dc9cd5983d04fdf14d1dabf5e985fec3f8435aab9f931de002a6dfef868ed1a4

General

Target

2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe
Size

15KB
MD5

1696ec40ef9324eba72d5480547b4de2
SHA1

f257b172e0443a04d0e4425a47e7f1b83218f0f5
SHA256

2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b
SHA512

a63b5d6795c8670f1a8bc09188151bec9c3ebe8f770ef082db01530f0eba97821c1b20a832971cabbe39aa39028892f6c6df8c5b0de0131704dedc89b45a7881
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcPt:hDXWipuE+K3/SSHgxmkV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2836	DEMEF8D.exe
2496	DEM454A.exe
1064	DEM9A9A.exe
1812	DEMF113.exe
3016	DEM46B1.exe
2008	DEM9C01.exe

Loads dropped DLL 6 IoCs

pid	Process
1400	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe
2836	DEMEF8D.exe
2496	DEM454A.exe
1064	DEM9A9A.exe
1812	DEMF113.exe
3016	DEM46B1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM454A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9A9A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM46B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEF8D.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2836	1400	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe	30
PID 1400 wrote to memory of 2836	1400	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe	30
PID 1400 wrote to memory of 2836	1400	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe	30
PID 1400 wrote to memory of 2836	1400	2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe	30
PID 2836 wrote to memory of 2496	2836	DEMEF8D.exe	32
PID 2836 wrote to memory of 2496	2836	DEMEF8D.exe	32
PID 2836 wrote to memory of 2496	2836	DEMEF8D.exe	32
PID 2836 wrote to memory of 2496	2836	DEMEF8D.exe	32
PID 2496 wrote to memory of 1064	2496	DEM454A.exe	34
PID 2496 wrote to memory of 1064	2496	DEM454A.exe	34
PID 2496 wrote to memory of 1064	2496	DEM454A.exe	34
PID 2496 wrote to memory of 1064	2496	DEM454A.exe	34
PID 1064 wrote to memory of 1812	1064	DEM9A9A.exe	36
PID 1064 wrote to memory of 1812	1064	DEM9A9A.exe	36
PID 1064 wrote to memory of 1812	1064	DEM9A9A.exe	36
PID 1064 wrote to memory of 1812	1064	DEM9A9A.exe	36
PID 1812 wrote to memory of 3016	1812	DEMF113.exe	38
PID 1812 wrote to memory of 3016	1812	DEMF113.exe	38
PID 1812 wrote to memory of 3016	1812	DEMF113.exe	38
PID 1812 wrote to memory of 3016	1812	DEMF113.exe	38
PID 3016 wrote to memory of 2008	3016	DEM46B1.exe	40
PID 3016 wrote to memory of 2008	3016	DEM46B1.exe	40
PID 3016 wrote to memory of 2008	3016	DEM46B1.exe	40
PID 3016 wrote to memory of 2008	3016	DEM46B1.exe	40

C:\Users\Admin\AppData\Local\Temp\2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe
"C:\Users\Admin\AppData\Local\Temp\2941d8615a0e3f1acc46e3a100374df65173ae47da3530540f33e33a0986ac4b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\DEMEF8D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEF8D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\DEM454A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM454A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\DEM9A9A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9A9A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Users\Admin\AppData\Local\Temp\DEMF113.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF113.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\DEM46B1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM46B1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\DEM9C01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9C01.exe"
        7⤵
        Executes dropped EXE
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM454A.exe

Filesize
15KB

MD5
e16f77e6a93595bc2012e818fef650e5

SHA1
59c1af5901d3b948d488f657043c45a08d996102

SHA256
aa646e43cc679160fb26fa3415ea4d96a4773e5b21feaeb866dae1cbe7be0072

SHA512
f65d64b1860626fdc6bff65963d3a7741fdbe62e74cf4cd3fd5762e22b190b1936f727ba7e30138c914cab0f099a20a13a7748b3aecbd359c43afe29b9ccffb4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM46B1.exe

Filesize
15KB

MD5
4b23b26266154f99352dbadcaa87714e

SHA1
0aa5b6c73bea1c68bc19abf3a7cda63fa0adb66a

SHA256
86a1e885920b8c41a7e6b7978a679b71efb84af314f89446d17df225cf617c33

SHA512
efa50642fe3f54d98dbc112ad8225268fff631fd429936a518e3a13fabd3918b001d74681e9799278aec8aafa6a32c8500fa72864d0382200dfa62c7f83c998d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9A9A.exe

Filesize
15KB

MD5
1e3173e27f33aa4fcd2fceaa8b141d3b

SHA1
120a1b3552865fda9b858b4be557d839b569712f

SHA256
82407c26142cd84a400c4534177c926330da42d3ce099e35e8d5450f51b0802c

SHA512
18d0c6c664de8b1905e706d66c396b2bcca24e3c486a6e2177c144883012f509c9aab854acdfebfaad72e3d4be0abff6fff29e5284d9338032ed6a3a0fe2585a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9C01.exe

Filesize
15KB

MD5
f335481cc1bdb3d8b0b8a22ea3ddd39a

SHA1
523a8722791c4eb3a23b073aafd4285b6d0df4f6

SHA256
5421e3bd13c9c296b2300a8557c09fff16840eae0c21fb7680bba1a93e36525e

SHA512
6f3aa268b2418e807091dcc6add9d875fd23e33bc6dad5093ac4b0e6098a5db5fcadfb014512c39ed46c7ec6596a4240c508fec0bbe6dbb348f3a47450a7deec

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEF8D.exe

Filesize
15KB

MD5
97b11661778c3b76250f2c659fcffb5d

SHA1
fc8d9be78c0f7a741fd211f4bb7dc45c25fb25ed

SHA256
0b780eddf915c6d81c419e3e15b604639c1fa83574067850dc7904e96656c6be

SHA512
f8370155cbf5326ed70338cb710b589e1685156f4f0874b12c1bb7ce816a3c0fcda676bdf6069363e1a5772ec3801b6ee64624edeb0d5e605900f523dac8cbf0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF113.exe

Filesize
15KB

MD5
8a0b5dd8fc0ac9f6ffe578044fcf9bfc

SHA1
481f7f267cacd20ac336f398d97da417bb9f45b0

SHA256
c305046f40133e5a0e748109f3ae4a3fa150bdd1225938379309a2e18b603a79

SHA512
f1ee3e36a9d0d83ea15aff1785422d5f51e596cc68442f68c478a20a640a6273a678dbdd5bca6450cd5943bb9d75b8f4a4dc540666a4d5d8c6658744899881d8

Download Submit

Analysis

Sharing