84ddaa0591adf4afe5eebdb3a9dd22a50f46a200829afdb49875de9fd4f0bfcb

General

Target

1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe
Size

14KB
MD5

b88828bb90c23342fca74b2e0f7a8491
SHA1

12dee435022fa6e516eeb5281e47cd362844dbe9
SHA256

1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed
SHA512

16a39b324fc33a0b62603be60470bf75c9cb7fbde4ecd4ba2e717069a7f91423367c7370a6485828f0b1fdd1f52b2b8015a01de9a65e0810dbcf3274730eb1b7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJBX:hDXWipuE+K3/SSHgxmbX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2068	DEMB451.exe
2684	DEM9B1.exe
1404	DEM5F40.exe
1040	DEMB4CE.exe
1316	DEMA2E.exe
816	DEM5F7E.exe

Loads dropped DLL 6 IoCs

pid	Process
2484	1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe
2068	DEMB451.exe
2684	DEM9B1.exe
1404	DEM5F40.exe
1040	DEMB4CE.exe
1316	DEMA2E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB451.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5F40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB4CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA2E.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2068	2484	1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe	32
PID 2484 wrote to memory of 2068	2484	1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe	32
PID 2484 wrote to memory of 2068	2484	1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe	32
PID 2484 wrote to memory of 2068	2484	1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe	32
PID 2068 wrote to memory of 2684	2068	DEMB451.exe	34
PID 2068 wrote to memory of 2684	2068	DEMB451.exe	34
PID 2068 wrote to memory of 2684	2068	DEMB451.exe	34
PID 2068 wrote to memory of 2684	2068	DEMB451.exe	34
PID 2684 wrote to memory of 1404	2684	DEM9B1.exe	36
PID 2684 wrote to memory of 1404	2684	DEM9B1.exe	36
PID 2684 wrote to memory of 1404	2684	DEM9B1.exe	36
PID 2684 wrote to memory of 1404	2684	DEM9B1.exe	36
PID 1404 wrote to memory of 1040	1404	DEM5F40.exe	38
PID 1404 wrote to memory of 1040	1404	DEM5F40.exe	38
PID 1404 wrote to memory of 1040	1404	DEM5F40.exe	38
PID 1404 wrote to memory of 1040	1404	DEM5F40.exe	38
PID 1040 wrote to memory of 1316	1040	DEMB4CE.exe	40
PID 1040 wrote to memory of 1316	1040	DEMB4CE.exe	40
PID 1040 wrote to memory of 1316	1040	DEMB4CE.exe	40
PID 1040 wrote to memory of 1316	1040	DEMB4CE.exe	40
PID 1316 wrote to memory of 816	1316	DEMA2E.exe	42
PID 1316 wrote to memory of 816	1316	DEMA2E.exe	42
PID 1316 wrote to memory of 816	1316	DEMA2E.exe	42
PID 1316 wrote to memory of 816	1316	DEMA2E.exe	42

C:\Users\Admin\AppData\Local\Temp\1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe
"C:\Users\Admin\AppData\Local\Temp\1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\DEMB451.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB451.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\DEM9B1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9B1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\DEM5F40.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5F40.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\DEMB4CE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB4CE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Users\Admin\AppData\Local\Temp\DEMA2E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA2E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\DEM5F7E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5F7E.exe"
        7⤵
        Executes dropped EXE
        
        PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5F7E.exe

Filesize
15KB

MD5
8dc69cf7263f296d8959651974848712

SHA1
bf7cf42406cbf7f2a1f74140bd223c4f4200f761

SHA256
ceea2bb93dfd386dde30b4ea0030a27250096feca1777c9e3739b549ae797793

SHA512
c7dea0c84af45683cdf0c6d4da56659d0d97673cc776db5ef01e3f65aac56f83f4911f7b7b121201696a73122a211efb9db4fe57bf2c018ac129baebe2b7ee10

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B1.exe

Filesize
14KB

MD5
418c96ab97905c33b9911b20b2a13499

SHA1
bcba7fdee19f511057f5c560f3533af2cc67b65c

SHA256
ebab36315e1582afc596ab05b1bbb37d413f40f3b0f3f07d17c0f90f2fae9e17

SHA512
c17b0236293978528be78925daab4a060ca226a57c33a21a640513ae380ee53704917056467eef2cf78102fd22f31dad4527d5eacdf8b4a720a4ea25a2dbab83

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5F40.exe

Filesize
14KB

MD5
2d1dba6f147bbc04148e75507a97e9e3

SHA1
760741c99419ba1c579e122020722e4283837dd9

SHA256
481f4234b49b79c40f2c8bae111c6457468fca7824ff704f3dda1d626c0ab175

SHA512
0a4df8f82627dbd8dcc439178cb199f2fd7f65a651228af950eb15dd87069d6aac91606957c13a72649c1623245a67ed45e707cafc44bcea9ba52aeff307fb5e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA2E.exe

Filesize
14KB

MD5
a8af9bf948e8c73b6adcb11a14ad3eaa

SHA1
9657c39ddcc4760eb935893f60d33e08f0c471c3

SHA256
ad266e5457a441abf8f2669d23b8a9263b6f8cef2d0e615d4493fbd5305d2b73

SHA512
3af2d7fa06a708ee2caa691b458350f631bbc97ec70b46b4a7cee680f73b38c505f1ad661b45d59c7a13c804f7964f4d6bade20f047294dcaa1ebcd15019f535

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB451.exe

Filesize
14KB

MD5
2e31e6670c4490e5a5eeaea27b24db6c

SHA1
e14756868e0a9c23176b5bbb769546bc0c9c506d

SHA256
72ce77194a689cd69e32fdd18b39aec7edc9a7cec4eae2b691d615f19d4ae04b

SHA512
3119bbd87f92bcf141deadd69a6f626ef75423a5f9be1ceb2f96406bcbd1cdc77b0ba865c273346b6a4fe4116cffdec98a5cc899d26c32653bd2e006bc59dba2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB4CE.exe

Filesize
14KB

MD5
2b1b0db873310222cc995d8d428ac43d

SHA1
a08325a6c401c4d1b6d69e6c7b1d5b312e3b5b70

SHA256
9b401b78603a5960db7132168eabbc38e3ac8e637d904e39af365073459f4f33

SHA512
91559241898579fc5a57eb8b8b9f61bd40c4f115495267acf70cfb41fbcfb4241d1928bbf3cdb787fbd03af3ddb6c71ef1451920779520c3b3c42e15a5f69546

Download Submit

Analysis

Sharing