59acebb25b4bce56b543ea09fa37e086078d1b06732e75ac22e96cfabf4fd4a8

General

Target

c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe
Size

14KB
MD5

916d4798cea5abdb517c3b2626c2548b
SHA1

379d8f375af374b6802fb97f4b89f6cc25724acb
SHA256

c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a
SHA512

624206f4cd40405827c4baff881132bd9f3b99849916b15987a447d970adf154c1fc8f563753acbd1543d7bb7f0033bb1067f0f0ba6308d66dd7b77faa39dc5e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0J0N:hDXWipuE+K3/SSHgx4CN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2772	DEM898A.exe
2988	DEMDF28.exe
2836	DEM34A7.exe
2976	DEM8AD2.exe
1848	DEMDFE4.exe
1652	DEM3553.exe

Loads dropped DLL 6 IoCs

pid	Process
2504	c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe
2772	DEM898A.exe
2988	DEMDF28.exe
2836	DEM34A7.exe
2976	DEM8AD2.exe
1848	DEMDFE4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM898A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDF28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM34A7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8AD2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDFE4.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2772	2504	c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe	32
PID 2504 wrote to memory of 2772	2504	c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe	32
PID 2504 wrote to memory of 2772	2504	c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe	32
PID 2504 wrote to memory of 2772	2504	c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe	32
PID 2772 wrote to memory of 2988	2772	DEM898A.exe	34
PID 2772 wrote to memory of 2988	2772	DEM898A.exe	34
PID 2772 wrote to memory of 2988	2772	DEM898A.exe	34
PID 2772 wrote to memory of 2988	2772	DEM898A.exe	34
PID 2988 wrote to memory of 2836	2988	DEMDF28.exe	36
PID 2988 wrote to memory of 2836	2988	DEMDF28.exe	36
PID 2988 wrote to memory of 2836	2988	DEMDF28.exe	36
PID 2988 wrote to memory of 2836	2988	DEMDF28.exe	36
PID 2836 wrote to memory of 2976	2836	DEM34A7.exe	38
PID 2836 wrote to memory of 2976	2836	DEM34A7.exe	38
PID 2836 wrote to memory of 2976	2836	DEM34A7.exe	38
PID 2836 wrote to memory of 2976	2836	DEM34A7.exe	38
PID 2976 wrote to memory of 1848	2976	DEM8AD2.exe	40
PID 2976 wrote to memory of 1848	2976	DEM8AD2.exe	40
PID 2976 wrote to memory of 1848	2976	DEM8AD2.exe	40
PID 2976 wrote to memory of 1848	2976	DEM8AD2.exe	40
PID 1848 wrote to memory of 1652	1848	DEMDFE4.exe	42
PID 1848 wrote to memory of 1652	1848	DEMDFE4.exe	42
PID 1848 wrote to memory of 1652	1848	DEMDFE4.exe	42
PID 1848 wrote to memory of 1652	1848	DEMDFE4.exe	42

C:\Users\Admin\AppData\Local\Temp\c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe
"C:\Users\Admin\AppData\Local\Temp\c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\DEM898A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM898A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\DEMDF28.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDF28.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\DEM34A7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM34A7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\DEM8AD2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8AD2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\DEMDFE4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDFE4.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\DEM3553.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3553.exe"
        7⤵
        Executes dropped EXE
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMDF28.exe

Filesize
14KB

MD5
5a92f693aed15f1d5e00298edb5a0b59

SHA1
d16e186d5d82c579b18535456642dc1bcfe27d48

SHA256
0a3e286d6f0464094d0af232cbd4dfa8609d8c9e7e3c05b83008ec4d6171756c

SHA512
415a676ac7ccf75071ae116b9ae97bf660eba33a41b958d51267e6e3c4f8143dbb5af75b04ad8130bdb5cd52038c1480ad157bbdcfafeb331f2c08b2edfcf264

Download Submit
\Users\Admin\AppData\Local\Temp\DEM34A7.exe

Filesize
14KB

MD5
16b289fd72f43eb9fad280c297257eee

SHA1
cd2f910f26001563faf55609eb61ccd49c5b6a5b

SHA256
911a2a900efcc89c497da55cb4829e28d8de194ed8f6f121be8d23d85755970e

SHA512
f104e3a693c43211bc799c9eb286cdae89cd56d5ddd5d683ae9f9241744bd5e26944b04f1b761c087b94ad60cde08be728435ae4fa0c75d4be650ae5c1ebd852

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3553.exe

Filesize
14KB

MD5
9d6d372e09ab2c1d336d812b12fe7d2b

SHA1
82688211116fb95b0754a1bcd478fb14bef0a28b

SHA256
0bff0ea560d0401c7b1b75bba38e7ea57636f833814cc2d460d9abd2e0447759

SHA512
f1540e67fae1cf13fb5b94ae1a1adff1462a3baa420929f78b42316a649fbd685c17e8af5f3414a0b7c6186e44eee2ebb3d9e6a438e5ceef6ffcc1dc0c53f9ff

Download Submit
\Users\Admin\AppData\Local\Temp\DEM898A.exe

Filesize
14KB

MD5
97c33a2f13ad15b70cacf35ac8328428

SHA1
563839bb05388bdb5c09856c0bb2d5217198a84c

SHA256
ccc14c0dfdb142aacecaf1ff460aad922211ecdf0cc04d7d373e574410413694

SHA512
34b759a081285fb68071a53482de0fa9fd744304376ae6dbaf9604bacf3a723c8f1dc321fe0501d0afa4fb2c1d1bd754c59cc38b8a34d147c9ccfbd4754d48bb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8AD2.exe

Filesize
14KB

MD5
5309abaa7ec33a42121a1ba62be58c4d

SHA1
98a1f086eeefcab66cf61428ba54a72f90175143

SHA256
ac4b796ac7abded5258babc2989f2b7933f129635aea79ae4dfc713d788c25e1

SHA512
84c456753fa829c6edc461ef40473dac8909cde30e835b436b0ee6d0f1fd5e699ef07e4c40ea84d605895ae531051e9c73012589be4ceec15b1e69f9f7f2c504

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDFE4.exe

Filesize
14KB

MD5
a9082509f99fad939e006b7479670aed

SHA1
80e5c4334f4991ffc924e740f0f94f6fbfe222a4

SHA256
4976483ded3de7a05ee1009e735be0cecc8305736ae1d26b4ca2d44013e4d944

SHA512
9cb6bd9d5d807f2bd6674759d81c683a8572d9cfdd33fe5d5bf557aef2ed9c6f5efe0f374405f86ebaf247bd06492adf0dda21af1ac3775582efb6d84c836885

Download Submit

Analysis

Sharing