58c3cf89f91a4eb69b861b5db317830e15f640e9b3d7eadfb12fd3c48a901820

General

Target

b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe
Size

14KB
MD5

5423cc2f70cf3c502c9387442c6c5768
SHA1

7a73f73b178127dcdea2b377e927bb5bd8287cd2
SHA256

b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea
SHA512

8b427757a9d205f77f1f27f9b07e3de5d5651bab57275ac2ab44e8a3c56a61465a7da66dc0a38e73d7c2899c3e2536ed0bcd5b37ddf06dea94e992733b1decd2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYt:hDXWipuE+K3/SSHgxmt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2112	DEMCE95.exe
2888	DEM24DF.exe
2200	DEM7A7D.exe
2860	DEMD00B.exe
1032	DEM25E8.exe
2016	DEM7B48.exe

Loads dropped DLL 6 IoCs

pid	Process
1352	b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe
2112	DEMCE95.exe
2888	DEM24DF.exe
2200	DEM7A7D.exe
2860	DEMD00B.exe
1032	DEM25E8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM24DF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7A7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD00B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM25E8.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2112	1352	b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe	32
PID 1352 wrote to memory of 2112	1352	b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe	32
PID 1352 wrote to memory of 2112	1352	b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe	32
PID 1352 wrote to memory of 2112	1352	b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe	32
PID 2112 wrote to memory of 2888	2112	DEMCE95.exe	34
PID 2112 wrote to memory of 2888	2112	DEMCE95.exe	34
PID 2112 wrote to memory of 2888	2112	DEMCE95.exe	34
PID 2112 wrote to memory of 2888	2112	DEMCE95.exe	34
PID 2888 wrote to memory of 2200	2888	DEM24DF.exe	36
PID 2888 wrote to memory of 2200	2888	DEM24DF.exe	36
PID 2888 wrote to memory of 2200	2888	DEM24DF.exe	36
PID 2888 wrote to memory of 2200	2888	DEM24DF.exe	36
PID 2200 wrote to memory of 2860	2200	DEM7A7D.exe	38
PID 2200 wrote to memory of 2860	2200	DEM7A7D.exe	38
PID 2200 wrote to memory of 2860	2200	DEM7A7D.exe	38
PID 2200 wrote to memory of 2860	2200	DEM7A7D.exe	38
PID 2860 wrote to memory of 1032	2860	DEMD00B.exe	40
PID 2860 wrote to memory of 1032	2860	DEMD00B.exe	40
PID 2860 wrote to memory of 1032	2860	DEMD00B.exe	40
PID 2860 wrote to memory of 1032	2860	DEMD00B.exe	40
PID 1032 wrote to memory of 2016	1032	DEM25E8.exe	42
PID 1032 wrote to memory of 2016	1032	DEM25E8.exe	42
PID 1032 wrote to memory of 2016	1032	DEM25E8.exe	42
PID 1032 wrote to memory of 2016	1032	DEM25E8.exe	42

C:\Users\Admin\AppData\Local\Temp\b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe
"C:\Users\Admin\AppData\Local\Temp\b7169a795e600f323e165407b0724290ed46cf86190c5f78a733d294a59edcea.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\DEMCE95.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCE95.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\DEM24DF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM24DF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\DEM7A7D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7A7D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Users\Admin\AppData\Local\Temp\DEMD00B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD00B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Users\Admin\AppData\Local\Temp\DEM25E8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM25E8.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\DEM7B48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7B48.exe"
        7⤵
        Executes dropped EXE
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM24DF.exe

Filesize
14KB

MD5
0ef33f4bd0c440de3f02e1e2810c49a0

SHA1
c611f0067f2ace3e33089c76be3ec46e33b3eff8

SHA256
4f0badd203dbb2d20820b99444f1dc8dbcad1c96202306516acd5b18000ee496

SHA512
01359912a0492ff0fe63197cb85c3666d3798bc2c07b353a101de9c38b08721df35846fa132623c67cdb20ff67567ed1ee01ac19cd51d11de90c26030b6a3aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD00B.exe

Filesize
14KB

MD5
df8c791482022b4ea581e28667914a16

SHA1
466711bc3560c82251ad02aa822a9deed2d499fd

SHA256
23f7cf660c5797998301ad146c3ca7ae8007ba98c706ddf54913551b2bf9fa98

SHA512
762e4cad5c9d0fd2182b036fbe9cfdf0e4badd9554870f6705223b7ee265f2742da8b9a2fa2cd04ac54af83b80e4bb246b65a0dff787002097942d839860de84

Download Submit
\Users\Admin\AppData\Local\Temp\DEM25E8.exe

Filesize
14KB

MD5
0ed35c72b9eff31422cc8dce0c60a885

SHA1
89c89fed2a33dc6573be613ed196116df6f4b2a9

SHA256
11eeaa5b3111bf2453abea982768bc178a25788f5a8e75a4544b39680a470f39

SHA512
81a5bd268f2a77377262c5c9538050a5190f30b45405ba0ee7665c0a5fd1759df07c147e16ee924f3111f7b658bf8dd5e697c6cb5e5a811e18cd262e038a3df4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7A7D.exe

Filesize
14KB

MD5
52e2dd8315b5862837b92be0d25e7c21

SHA1
ae5157a75e2d9ce6d2f45ac7c5733f89b0186d13

SHA256
9522d6d18aa15b54e636b5be0bae4929cc05b118c7f2b673e4ee4bb3b6cbcc72

SHA512
7170cab5bc99f29141ed20ae7d37ffb8c0379835cb5e1d2f1eabff5b27be3d78b9630d577f741cd8c9431ff989595d73fc31a2d81bfd0d053163bae72844bbda

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7B48.exe

Filesize
14KB

MD5
7ca8f090179d2a15a7d9109cf3fc7504

SHA1
82f89e384e729e3f7e2731bee60a54fef9c593f7

SHA256
1a7b40215ae2a141da2d1bded1e71b88124a05d69a53f1351b7c7a0fe597d02c

SHA512
110044e20423e4a38db18082252c6b361e4a5de55d9ba5549de9f39aa767cb4b4dca6a80b50778f3b491001b01a4d69679ebac06f90015771a769f375189b5da

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE95.exe

Filesize
14KB

MD5
bb11d887cb299ce9a172409252989069

SHA1
ec977f2e59735075380b13839c3e70df2259cf3c

SHA256
2c26ab4de82f00b816e0adf130fa99f4fb1b40b87b55cadeba6244ea04b097d7

SHA512
9f5dcec5546e750c91cc412dd1ce29b70f450dc7213ca1b86323b88214819caf9d0d866faa214fda208480861e4b91b2f9785beeb85d015ce18d2b7f1c53d52b

Download Submit

Analysis

Sharing