a1ca8fab1a43b44ac4dbf3012fb56cf6665d243c3bcd196b60c527fcad744d94

General

Target

4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe
Size

16KB
MD5

32da6285a5d78fea4aa28b8de1db00dd
SHA1

fbc8b7ae519e451c1f5974a5da15200af712d487
SHA256

4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7
SHA512

0eac4bd0b7ca4fc3f272491623c67423c6797ba39b4ce44e98a89d31383f86b96673e868234a8cfa6cab1f4095227f47929a27796dd0a65b3d0edfa59af74da4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Fk:hDXWipuE+K3/SSHgxm0C

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2500	DEMB1C2.exe
2876	DEM6D4.exe
2620	DEM5C24.exe
2968	DEMB165.exe
1476	DEM6C4.exe
480	DEM5CA1.exe

Loads dropped DLL 6 IoCs

pid	Process
2552	4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe
2500	DEMB1C2.exe
2876	DEM6D4.exe
2620	DEM5C24.exe
2968	DEMB165.exe
1476	DEM6C4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5C24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB165.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6C4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB1C2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6D4.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2500	2552	4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe	32
PID 2552 wrote to memory of 2500	2552	4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe	32
PID 2552 wrote to memory of 2500	2552	4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe	32
PID 2552 wrote to memory of 2500	2552	4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe	32
PID 2500 wrote to memory of 2876	2500	DEMB1C2.exe	34
PID 2500 wrote to memory of 2876	2500	DEMB1C2.exe	34
PID 2500 wrote to memory of 2876	2500	DEMB1C2.exe	34
PID 2500 wrote to memory of 2876	2500	DEMB1C2.exe	34
PID 2876 wrote to memory of 2620	2876	DEM6D4.exe	36
PID 2876 wrote to memory of 2620	2876	DEM6D4.exe	36
PID 2876 wrote to memory of 2620	2876	DEM6D4.exe	36
PID 2876 wrote to memory of 2620	2876	DEM6D4.exe	36
PID 2620 wrote to memory of 2968	2620	DEM5C24.exe	38
PID 2620 wrote to memory of 2968	2620	DEM5C24.exe	38
PID 2620 wrote to memory of 2968	2620	DEM5C24.exe	38
PID 2620 wrote to memory of 2968	2620	DEM5C24.exe	38
PID 2968 wrote to memory of 1476	2968	DEMB165.exe	40
PID 2968 wrote to memory of 1476	2968	DEMB165.exe	40
PID 2968 wrote to memory of 1476	2968	DEMB165.exe	40
PID 2968 wrote to memory of 1476	2968	DEMB165.exe	40
PID 1476 wrote to memory of 480	1476	DEM6C4.exe	42
PID 1476 wrote to memory of 480	1476	DEM6C4.exe	42
PID 1476 wrote to memory of 480	1476	DEM6C4.exe	42
PID 1476 wrote to memory of 480	1476	DEM6C4.exe	42

C:\Users\Admin\AppData\Local\Temp\4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe
"C:\Users\Admin\AppData\Local\Temp\4100f0d74bab942a6a3d5347265de7c771a6293d5332113eed6d45298faea3c7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\DEMB1C2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB1C2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\DEM6D4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6D4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\DEMB165.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB165.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Users\Admin\AppData\Local\Temp\DEM6C4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6C4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\DEM5CA1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5CA1.exe"
        7⤵
        Executes dropped EXE
        
        PID:480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5C24.exe

Filesize
16KB

MD5
737b885ef2f14c242e45e4230c2db409

SHA1
0dad02adb93c514111c37350bdca590271161607

SHA256
d34ba6772ef7c75743105e13d13e587398a89df4b72f3ef06109200e7adf2327

SHA512
1705499142b113d28f281b360e37c17f04e907b805cbd56f66ff29262c809a49df6fa620a9b347cb6aa5a362958ead174a149e494d8adc9fc59c11c35082f7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5CA1.exe

Filesize
16KB

MD5
a95e2c84370ff1dfb609ee39115bbdd8

SHA1
7eea90beefc2c56f051cb074ad58dacf5cc944fd

SHA256
a9d2736c07bfb345008d9c5973e835c91a3f2ec1d6c801fa1fd503401a2f6f99

SHA512
e9a82f1d736e8c33d77f0839f98073a6a205a2dcfa57abb2980784d28b611904baf3abc24d15587888fb13455043e558a56687940221fcfaa6a31eea0267923d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6D4.exe

Filesize
16KB

MD5
3f0979cca8ec8eaf51da0242c4f2ee9b

SHA1
99440aa109d76ece9e456a7966807688f17a47bb

SHA256
04288501ed320172d61de55a2df50d315574fb8878e79d9ef88df9ef5f7214e6

SHA512
ee36061352553abad2e18b526966c5e10c5c76fca9ddb13a16369257e75befca0e0714426f23c993402dc881dcc0505042f6ca509a775b7b2c3546b9445ddb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB1C2.exe

Filesize
16KB

MD5
50819e96df607ac381a7c56e769845b6

SHA1
28d80afc17bc173b4efe7dff63b98d0fbea536d4

SHA256
73c82e2d175ede24a102fb74f0f686402c23234fbfcb82d45800b1f968af14bf

SHA512
9a07ae9ee413a3c89dfcee9c86fe983869dc852b0dde996396479258d219d2fab3d1b52b8b059049a72616f97b8d1a055dae1d019ebd437a29e8efac903b4f36

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6C4.exe

Filesize
16KB

MD5
243c6dc0a88a244bd0d44f7a377153da

SHA1
002b24ffd7e1fc3ddcee392e91acc5eec44ba5b3

SHA256
5e3439e40b7c26cc1961a590666ed83f31eb26bbe07cf21c117a55d5d08665ea

SHA512
3af0d5bb313256fa1ca1585a4b1508eca444ff3d18de65351e11a7db8ea8244c9a11a5f063e431abc920d27052b925e34ed0b79304795d79207aa82394fccc54

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB165.exe

Filesize
16KB

MD5
31cc612470b66b1191413d16a8c85265

SHA1
3e558f68f9ce25ba574e4c3b848356cac31260e0

SHA256
53059275192979b9f352910489fd05d26fa380a6263a6a592fe94eecf8234f97

SHA512
f6421d7d43623ec7ed765d7ab7fe70a82eb68a6dbe69beb7653971ae7b4e7913ecbdf8ff341eda2501e2ee0a52f12722a4b62bf2ed22c7f88b108d6013fd045d

Download Submit

Analysis

Sharing