c548fce4988535a63951bbb50b32ec4ed43ce6b148b281711b30172455f22ee3

General

Target

9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe
Size

14KB
MD5

ec1f2785283bff449a44f590c6086ac4
SHA1

2d8724f981e87eea644b3e9199dd5a55f43ee35f
SHA256

9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193
SHA512

dee709041c9c19b791d0fcfa56dbddd6e311979f8c54a060985d528dfa5dc2661a45e445e8f529fb21f054766f2a661d1e49877c12434fe1acd17a964eca451b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYfQw:hDXWipuE+K3/SSHgxmf7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2148	DEMAEC6.exe
1956	DEM435.exe
2756	DEM5937.exe
2628	DEMAE68.exe
2912	DEM3C8.exe
1084	DEM58E9.exe

Loads dropped DLL 6 IoCs

pid	Process
1644	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe
2148	DEMAEC6.exe
1956	DEM435.exe
2756	DEM5937.exe
2628	DEMAE68.exe
2912	DEM3C8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAE68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAEC6.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2148	1644	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe	31
PID 1644 wrote to memory of 2148	1644	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe	31
PID 1644 wrote to memory of 2148	1644	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe	31
PID 1644 wrote to memory of 2148	1644	9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe	31
PID 2148 wrote to memory of 1956	2148	DEMAEC6.exe	33
PID 2148 wrote to memory of 1956	2148	DEMAEC6.exe	33
PID 2148 wrote to memory of 1956	2148	DEMAEC6.exe	33
PID 2148 wrote to memory of 1956	2148	DEMAEC6.exe	33
PID 1956 wrote to memory of 2756	1956	DEM435.exe	35
PID 1956 wrote to memory of 2756	1956	DEM435.exe	35
PID 1956 wrote to memory of 2756	1956	DEM435.exe	35
PID 1956 wrote to memory of 2756	1956	DEM435.exe	35
PID 2756 wrote to memory of 2628	2756	DEM5937.exe	37
PID 2756 wrote to memory of 2628	2756	DEM5937.exe	37
PID 2756 wrote to memory of 2628	2756	DEM5937.exe	37
PID 2756 wrote to memory of 2628	2756	DEM5937.exe	37
PID 2628 wrote to memory of 2912	2628	DEMAE68.exe	39
PID 2628 wrote to memory of 2912	2628	DEMAE68.exe	39
PID 2628 wrote to memory of 2912	2628	DEMAE68.exe	39
PID 2628 wrote to memory of 2912	2628	DEMAE68.exe	39
PID 2912 wrote to memory of 1084	2912	DEM3C8.exe	41
PID 2912 wrote to memory of 1084	2912	DEM3C8.exe	41
PID 2912 wrote to memory of 1084	2912	DEM3C8.exe	41
PID 2912 wrote to memory of 1084	2912	DEM3C8.exe	41

C:\Users\Admin\AppData\Local\Temp\9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe
"C:\Users\Admin\AppData\Local\Temp\9f30cd4d40e15496b6c3c8640e54d66607f233bb7f8ea42c014e25659ce31193.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\DEM435.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM435.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\DEM5937.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5937.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\DEMAE68.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAE68.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\DEM3C8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C8.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\DEM58E9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM58E9.exe"
        7⤵
        Executes dropped EXE
        
        PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3C8.exe

Filesize
14KB

MD5
0c50d0bec4f4b7e06f87fd01192a68be

SHA1
7ff382317055a65e073db8a940327c0e35a7e65b

SHA256
d418f6c46c54d64a0da9893136b63d16ffe58e017473573b0d71fa20c10cc02c

SHA512
e70c5dde41749fd943c021599331ddab954553af531af2e715c7cd011bc92d18413d33b72ab2406bc1c86cd0098859e932b0608d65fb97bd44afaa58151d16ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM435.exe

Filesize
14KB

MD5
985a297b766a50d545b0ddb43cc6d576

SHA1
d2d2cfca1810e206f664e68145c43bdb4350eadc

SHA256
bf2d7a1d0c7861ee73146dad48302c708daf7e9e615cd5ea44968428e78bd788

SHA512
6940f18f23a5aa3f9571eded7281cc5d200edadfe47c6b76063732cd2ad2eae6ca6480d4778621befedd7abfbc3f681cc28272439070a7bbecf3ce245caf4e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM58E9.exe

Filesize
15KB

MD5
5dfc9c38829b74ae006905d4b15ba91f

SHA1
082399c1d73cc35cef3eea252fb2be12b4a0aace

SHA256
9f363138196ba658d1d1060b4194b9d4b655bb807267682045dbd6ee4591d601

SHA512
cbdbecdef1d05cd601b16cc7bd2af7d79d8c3f5bcd69fd134427a6d8a67523ad5e40bf986a702137e464783b7015eeb464675accc240d27463f226d6678c7455

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5937.exe

Filesize
14KB

MD5
543e23ec22cdacb7b90b57a72d2db4c6

SHA1
6b43f85cbdea5d544f48c6640d05baa2ea10a1e7

SHA256
9a3e64faacb15d717529905d870f9e834edea9c27e180e2cbae60173a59d4a24

SHA512
e98530eefdb88b1d6b8cd844a3987f065e032b0ff54393b1c06fea1cdbfbac1370e73570cad60c1b8c3d4d5fa53136b2297c2911d4864a3ad68e8bdc4befc204

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAE68.exe

Filesize
14KB

MD5
9fde1215804013ca99d9d4d340419475

SHA1
e63e440d9d8c05d6c37efc7bf97990587705d6bd

SHA256
d0764087ffe37b12bc9d7d769d083b4ce0fa5917ea8c42a5a8b155bf71f336c4

SHA512
dea3688ba389f09cd89f34f7332eee89ecbc14afc97a66491adc2113fc06155f8586ad9761f263f4ad746e5122efafb4aa0ea2d72c441571473aa3ff4e23cd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe

Filesize
14KB

MD5
94ba415e6ccd0bd56adfd2092b428208

SHA1
0507ea8ce98aedaf7b442d6c64c650855234c527

SHA256
dc4b8bd2013f930ac597f0729224325a9acfb9edff38ae485ae1500826d8a545

SHA512
9eea0f403919fe7490c704b63453816a12d68445f4ee275c4afda11771f1e0baab9135356fd71854b0817de28b885a15b3ac7dd9e90254402d4992cd0717a378

Download Submit

Analysis

Sharing