85a5da72c9f70afeed5bd8729f01d2e11ff6a4aa6cc288155b54f8fe6b5f0e6c

General

Target

7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe
Size

15KB
MD5

a2b031369fdf150f953a9ebb0b023436
SHA1

9469226820ab5540f2c2fba8543d2f3eabb2c17f
SHA256

7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595
SHA512

565cb3ef1a508bf9342d0ba74df664f728ee03742206ee74ebc4fbe093a9edb1bfd6a08baa4af40ad7fedb9dfbb7390c6e3489e8139941fbb44426d7a5744505
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6Qi:hDXWipuE+K3/SSHgxmyh6Qi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2648	DEM3C64.exe
2516	DEM9195.exe
604	DEME6A7.exe
2216	DEM3C36.exe
2240	DEM91F3.exe
1696	DEME762.exe

Loads dropped DLL 6 IoCs

pid	Process
2916	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe
2648	DEM3C64.exe
2516	DEM9195.exe
604	DEME6A7.exe
2216	DEM3C36.exe
2240	DEM91F3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9195.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME6A7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM91F3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C64.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2648	2916	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe	31
PID 2916 wrote to memory of 2648	2916	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe	31
PID 2916 wrote to memory of 2648	2916	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe	31
PID 2916 wrote to memory of 2648	2916	7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe	31
PID 2648 wrote to memory of 2516	2648	DEM3C64.exe	33
PID 2648 wrote to memory of 2516	2648	DEM3C64.exe	33
PID 2648 wrote to memory of 2516	2648	DEM3C64.exe	33
PID 2648 wrote to memory of 2516	2648	DEM3C64.exe	33
PID 2516 wrote to memory of 604	2516	DEM9195.exe	35
PID 2516 wrote to memory of 604	2516	DEM9195.exe	35
PID 2516 wrote to memory of 604	2516	DEM9195.exe	35
PID 2516 wrote to memory of 604	2516	DEM9195.exe	35
PID 604 wrote to memory of 2216	604	DEME6A7.exe	37
PID 604 wrote to memory of 2216	604	DEME6A7.exe	37
PID 604 wrote to memory of 2216	604	DEME6A7.exe	37
PID 604 wrote to memory of 2216	604	DEME6A7.exe	37
PID 2216 wrote to memory of 2240	2216	DEM3C36.exe	39
PID 2216 wrote to memory of 2240	2216	DEM3C36.exe	39
PID 2216 wrote to memory of 2240	2216	DEM3C36.exe	39
PID 2216 wrote to memory of 2240	2216	DEM3C36.exe	39
PID 2240 wrote to memory of 1696	2240	DEM91F3.exe	41
PID 2240 wrote to memory of 1696	2240	DEM91F3.exe	41
PID 2240 wrote to memory of 1696	2240	DEM91F3.exe	41
PID 2240 wrote to memory of 1696	2240	DEM91F3.exe	41

C:\Users\Admin\AppData\Local\Temp\7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe
"C:\Users\Admin\AppData\Local\Temp\7c423087c6d919f9224085bee9cd4c906d992513df77f91b0fd8b6616aae2595.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\DEM9195.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9195.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Users\Admin\AppData\Local\Temp\DEM3C36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C36.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\DEM91F3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM91F3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\DEME762.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME762.exe"
        7⤵
        Executes dropped EXE
        
        PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3C64.exe

Filesize
15KB

MD5
0a9f8375095507133726c7fcc3e4d0c2

SHA1
0412663ca416b0d6f2a5ec80582ae5167dee3677

SHA256
3e18606b25de011450874c067778aff309c5590d3b75fbc41cc0a5a721ca7b4d

SHA512
bfca718d97e477ab1b371f0de6e20795fae4a8068fb5e083505f039e23ac95392bb5be511861782eda52e1bf7063761589c6b5f1d6b494346318ae46e55a9f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9195.exe

Filesize
15KB

MD5
98a4548ea4f7e5a8635fceef9632f20e

SHA1
4a268d4850f2f034f0f6d1d552077c172b57bcfc

SHA256
9ce96d00ae7c6e8d354184f7266900d81628f8b5071f7c09c296926b719b6037

SHA512
756f002bdb13a9882314e6c2ea83caf4a80a109c304e93cdb7862edfa7b3e1237acc14f13bb75e43cc8cbf533447e08484a88598a7da9d11a343cbdb1f126cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91F3.exe

Filesize
15KB

MD5
47803f056d58468340d02636dda35a80

SHA1
67bc4a9a82efb96c29a72e5f7077acc6073bef58

SHA256
f75068def4d7d9511f772c59b9d34c89c73bd7047a71e447f2e5e53eb3dd1789

SHA512
72fc0201466f466fae58da1c50e50ee67f58c0f13b255652f98924770aa0f2acc32083284797127d4db8c9ba94ef0757b38361416c1a71e2d26a2207d06bed05

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME762.exe

Filesize
16KB

MD5
2f04d649d7d767c02a0eaa6d32a4d738

SHA1
6221215d028f02277fd3a9582b50514f78874ad1

SHA256
d977cb86c65a53290c16faad2747c11193ed6cf5cdbc32d2d118d7fa1bd4d79b

SHA512
eb412133ff6575d99f99d2ac45a77251fbbe8002dc71ff3b58072df8137df3cfa14536ba409071b9fe8f34e1b2fbbfd37dc18daebfa5ef8c7913a95033d83cae

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3C36.exe

Filesize
15KB

MD5
ca5657af5084912627ba55bb896a2f0f

SHA1
eab1bcef659c3edfa2d2561808ff8e18902f7d01

SHA256
63fd9d51c94ea16f2d29011665dcda454acc326b8ee9ea537543a162c2545dd5

SHA512
634981e7f5d192304047749b0880274f0da7c4b56193c555c80ac4d8741319bcbcc402cb6e3c62456c0b734bf5b310c66c14203e49689a3b4697438a148d1e9f

Download Submit
\Users\Admin\AppData\Local\Temp\DEME6A7.exe

Filesize
15KB

MD5
7de88acb9eb8c8c6e7a6cffe0369e84d

SHA1
a3ab4e2c7f5628271b79ff9235a3b4fefc5c3e66

SHA256
46a6e72600c567f814f0fd8a23f6dff4041903d5e787b644701911fcb9c33600

SHA512
76eb927284d2897d6993c00c1f24f75e08adc344a8b2a56a75ec5500e194be2acbcdd9ded834268dda2ec89627fa4f5ce8443d132385c40dcce98e306c86af1f

Download Submit

Analysis

Sharing