7adc97cf9381af4436a65c2b81133fa3875d2a15ab84274d4e75fa9cdcc812b6

General

Target

6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe
Size

14KB
MD5

c1dc82e8bccf41b3034319d13c6b17b9
SHA1

9c06a9ff8da37f825a20a3e59ec36c8f66f82f68
SHA256

6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d
SHA512

df8302a4c42c11688226bd78ce23cd5df1596607dddbcafd81d9b87060df29e508a960b6ba1904c52b415760330c5e368da7bb0d87f0657b6121ba4d92003c8d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYfQI:hDXWipuE+K3/SSHgxmfT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2760	DEM78E7.exe
2244	DEMCE57.exe
480	DEM2397.exe
1968	DEM78A9.exe
1052	DEMCE28.exe
2260	DEM2398.exe

Loads dropped DLL 6 IoCs

pid	Process
1824	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe
2760	DEM78E7.exe
2244	DEMCE57.exe
480	DEM2397.exe
1968	DEM78A9.exe
1052	DEMCE28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78A9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM78E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCE57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2397.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2760	1824	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe	32
PID 1824 wrote to memory of 2760	1824	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe	32
PID 1824 wrote to memory of 2760	1824	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe	32
PID 1824 wrote to memory of 2760	1824	6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe	32
PID 2760 wrote to memory of 2244	2760	DEM78E7.exe	34
PID 2760 wrote to memory of 2244	2760	DEM78E7.exe	34
PID 2760 wrote to memory of 2244	2760	DEM78E7.exe	34
PID 2760 wrote to memory of 2244	2760	DEM78E7.exe	34
PID 2244 wrote to memory of 480	2244	DEMCE57.exe	36
PID 2244 wrote to memory of 480	2244	DEMCE57.exe	36
PID 2244 wrote to memory of 480	2244	DEMCE57.exe	36
PID 2244 wrote to memory of 480	2244	DEMCE57.exe	36
PID 480 wrote to memory of 1968	480	DEM2397.exe	38
PID 480 wrote to memory of 1968	480	DEM2397.exe	38
PID 480 wrote to memory of 1968	480	DEM2397.exe	38
PID 480 wrote to memory of 1968	480	DEM2397.exe	38
PID 1968 wrote to memory of 1052	1968	DEM78A9.exe	40
PID 1968 wrote to memory of 1052	1968	DEM78A9.exe	40
PID 1968 wrote to memory of 1052	1968	DEM78A9.exe	40
PID 1968 wrote to memory of 1052	1968	DEM78A9.exe	40
PID 1052 wrote to memory of 2260	1052	DEMCE28.exe	42
PID 1052 wrote to memory of 2260	1052	DEMCE28.exe	42
PID 1052 wrote to memory of 2260	1052	DEMCE28.exe	42
PID 1052 wrote to memory of 2260	1052	DEMCE28.exe	42

C:\Users\Admin\AppData\Local\Temp\6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe
"C:\Users\Admin\AppData\Local\Temp\6ee3ad880ca165e955278b7b94a5853a1785eb181a1592dce318fde748c1648d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\DEM78E7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM78E7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\DEM2397.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2397.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:480
    - - C:\Users\Admin\AppData\Local\Temp\DEM78A9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM78A9.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\DEMCE28.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCE28.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\DEM2398.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2398.exe"
        7⤵
        Executes dropped EXE
        
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2397.exe

Filesize
15KB

MD5
71ca6461fb971b24814cd4e19d79180f

SHA1
9d80adcbfa86532f0ad5d7a437fc0f3602d50f8a

SHA256
6dcedf8ce43618052a98d093a28d0099abd132394b8718e32c5ffe982e12b7f1

SHA512
02172b3ee41e3bb77de8eef2c7571218606241f35d440f266675fa8c497e01238f673d93fc4f29bc3a04ed883babf1af2fd21f33bfe10effa8c5bedf58b4fe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCE57.exe

Filesize
15KB

MD5
44ae60c5be0565608929cb6a153939d8

SHA1
934c47693c2199eac9f6c75663e5d7c2ede74477

SHA256
abb01f1a1dfb21e3e61f6d5723879a4caaa246c76162a74b5c7989ccd84d6976

SHA512
44668bd897fb2546d6b539e2fa40f471063889222ee338d9e7b6058577e7bb058ad2682b6eb21bcacd2766768a3167c268f3fcf35a3bc0d3409d331b73f942de

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2398.exe

Filesize
15KB

MD5
e3b84742fdda5ebcda5a12d3c739ce97

SHA1
cd5abed0a565830ab9b890daf564a61e1761a39f

SHA256
72b66ee0b232180916ad86c7e2bf59a63f96f17c249851d4607674007e591424

SHA512
760484d75e9aaa404a485c3322aede16b686f12fb846473d19e116276154636e0c3e3cf1dc68eb5008b40bcc49cebfa08c51e69971f0b4ad9f692287792388aa

Download Submit
\Users\Admin\AppData\Local\Temp\DEM78A9.exe

Filesize
15KB

MD5
8a13ff4369dce46101b41dbaa7527278

SHA1
073d42d020fcf83ed82c5cb28dcc23830e66eee8

SHA256
df944df01e67e091dcba46be45efb34adb1bb244391778a578c14a7214468eed

SHA512
628f32f6edb2a1c74a141c99e9e4402d0ff7e3adf52bd474b2f6b0c9448d0c3657a6f10330864aef2f4f3ce6c07397def416084933eb7148c27295177e52e64e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM78E7.exe

Filesize
14KB

MD5
40fac4b6b6007d32b78b9bcc2693edff

SHA1
364f9e40429899b6e55ce4ce24e6ad254acd7a60

SHA256
db7efa096835ae62beac0f258ab0089a7bedd51b38f46250b3707684602f2c78

SHA512
bd63d33a5ae12d8e62c2fffa9b7f9c95861c072d4eb0bfded5c42f3623c7a4c48ddc67affd90d8808eb974bc284702c04c043618b9b0ac5efe3dad7e598444a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCE28.exe

Filesize
15KB

MD5
f8e212ecba3193d3a9d0f4fae65dc892

SHA1
2d8741e957dfa831f7b907ec5f1041fdb37934a6

SHA256
599a20a6a87a5ee0ea56477e05839e9af5e59bea2bf05610b495959c2090d399

SHA512
9b12ab75f814ec4989a0c1edac69d4b21144ce21ce50f42614a5283ad098e6c3ac45f51025a0ed5ffca5c0e0884abed31f56aaca4dd9ab9197d70f6e983eab44

Download Submit

Analysis

Sharing