9267520d1efe487124075b3e074ae45d0b2c3e9021d7d2ea9acea91dbc242b2f

General

Target

994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe
Size

15KB
MD5

2fa26120f865878128b70f3f1b6de013
SHA1

2b60ccab8333bdc71ccd9c2d537d189ad29b5cac
SHA256

994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc
SHA512

21cb0b6bb3d8e6851481205fd63f153c83317ded26fcff0161295b06fcb40bb3cf29c627ef69ded89447cbd2ed3131dc7edb68fd98927d6e879b6ca2fc858a5f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwJ:hDXWipuE+K3/SSHgx/wJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1788	DEM865F.exe
2732	DEMDBDE.exe
2328	DEM311E.exe
2592	DEM8640.exe
2940	DEMDBBF.exe
2228	DEM30D0.exe

Loads dropped DLL 6 IoCs

pid	Process
2976	994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe
1788	DEM865F.exe
2732	DEMDBDE.exe
2328	DEM311E.exe
2592	DEM8640.exe
2940	DEMDBBF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDBDE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM311E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDBBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM865F.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1788	2976	994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe	32
PID 2976 wrote to memory of 1788	2976	994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe	32
PID 2976 wrote to memory of 1788	2976	994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe	32
PID 2976 wrote to memory of 1788	2976	994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe	32
PID 1788 wrote to memory of 2732	1788	DEM865F.exe	34
PID 1788 wrote to memory of 2732	1788	DEM865F.exe	34
PID 1788 wrote to memory of 2732	1788	DEM865F.exe	34
PID 1788 wrote to memory of 2732	1788	DEM865F.exe	34
PID 2732 wrote to memory of 2328	2732	DEMDBDE.exe	36
PID 2732 wrote to memory of 2328	2732	DEMDBDE.exe	36
PID 2732 wrote to memory of 2328	2732	DEMDBDE.exe	36
PID 2732 wrote to memory of 2328	2732	DEMDBDE.exe	36
PID 2328 wrote to memory of 2592	2328	DEM311E.exe	38
PID 2328 wrote to memory of 2592	2328	DEM311E.exe	38
PID 2328 wrote to memory of 2592	2328	DEM311E.exe	38
PID 2328 wrote to memory of 2592	2328	DEM311E.exe	38
PID 2592 wrote to memory of 2940	2592	DEM8640.exe	40
PID 2592 wrote to memory of 2940	2592	DEM8640.exe	40
PID 2592 wrote to memory of 2940	2592	DEM8640.exe	40
PID 2592 wrote to memory of 2940	2592	DEM8640.exe	40
PID 2940 wrote to memory of 2228	2940	DEMDBBF.exe	42
PID 2940 wrote to memory of 2228	2940	DEMDBBF.exe	42
PID 2940 wrote to memory of 2228	2940	DEMDBBF.exe	42
PID 2940 wrote to memory of 2228	2940	DEMDBBF.exe	42

C:\Users\Admin\AppData\Local\Temp\994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe
"C:\Users\Admin\AppData\Local\Temp\994508210025407f04c068a84bbb7b253995bee154fc00958fa7ce0bd8fe14dc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\DEM865F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM865F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\DEMDBDE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDBDE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\DEM311E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM311E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\DEM8640.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8640.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\DEMDBBF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDBBF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\DEM30D0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM30D0.exe"
        7⤵
        Executes dropped EXE
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMDBDE.exe

Filesize
15KB

MD5
caf7aec17c33d281894612efec689014

SHA1
b1d91f2478c2c9b1c335d3c68898915e29f9a2a2

SHA256
82561fb440b210ba76609f9cf1b833e1d556e64093858d09a0322b7fbc84e69c

SHA512
a6775a5c87266ee216e3b05866b5ba9bbc3350c1af983307379cd87f623ba570d71d1d43a2e8440f03496cc2cf5eebc1ccb8a1912bf25d464ab2bd4f87243e4f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM30D0.exe

Filesize
15KB

MD5
3796002f91f4820b733aa9eceabb9dc8

SHA1
36218d36aa9cb48b37d3526a29c23829151f6968

SHA256
3ae5e628d235430554599f8c86dfbc143b04b92567da24f7340b7250e5e9b71c

SHA512
e07c70a9c2c96937403755722141605b918c762bfc634635766754f7a6338b005ccfa112185751f26b1b4ed57bc28a44d1e2ac6b53e7c9717599253fbca439a0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM311E.exe

Filesize
15KB

MD5
bca231ce7587a42a8f8253244cef410c

SHA1
95b3051b8851817a54dafcfcdb4a2120070d05c7

SHA256
30f65a90b2e611d39053a1d27a6d104d969abdad1b9f5bec457b9bb48dcb65d9

SHA512
3a9c363480519fe2c532911eab3f577111179f7c041a23c45939dc79c60ff0e4d730132a8edbc4b496a0893aaed43352456bd624595a1b2cae5bcd8f4e4b7d5d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8640.exe

Filesize
15KB

MD5
57b88af9c7b5debf89e3b73b2ce7427f

SHA1
41ceda7c1d46e0ada14e36ed708dfa1c1a49368f

SHA256
f0bc9e23c3edb2be86fb4cb07d749961ca6bb74a15caa5ef53a1c8559ff09123

SHA512
2f068980095f7cca2f59103a881be45fa44d3e62f36b35b7b3d72246d366bdfb0e945168d49f845ef504a0305fa4174a66b19675c8ef2c43b95a03347d60e52a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM865F.exe

Filesize
15KB

MD5
e9b4a776f260ef03c95ce4db14a4fd06

SHA1
6f7e81d8da5684e9487e1f8567eef16e6830254d

SHA256
d04cef3e432e7e523eb6915aaea70411922435a03a6ae9fe9833fc92c4eb4306

SHA512
7c77c4a0fb5e168c49656e855e044fcfe92333305fd6efb684c7002f9eea9bd06a996ebfe58fc2a449a97befc6e26c90cddd24032f89743423d9cb312624d1be

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDBBF.exe

Filesize
15KB

MD5
9ab997efce8998dcad1d39007698de7b

SHA1
6598e9f7203a3a4b11ad6a5272251740a1283a07

SHA256
22ffca2a101b0715ea5c3fc2d4175a680d03568f5b2409a79ded2edadaaeffe1

SHA512
d33cabe74e9fbccc403a651a49f11417ee9b6aafb1efa880954ff648bfa3cc08ac7c6510f95f8806176f594ba5e18909df207406efbc8035bbbac5cae2a1ea0a

Download Submit

Analysis

Sharing