3dbc7dc6b767c8ff13944cb3a642355999f5fe4b6db8ab339dad0273559834f3

General

Target

0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe
Size

20KB
MD5

6fca0d0c4e4230b1b5b00f49926367de
SHA1

4dfcf3082e6264c60ade4e523acd9a869c2c6977
SHA256

0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe
SHA512

45023de87ab048b3f5aa46f86499cdb1808ae609df786b0bbf9ed7c475736b2f74ee1864489ab3ad6a3130fa23a68b4d4fa805bd3229b0798895e1d0b15355fc
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4np:hDXWipuE+K3/SSHgxmHZnp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2700	DEMEC33.exe
2548	DEM4164.exe
2876	DEM9666.exe
844	DEMEBF4.exe
1888	DEM4192.exe
2964	DEM9702.exe

Loads dropped DLL 6 IoCs

pid	Process
2732	0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe
2700	DEMEC33.exe
2548	DEM4164.exe
2876	DEM9666.exe
844	DEMEBF4.exe
1888	DEM4192.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4192.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEC33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9666.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEBF4.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2700	2732	0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe	32
PID 2732 wrote to memory of 2700	2732	0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe	32
PID 2732 wrote to memory of 2700	2732	0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe	32
PID 2732 wrote to memory of 2700	2732	0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe	32
PID 2700 wrote to memory of 2548	2700	DEMEC33.exe	34
PID 2700 wrote to memory of 2548	2700	DEMEC33.exe	34
PID 2700 wrote to memory of 2548	2700	DEMEC33.exe	34
PID 2700 wrote to memory of 2548	2700	DEMEC33.exe	34
PID 2548 wrote to memory of 2876	2548	DEM4164.exe	36
PID 2548 wrote to memory of 2876	2548	DEM4164.exe	36
PID 2548 wrote to memory of 2876	2548	DEM4164.exe	36
PID 2548 wrote to memory of 2876	2548	DEM4164.exe	36
PID 2876 wrote to memory of 844	2876	DEM9666.exe	39
PID 2876 wrote to memory of 844	2876	DEM9666.exe	39
PID 2876 wrote to memory of 844	2876	DEM9666.exe	39
PID 2876 wrote to memory of 844	2876	DEM9666.exe	39
PID 844 wrote to memory of 1888	844	DEMEBF4.exe	41
PID 844 wrote to memory of 1888	844	DEMEBF4.exe	41
PID 844 wrote to memory of 1888	844	DEMEBF4.exe	41
PID 844 wrote to memory of 1888	844	DEMEBF4.exe	41
PID 1888 wrote to memory of 2964	1888	DEM4192.exe	43
PID 1888 wrote to memory of 2964	1888	DEM4192.exe	43
PID 1888 wrote to memory of 2964	1888	DEM4192.exe	43
PID 1888 wrote to memory of 2964	1888	DEM4192.exe	43

C:\Users\Admin\AppData\Local\Temp\0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe
"C:\Users\Admin\AppData\Local\Temp\0ecbb21e9c4fae1a66f217f3441975088e13f6418e7f15b9351fa2c705345bbe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\DEMEC33.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEC33.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\DEM4164.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4164.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\DEM9666.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9666.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\DEMEBF4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEBF4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
      - C:\Users\Admin\AppData\Local\Temp\DEM4192.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4192.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\DEM9702.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9702.exe"
        7⤵
        Executes dropped EXE
        
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4164.exe

Filesize
20KB

MD5
ac62d36391fe23914a346140288c7f09

SHA1
3b4fcdbd3d11c58b5eeba7950609595235c2af28

SHA256
cd5e6089d90294b6e2c7e8582c31e60d5b0cb8f98e63215d758e6eec3f626622

SHA512
8ca8455914433ec0d5493427ddc391bac4d90e872fe1b3bb6ba879c97cd1aeda95f05914faeaac263a773232cd0f2bd2b44c46e23935e06b3ec16302d99d0e6f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4192.exe

Filesize
20KB

MD5
208ba98be4e307a9095360ff258b4979

SHA1
e4e26922f27d339e5fea0670d1a376eca5efe24c

SHA256
e249919e141a86e43acc6500173623741e3aecec1242a2067ecc8545b9c802b5

SHA512
4eaa857e5852b89d946ae3167f97630fe00663e208d57a499f9ac3e11f8a73929ad6d1a4354a9904ef68794fbfafbfa5186ebd44212cf7a33149749645a7e549

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9666.exe

Filesize
20KB

MD5
71f90f40f065be68437cf0430332fdb1

SHA1
0264c0cbc98a49f2839b4629a12217d327249a7a

SHA256
99f6244ed96429ac238cd83e921cbaadadea3aa18fd182ebe620e177b360a8f2

SHA512
986f1e7d7d352d5429e1f2987aee78bad1d23d1e4480d7c5dfa3ba2ce70c35da981cf8ea7f4c57b0509fcc1f5a76f824e72e1755d87d6591a23415abfef0b3f0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9702.exe

Filesize
20KB

MD5
b2e94352339f78be377ffc903aeb3836

SHA1
6e9421b7ba64126c3daf1065ae9075956e27c647

SHA256
a0a2aa10af70a1549f953cdebe729e5c9dd3c92dc036a9d63c4baa9a1b7cc8d0

SHA512
64ee6cc68226c6791c8ab8952923f58b04129004e155662a6a1f4f9165285bc54130d59673745bade4cd5ba75829b1696f9640b99dafcf5efb2b8dd8b799528e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEBF4.exe

Filesize
20KB

MD5
c3dafb44bc6a25412894a0838b9bb4d9

SHA1
42ae3cf1a4251419ac799167cf51b161c76a7268

SHA256
2032c1b99e17a867aa9ce11633af5e7c4b6ea2b08be30ab83aba6be095f66231

SHA512
86b972e42402b8b0f8cd9fed27967ebeb17343b2ad78ac70f77d81960162844996cda38ba5fc6b4a0ae482b17b7f0e38be5186f6ac2371521692b4efd6a7f621

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEC33.exe

Filesize
20KB

MD5
d5d6e12ddd7291a75dc761a05ca215be

SHA1
d75fb85426a15374bd10bf59f4af75c2a28cc007

SHA256
05c1a6874becec7dc4d2d59127bbf62d2ae8f72690fb9b281650c480cad97aaa

SHA512
087ed1aec4397d5a24183b257922c36e4af76d693955fe53d989234973c071a153da5cb82912c51f170c9f53b03b06ddedb220ca73cbb2b8e12fab88bd126afa

Download Submit

Analysis

Sharing