3f0763f3304cd6dd175893a2146e78e3d224b29c627d2a476a044f715d2a84fa

General

Target

0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe
Size

16KB
MD5

6e1d294a95c002ff59d6f2af282f108c
SHA1

7f5ac39b0b6f6ef1689e20940c94a3e33a39e8df
SHA256

0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf
SHA512

091b2dc8c1f7412420423b54010b92ba3af8c10050c7fda351f3c1499703739b4a676f3ce71e9868d648a7556753933dd502a02acb1fcfbe47e991323918e335
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhn:hDXWipuE+K3/SSHgxl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2104	DEM821B.exe
2956	DEMD7AA.exe
1600	DEM2D67.exe
3004	DEM8298.exe
2484	DEMD807.exe
2316	DEM2D76.exe

Loads dropped DLL 6 IoCs

pid	Process
2108	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe
2104	DEM821B.exe
2956	DEMD7AA.exe
1600	DEM2D67.exe
3004	DEM8298.exe
2484	DEMD807.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD7AA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2D67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8298.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD807.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM821B.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2104	2108	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe	31
PID 2108 wrote to memory of 2104	2108	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe	31
PID 2108 wrote to memory of 2104	2108	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe	31
PID 2108 wrote to memory of 2104	2108	0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe	31
PID 2104 wrote to memory of 2956	2104	DEM821B.exe	33
PID 2104 wrote to memory of 2956	2104	DEM821B.exe	33
PID 2104 wrote to memory of 2956	2104	DEM821B.exe	33
PID 2104 wrote to memory of 2956	2104	DEM821B.exe	33
PID 2956 wrote to memory of 1600	2956	DEMD7AA.exe	35
PID 2956 wrote to memory of 1600	2956	DEMD7AA.exe	35
PID 2956 wrote to memory of 1600	2956	DEMD7AA.exe	35
PID 2956 wrote to memory of 1600	2956	DEMD7AA.exe	35
PID 1600 wrote to memory of 3004	1600	DEM2D67.exe	37
PID 1600 wrote to memory of 3004	1600	DEM2D67.exe	37
PID 1600 wrote to memory of 3004	1600	DEM2D67.exe	37
PID 1600 wrote to memory of 3004	1600	DEM2D67.exe	37
PID 3004 wrote to memory of 2484	3004	DEM8298.exe	39
PID 3004 wrote to memory of 2484	3004	DEM8298.exe	39
PID 3004 wrote to memory of 2484	3004	DEM8298.exe	39
PID 3004 wrote to memory of 2484	3004	DEM8298.exe	39
PID 2484 wrote to memory of 2316	2484	DEMD807.exe	41
PID 2484 wrote to memory of 2316	2484	DEMD807.exe	41
PID 2484 wrote to memory of 2316	2484	DEMD807.exe	41
PID 2484 wrote to memory of 2316	2484	DEMD807.exe	41

C:\Users\Admin\AppData\Local\Temp\0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe
"C:\Users\Admin\AppData\Local\Temp\0af19b9afdd5648503cf87dc6ab82e04763ce79ec81e3199dd63165c6094d3cf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\DEM821B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM821B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\DEMD7AA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD7AA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\DEM2D67.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2D67.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\DEM8298.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8298.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\DEMD807.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD807.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\DEM2D76.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2D76.exe"
        7⤵
        Executes dropped EXE
        
        PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMD7AA.exe

Filesize
16KB

MD5
daebecbfad9fd93c8feef4da6579330c

SHA1
e78aa4322ac8bdf5c8bcaeb40dad478b5dbb89fe

SHA256
9deaba8d8cc4196fa2966220226ce204c0f6e01f24bfc5e6b2f1319d5300b5ba

SHA512
3444e63f63c7fe396a9ff96cb4ddaf7ee837bb6e3e2c0c468c373751c685c785db134d4c31137fa9beb522aae6e053fa96e60ff049e48ae574540cf0ebd2f553

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2D67.exe

Filesize
16KB

MD5
cef8ca0f8efc67e1ccce3af2e7faa540

SHA1
881bf3ba98f97d7b009884a969f1bde333965f38

SHA256
7f512ae6707d1ff625c2218af3495f952c1be48096739ebeec53352bd9871ba8

SHA512
acf362f8b74054986d92fa09ca550e8cb92a9211a77a99d7945441b19602d8d758738a377af677f67b1bd8fe840f29f5c5ae9b497206cce4050fd6ed0ff4d4e8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2D76.exe

Filesize
16KB

MD5
d6439f2f8b593829a3e16228965299a7

SHA1
9651926ad2e02d671ba0d3b9721397eb92c6b5bc

SHA256
b68625951392e5f241fc3a4e2711a99506371ff215adffdf30abfb1e165b0256

SHA512
c2a136915a2ad021270109af258afeb67a61136750fdc5fb7be023a27c8e6849e89b5d77779c521db84fa7b240c2b6556bc2fb64fda61d98bcf037cf5cceae91

Download Submit
\Users\Admin\AppData\Local\Temp\DEM821B.exe

Filesize
16KB

MD5
c9c072ee4fa138f64543633e9623a66c

SHA1
b58b37f0b873639d9b31e14878ab35d15727b892

SHA256
b90830d937c5f10d24a84b1ad22c6d94c0a87c2a410bb7220535f056c0af1999

SHA512
7d7cb0640d76dd40f785c0e8458634b7915c5c8df4121b4205dbea7e3372b4ace296610d83a766f3ea08a2c6807a70b8ecaadfa300ea5b3976941a6422288352

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8298.exe

Filesize
16KB

MD5
9c931eed0430ace26844303acd74ec25

SHA1
9b75cf0ffe4de06e51b591e39ee3957d49cd7bfc

SHA256
88ff38171ac02fc2001fb587e20f9f40902e17d423a1dcf2028cfb1be7bd1c3a

SHA512
c1219f440795803e6752b29d4ead324bdbb78002c4298af872567f71f4147a5b85ff985ee723ad0bde53a8a0220c263c0924d6c0217b30e79205c787228c0783

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD807.exe

Filesize
16KB

MD5
482e12bdabf15cbec5c45dae480e12e7

SHA1
287e4865099f7339ff1b637302cc8596e09fddb5

SHA256
aea6cbb2a422ca3a90af1f1bb03252119bb8b3bc7fac7f434a71569763b36343

SHA512
ea3797259a76ecf240a5b5796cabfdfda505be77586fa19451342b77c1e0be0c2795ba373487f75845feb3c3f5c2e6d31a325593cd37081b70fd8fb4bf46a602

Download Submit

Analysis

Sharing