d6554be4ff65b31d4b2b478649.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\DEM6FB4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6FB4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\DEMC561.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC561.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\DEM1B6D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1B6D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Users\Admin\AppData\Local\Temp\DEM70EC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM70EC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\DEMC60D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC60D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\DEM1B4E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1B4E.exe"
        7⤵
        Executes dropped EXE
        
        PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1B4E.exe

Filesize
16KB

MD5
5bb7382734f25a8212b429f5a7fdce18

SHA1
cb2d7dca2427e2e9be0b4a8d9bd0042b8c1e3c5f

SHA256
d6f06270876e929c823645e45bcbab4d92e27af2c7d8c8857ef17403e02f61e2

SHA512
2ba64b060f80ef6b0b26e6ba89de88b04c44bbd9d79ba378dec42299a4ec806034d00d060b9181eac900d4f0776f473710ccd0c39e6e013eaf5c4f7f844a0e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1B6D.exe

Filesize
16KB

MD5
6cb12be6ed067721cfb350dd1749fe9d

SHA1
1bef05cd073e387a59b3444f2e4e447595c5196f

SHA256
fb5f808125ff64e3581a0fb2eaa2f0b7b49123ba7249d9b78a29388ffdde4086

SHA512
f58b17e8da0d8649b7f0dee8b18c947b60af8ec89d02c317faf31622d5ade7059f267032aa8561a37ce2b1d50d93c54c1e09f4eb973bafe2415bd1ac6d3a57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC561.exe

Filesize
16KB

MD5
b1d926edbe0a89e297f851d3a42e88c6

SHA1
b9ef449ca2a5c3b7224fd04bb08bd5cbb97f94e9

SHA256
5797e018f05486322955f05c12ca22771076bb678c557d987d48528a31be21a6

SHA512
2afd3beb7ce247e860f6a2682b14f536fe0ea7e5e13045f509d3f02a18f92c7cc84d0dee0cd4e2a4c89b64fe0104dcd173ed2cc82096fed983e92b490fee0fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC60D.exe

Filesize
16KB

MD5
d6f3dc9e9ed609285134204bb2bbd863

SHA1
8bc58492298c9c4423f1572ebf04cd408e660713

SHA256
b06724985c49acbf82d04afad29d3f2e5d34ae9fffeaf4131717673d43339bf0

SHA512
cf4975246b5c4a01440f74873ffb02dbfd9de36e2e27734baf69cdadaad1128b76c886e18f2cbd3dec5349753797adf177533d0fc217788b814f51a9e2eb800b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6FB4.exe

Filesize
16KB

MD5
b62a311e2d0b5202aa955ebed468811e

SHA1
1e52ffd46d645123cd9a5a0e74b9d45577f0e1b1

SHA256
8a5019f15ceb49fc4bc87dc1cfc03965dcf72b01858ac80907df1aeb9d1bc399

SHA512
4439556466859ddb30983b8d9d982b201b742a63fb127198fccd4e83f3e25eebf52537fc8dad407ecb445461f2cdf712eddbe16d6465ab246ee16c31b3bd540f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM70EC.exe

Filesize
16KB

MD5
4bfdec1866c7ab63a73d577c0c8b997d

SHA1
7518c00ba2fc0f4b0e909fd278228e4ae3bd318a

SHA256
3a131131c7d6301831603e3ccaf890d351e57c56d05b5279859bcd5b465cba78

SHA512
44b6084dea4267a4d9ce5f0f7ec1c67bc17400b902e036f429eea390a2947602572ec7577608ba6db70ef1537d80ab59d9044df0228897c9f4c7ac262619e945

Download Submit

Analysis

Sharing