b78c8cdb190cde07aa1ada00865db6cea8341e32eda1e0d21ef7bda41ccc4e42

General

Target

683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe
Size

15KB
MD5

55b99d089bd440a2a1595e504d4216bb
SHA1

1c192f2534acc7a25f286cbda164419e5f0a1d83
SHA256

683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0
SHA512

8444fd47df99212ef0a5e9ed405f65b41bf4cf7beb97a01b19861f9b55e8dbe21223365017ec61405941c71c502168758409b6e2d4a489ecfbbb2bc8ce33e25c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cn/F:hDXWipuE+K3/SSHgx//F

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2588	DEM259A.exe
2624	DEM7B29.exe
2368	DEMD079.exe
748	DEM25F8.exe
1064	DEM7B19.exe
2132	DEMD05A.exe

Loads dropped DLL 6 IoCs

pid	Process
2980	683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe
2588	DEM259A.exe
2624	DEM7B29.exe
2368	DEMD079.exe
748	DEM25F8.exe
1064	DEM7B19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM25F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7B19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM259A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7B29.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2588	2980	683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe	31
PID 2980 wrote to memory of 2588	2980	683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe	31
PID 2980 wrote to memory of 2588	2980	683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe	31
PID 2980 wrote to memory of 2588	2980	683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe	31
PID 2588 wrote to memory of 2624	2588	DEM259A.exe	33
PID 2588 wrote to memory of 2624	2588	DEM259A.exe	33
PID 2588 wrote to memory of 2624	2588	DEM259A.exe	33
PID 2588 wrote to memory of 2624	2588	DEM259A.exe	33
PID 2624 wrote to memory of 2368	2624	DEM7B29.exe	35
PID 2624 wrote to memory of 2368	2624	DEM7B29.exe	35
PID 2624 wrote to memory of 2368	2624	DEM7B29.exe	35
PID 2624 wrote to memory of 2368	2624	DEM7B29.exe	35
PID 2368 wrote to memory of 748	2368	DEMD079.exe	37
PID 2368 wrote to memory of 748	2368	DEMD079.exe	37
PID 2368 wrote to memory of 748	2368	DEMD079.exe	37
PID 2368 wrote to memory of 748	2368	DEMD079.exe	37
PID 748 wrote to memory of 1064	748	DEM25F8.exe	39
PID 748 wrote to memory of 1064	748	DEM25F8.exe	39
PID 748 wrote to memory of 1064	748	DEM25F8.exe	39
PID 748 wrote to memory of 1064	748	DEM25F8.exe	39
PID 1064 wrote to memory of 2132	1064	DEM7B19.exe	41
PID 1064 wrote to memory of 2132	1064	DEM7B19.exe	41
PID 1064 wrote to memory of 2132	1064	DEM7B19.exe	41
PID 1064 wrote to memory of 2132	1064	DEM7B19.exe	41

C:\Users\Admin\AppData\Local\Temp\683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe
"C:\Users\Admin\AppData\Local\Temp\683d8463572854b6e70a7416832bb07ed303cc06b445bd94b0f149cf6161c0a0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\DEM259A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM259A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\DEM7B29.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7B29.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\DEMD079.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD079.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\DEM25F8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM25F8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Users\Admin\AppData\Local\Temp\DEM7B19.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7B19.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\DEMD05A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD05A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7B19.exe

Filesize
15KB

MD5
9e8b98d8252b2d74f4bb0439da80dcca

SHA1
bca1f319b494abc8160a142f652ca49d45323d43

SHA256
c358ec570de9303e6dd1328f3539dfc4e7a1dcdf95ec02712bf6a94ab0746cc4

SHA512
e807fcd092d095a779b1806981c1b845bab7057eac370a6ecbc9769e0bbcd2c4e6630b369ad3476daa987ec20e50c234733e8b298785056bd3bb6f255e5cea6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7B29.exe

Filesize
15KB

MD5
f8f793c2fb6d3f90b07e3647fdb34597

SHA1
1256f7242f71ea5cb0c26336692b2211129143e9

SHA256
62ef5f92955f590e89972bfcdd738d88fde43d64e33cfc60a4bca3e83b3b82db

SHA512
767b7d0752b5e7b412f4dd1aedceb1ae7ae34f6683b9de6cef96d8bed554062cc7df18cc6de8e4d695c9df77f39cbefb7ba969fd028c77eab78f47ff0d364079

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD05A.exe

Filesize
15KB

MD5
9391d7e39a1e5c694be7566e2f848173

SHA1
3372585b852237a2711dccae4c3ed0e04f14bb0d

SHA256
247ddc84b03ef29700cc0788184e5a6725bd00cd80f9c3aeb86bf5e6f6b008cf

SHA512
77ec01a1349a04e89abe94117f58ee875835334c159969399eeebe4878851a92d737e9995907bf2f5fe12900f5901a0fc566965dd5cd4956e32643f89a5f9541

Download Submit
\Users\Admin\AppData\Local\Temp\DEM259A.exe

Filesize
15KB

MD5
bb377eb0b2e2bd97a9f66868e6d2b1f3

SHA1
af44b9cb7990db02e92dfed980ed09247956c2f7

SHA256
4e91bef7c3b05d03987fbdf1d54206dde784d62297e9440bbdb58cd403c5823f

SHA512
7746e216a7fa93ad17d3f6db3fd112cb99bbd674175634bbec47c68d9a42b21bd0d0c1e858b9ba09cdf2186b2b528afd9da845f4eb584d4ce5f4318516425662

Download Submit
\Users\Admin\AppData\Local\Temp\DEM25F8.exe

Filesize
15KB

MD5
79b2b114cdf9458783004ce3ae946b67

SHA1
48755bdf4c3c3438b70156225fa8d4230aa7b9c4

SHA256
9d0d889feb724bbe856b5cce84e52dc96b676a01b6a5780fa24bf2d4ffaaac81

SHA512
b8a1542fc93aaf8bdcac9aa3e34cfe86ac90247eed3724f5b976bb22672b0ab3fdb1ef6306c33901bcbd94bf1da22cdaa436a3b8652f2b8bda86e6d6bd5b8a22

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD079.exe

Filesize
15KB

MD5
2c7fea8292919cf7826a46b544a060a3

SHA1
9fd074317b640a2e5eb88fa23a4f4000c3fc926e

SHA256
4f25dfc255ad098f6c7b8a642e2ebca78c816b22190b57042a27d89985835528

SHA512
7befc00b41bd735181eaf0f863dc364b00e0e76191dc38310f162601e8d15ae948a59f1c2a4579e20a63e135cafb82a942a12b6fe1a831a2c1186073853f75e3

Download Submit

Analysis

Sharing