422963d4d341eab1542c58c7708a436e0d453df38d543128a1ed740ff71bcb2e

General

Target

8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe
Size

14KB
MD5

5c118ac87060f6f205cc4793b8a9500b
SHA1

f50ed9d66033353357224576efcb2666ba9b9821
SHA256

8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d
SHA512

e51e224e68ad37d25358d07dd2bd7fa021531130e6f3d1562a14119a6013538e444a1818969ea788c3df9e475c31b310d91a156a18b1d4c8796cadc1a3c2b2e6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRlGV:hDXWipuE+K3/SSHgxoV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2308	DEMC929.exe
2228	DEM1E5A.exe
2780	DEM7465.exe
2240	DEMC996.exe
2756	DEM1ED6.exe
1860	DEM74E2.exe

Loads dropped DLL 6 IoCs

pid	Process
1928	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe
2308	DEMC929.exe
2228	DEM1E5A.exe
2780	DEM7465.exe
2240	DEMC996.exe
2756	DEM1ED6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC929.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1E5A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7465.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC996.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1ED6.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2308	1928	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe	31
PID 1928 wrote to memory of 2308	1928	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe	31
PID 1928 wrote to memory of 2308	1928	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe	31
PID 1928 wrote to memory of 2308	1928	8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe	31
PID 2308 wrote to memory of 2228	2308	DEMC929.exe	33
PID 2308 wrote to memory of 2228	2308	DEMC929.exe	33
PID 2308 wrote to memory of 2228	2308	DEMC929.exe	33
PID 2308 wrote to memory of 2228	2308	DEMC929.exe	33
PID 2228 wrote to memory of 2780	2228	DEM1E5A.exe	35
PID 2228 wrote to memory of 2780	2228	DEM1E5A.exe	35
PID 2228 wrote to memory of 2780	2228	DEM1E5A.exe	35
PID 2228 wrote to memory of 2780	2228	DEM1E5A.exe	35
PID 2780 wrote to memory of 2240	2780	DEM7465.exe	37
PID 2780 wrote to memory of 2240	2780	DEM7465.exe	37
PID 2780 wrote to memory of 2240	2780	DEM7465.exe	37
PID 2780 wrote to memory of 2240	2780	DEM7465.exe	37
PID 2240 wrote to memory of 2756	2240	DEMC996.exe	39
PID 2240 wrote to memory of 2756	2240	DEMC996.exe	39
PID 2240 wrote to memory of 2756	2240	DEMC996.exe	39
PID 2240 wrote to memory of 2756	2240	DEMC996.exe	39
PID 2756 wrote to memory of 1860	2756	DEM1ED6.exe	41
PID 2756 wrote to memory of 1860	2756	DEM1ED6.exe	41
PID 2756 wrote to memory of 1860	2756	DEM1ED6.exe	41
PID 2756 wrote to memory of 1860	2756	DEM1ED6.exe	41

C:\Users\Admin\AppData\Local\Temp\8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe
"C:\Users\Admin\AppData\Local\Temp\8048c9a02745ad0e16347e5edf90f30abd3f8285b66e8cd9ecfdaf81c68f2a5d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\DEMC929.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC929.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\DEM1E5A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1E5A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\DEM7465.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7465.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\DEMC996.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC996.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\DEM1ED6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1ED6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM74E2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1E5A.exe

Filesize
14KB

MD5
d3e141fe6b371d68ad066f87c839088a

SHA1
5ce060e712b676013c2d1557bf87cc40ef6401ce

SHA256
bbdcd07fefb04bf8e5af34bee53f2e3d06018a5ea874f58c002d50c88e4d27e0

SHA512
abfa077f30d8d834f7385ffe3afbc2bb4fa361c5452d2e6fa9de132593114a3f62264155149ccd2f206838a94eacd6a3b39f2befb4525a228f077cae7950ecbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1ED6.exe

Filesize
14KB

MD5
f01262a8fd54968ffac6ed8b87930445

SHA1
4492598d7078d4d20146b02845def835725ab442

SHA256
cad833e975dcdddf197123dac8cd26eb6bcc1fbe5eae627e5f44f011403ac852

SHA512
828e81eb2430c0772374183290718ae48399c5393f75c6ab41eabd492e28478c3efbbb0bc6a6f4ada2079612ea07c93a981bc03af27d13b3caf2c6259b348f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC929.exe

Filesize
14KB

MD5
b7d0312dd820b8bd3e80baea73697da3

SHA1
f6d7303fb01a57418c70a7098939af219d8802c1

SHA256
864662e7e17a8748a8ee47138d81807d6902b3df93a2a11d6d0f99b51b396185

SHA512
fe9f2cd19f0d0555ee564536a261b0dbf41b2df4d76a525f0fbc016fa6bb1dff242432514ceee2800ed507cead0c65065526732e2bd09bdc9df7fc860a00d9cc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7465.exe

Filesize
14KB

MD5
97b28f25091a1a2f9319011c29404bca

SHA1
f38b39db509ad9c890662c28e55081d5ad020247

SHA256
570b4b55214e0aeda3a3fa4dcbb2f872db1c44b0ac69a132ad8ccb384928b9b6

SHA512
3c101839ee1030f56b7aff8f31409ff885564eda382f4e089a65dd50a7af6be50a8a75810f37b4b6665b7fcc5cc0e429b4ad0a0542b0d4ce0e0372c7b66d3f46

Download Submit
\Users\Admin\AppData\Local\Temp\DEM74E2.exe

Filesize
15KB

MD5
0308441878fec789c4eb25409f011372

SHA1
e93e42bcca79e99a75013d6ae2af62be2db8e10c

SHA256
0e0e52bdc354ecb4b38d0d9e57d87827406494a821fa426435bb2f64d8f8aae9

SHA512
4e48b46444dd28e7fbcd951b2dab3afe35bef72754c83c565567e6c260b83b11cad43d7aa0bafba7a9a4d929a2cc40c6aa311cc13f24fd270c74cfd577dcc914

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC996.exe

Filesize
14KB

MD5
46a6178ffa7ae930f7b20a6fc9176bde

SHA1
92d4cf57057e384562e0d29580f2e5246f9855d7

SHA256
5b884930d022d308c355ca2b770eeb5113095315708575225289d4bfc0af4872

SHA512
69c6cdc4549f3572245b3cef53c0554c742ed9189efbc3e3f6aa4c5417fcfa98fa39c36e7b8014f265c9ae046c198d722898e596b06706a338f4e5bd93dda4c4

Download Submit

Analysis

Sharing