5c3da119c0588c870d49872a630fc4c42245cad1f82bb7b2f8d50926c3024af4

General

Target

29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
Size

16KB
MD5

7dd7190f83497758e3b7ca572c20b94b
SHA1

bb9a93567d04e2df6365ba8f9f67044ba8941644
SHA256

29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714
SHA512

9398bf3decf0a6f899ada503069e060f03df682b43f4ac56830fed8e63056253d59f94648448076857a0163739d26218dd53b5298e8a52143aa6f2cee8017ea6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8iNJ:hDXWipuE+K3/SSHgxm8iNJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2756	DEM8621.exe
2636	DEMDB42.exe
2448	DEM30B1.exe
1912	DEM8611.exe
1948	DEMDBEE.exe
588	DEM312E.exe

Loads dropped DLL 6 IoCs

pid	Process
2972	29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
2756	DEM8621.exe
2636	DEMDB42.exe
2448	DEM30B1.exe
1912	DEM8611.exe
1948	DEMDBEE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDBEE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8621.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDB42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM30B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8611.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2756	2972	29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe	32
PID 2972 wrote to memory of 2756	2972	29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe	32
PID 2972 wrote to memory of 2756	2972	29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe	32
PID 2972 wrote to memory of 2756	2972	29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe	32
PID 2756 wrote to memory of 2636	2756	DEM8621.exe	34
PID 2756 wrote to memory of 2636	2756	DEM8621.exe	34
PID 2756 wrote to memory of 2636	2756	DEM8621.exe	34
PID 2756 wrote to memory of 2636	2756	DEM8621.exe	34
PID 2636 wrote to memory of 2448	2636	DEMDB42.exe	36
PID 2636 wrote to memory of 2448	2636	DEMDB42.exe	36
PID 2636 wrote to memory of 2448	2636	DEMDB42.exe	36
PID 2636 wrote to memory of 2448	2636	DEMDB42.exe	36
PID 2448 wrote to memory of 1912	2448	DEM30B1.exe	38
PID 2448 wrote to memory of 1912	2448	DEM30B1.exe	38
PID 2448 wrote to memory of 1912	2448	DEM30B1.exe	38
PID 2448 wrote to memory of 1912	2448	DEM30B1.exe	38
PID 1912 wrote to memory of 1948	1912	DEM8611.exe	40
PID 1912 wrote to memory of 1948	1912	DEM8611.exe	40
PID 1912 wrote to memory of 1948	1912	DEM8611.exe	40
PID 1912 wrote to memory of 1948	1912	DEM8611.exe	40
PID 1948 wrote to memory of 588	1948	DEMDBEE.exe	42
PID 1948 wrote to memory of 588	1948	DEMDBEE.exe	42
PID 1948 wrote to memory of 588	1948	DEMDBEE.exe	42
PID 1948 wrote to memory of 588	1948	DEMDBEE.exe	42

C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
"C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\DEM8621.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8621.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\DEM30B1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM30B1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\DEM8611.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8611.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\DEMDBEE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDBEE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\DEM312E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM312E.exe"
        7⤵
        Executes dropped EXE
        
        PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM312E.exe

Filesize
16KB

MD5
96d63b8cd74705bb799de8f2483831db

SHA1
0b3e9e045de5b9e0266bce4ef52e39cd11fc8ff1

SHA256
94c8ac898d7ef4020f2cc9f7df8380df43fa02ba2a4d33ce14ae55dc4608e06c

SHA512
e867c11b04750375624a8e040b4bb62b23f0eb663657b55ed7d691253b013c899fc8111ce733e1da87be3d0731225d3f957b10aa4b65e2fef48ee0048c72ee93

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8611.exe

Filesize
16KB

MD5
4fae22a8ccfecbcec3ec55108577a54e

SHA1
dda04bd83a805ffee961e8ff8741e6fd090cc097

SHA256
f7c686f54ef2e87f94770767cace4053bc050c61cc258a087268f269062d2b32

SHA512
2f48ecade4302caae3ef9d39ab387e71a9bdd9b963ae9330f5dda7f844805b07c72df4417ea9d29e7d610f7be475a59c1918c52b28cdcd1c9ca9bd33a534c788

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDB42.exe

Filesize
16KB

MD5
e8af483e237841356e04ab6a2eafb25b

SHA1
9604f4ce4d7b94b84039928b99737dfabb62f0f2

SHA256
a212cb3e765a306335a1ac0086192b70c08767875092c910bc68c9a628a0e20b

SHA512
bb554f0c2c86fc41496e1d993562dfa1dd65247a5eb9cec620e40576a20e1492089484898649ec5a72f62e14b6976c9f9aa3a69d1ddf26587ae1afba943dbbc3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM30B1.exe

Filesize
16KB

MD5
e1b04172c282619320530b50842bc311

SHA1
6e205e4e5b92a36b1df15bedcbd502e0125c72aa

SHA256
0bb87ddce03ab001e6a510a8ad088bde1dbe48828d401fe8338f9cd17ca4c4a1

SHA512
8e6e008e09ea594b766ae38e817a05a591219ee2c5dc0af7983a1018ebc01696b0fbe79faddd514914f8a29247b4b49b77813eed0820b0aa64cf46c9cf4004c9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8621.exe

Filesize
16KB

MD5
089cd5f9201d5c8e994e6c0d1cef5248

SHA1
032140efed2fc845fc6f13d1dc80e5381bd621cd

SHA256
e82632448ae11801fc454f55c712edb6ff8421c94ea6aef7f0e80a0caacff6f8

SHA512
901de05ecc00416f9ab2b8d9ca9ca465e9c6588155d93f83764db726054c285b105f605f51082701ce80c056999911aa7b26ab3610d3371673bf15b9ea5ac037

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDBEE.exe

Filesize
16KB

MD5
7db91464bebd461ae0af30d4f64e36d2

SHA1
1c170838be01c046783785dd59189a8349184998

SHA256
26ca0f2ec83aab33a77284ab169e20dd7d076266142ccde75cd350072083cbc9

SHA512
cd02d716fbeddbca1f12d5213c4a48e08d75cb6aeb1b4d20dc1348c83beabec52df17525ebf30162cda5b7baf0447728007bc20c84cd467e9963bbdfa96a4684

Download Submit

Analysis

Sharing