5fcfb6fde353c2ab6162b6a8bfa031406b84a931a33b050d4cea02064cf18b21

General

Target

1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe
Size

15KB
MD5

7882288d4d55b9ef88e18a8e4eaae9fa
SHA1

15896423031607b8631e0ae77f02766cc8741577
SHA256

1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b
SHA512

0e4ef0e0a03ea741f52f549a6b329017df12c7bcde5de41af3dad8a2d71edf50dfd65b7e154d7598c618e83027471d8787ce89126fa1cd51642bc91f53390b34
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnwCgr:hDXWipuE+K3/SSHgx/wCU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2576	DEME4A4.exe
2440	DEM39E5.exe
2520	DEM8F83.exe
944	DEME659.exe
1648	DEM3C07.exe
2864	DEM9212.exe

Loads dropped DLL 6 IoCs

pid	Process
2284	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe
2576	DEME4A4.exe
2440	DEM39E5.exe
2520	DEM8F83.exe
944	DEME659.exe
1648	DEM3C07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME4A4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM39E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8F83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME659.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C07.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2576	2284	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe	31
PID 2284 wrote to memory of 2576	2284	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe	31
PID 2284 wrote to memory of 2576	2284	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe	31
PID 2284 wrote to memory of 2576	2284	1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe	31
PID 2576 wrote to memory of 2440	2576	DEME4A4.exe	33
PID 2576 wrote to memory of 2440	2576	DEME4A4.exe	33
PID 2576 wrote to memory of 2440	2576	DEME4A4.exe	33
PID 2576 wrote to memory of 2440	2576	DEME4A4.exe	33
PID 2440 wrote to memory of 2520	2440	DEM39E5.exe	35
PID 2440 wrote to memory of 2520	2440	DEM39E5.exe	35
PID 2440 wrote to memory of 2520	2440	DEM39E5.exe	35
PID 2440 wrote to memory of 2520	2440	DEM39E5.exe	35
PID 2520 wrote to memory of 944	2520	DEM8F83.exe	37
PID 2520 wrote to memory of 944	2520	DEM8F83.exe	37
PID 2520 wrote to memory of 944	2520	DEM8F83.exe	37
PID 2520 wrote to memory of 944	2520	DEM8F83.exe	37
PID 944 wrote to memory of 1648	944	DEME659.exe	39
PID 944 wrote to memory of 1648	944	DEME659.exe	39
PID 944 wrote to memory of 1648	944	DEME659.exe	39
PID 944 wrote to memory of 1648	944	DEME659.exe	39
PID 1648 wrote to memory of 2864	1648	DEM3C07.exe	41
PID 1648 wrote to memory of 2864	1648	DEM3C07.exe	41
PID 1648 wrote to memory of 2864	1648	DEM3C07.exe	41
PID 1648 wrote to memory of 2864	1648	DEM3C07.exe	41

C:\Users\Admin\AppData\Local\Temp\1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe
"C:\Users\Admin\AppData\Local\Temp\1e82a1ab1f4053a3088c9daf615cacecac453333f167feee0dbc1e0bfb86559b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\DEME4A4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME4A4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DEM39E5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM39E5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\DEM8F83.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8F83.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\DEME659.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME659.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\DEM3C07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C07.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\DEM9212.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9212.exe"
        7⤵
        Executes dropped EXE
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM39E5.exe

Filesize
15KB

MD5
2ab1079e737f61805e9e9d232500d39a

SHA1
0bf324f4ad3b1179f5918737428599d007031738

SHA256
d1abe51911f8273c7d7c12cda9ef30fceeda8068b0568fe1e6dfdd4af1981bd0

SHA512
ac2f3ab95f2d0109cdfcb1cb4e4a92d8eef61d33477a37e40e30903fd0169b8b51e365f90bf80984eac8fa0b29166eab2b1847f20cf9449e9ea3183621230034

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3C07.exe

Filesize
15KB

MD5
336f5720c30e8cb0d6b97ebadd8c5d5c

SHA1
6a69ff48620f8eadbdd1942da8f3586499681eee

SHA256
b7c44119b8e39dd3f6eaffbf57924c5a34a220b247f2463e38c6cc45314cb5b5

SHA512
a103ebf2e5d6a3cd0d43b93fcc13ae9106cec1f0d41a08c3294b205f8e740c8a1bbc60ada793014d9e5222c184b91331e503d7c4027c593b45f0f7a4da2c5c84

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8F83.exe

Filesize
15KB

MD5
fccd6e10fc62421ff3bef93873a76ddd

SHA1
35d5fb19720e3633660ee107fcd28ab96ff569c1

SHA256
628ca72f45994930d1d0d5b9e8dfdbb0d150738799262e9168a574cd8eaf6f33

SHA512
69065faac7b18328070803e097e07c41742fded00a2fc223609973691931d062fcf2a34b32c545c503f123a513ca9179b891b019cdb1d65b96e9c48253f43457

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9212.exe

Filesize
15KB

MD5
3c833e537580460b451b4f5dcb9bab48

SHA1
cd6b033ca7b160b0e53ac629703d2db5d82c7620

SHA256
8ffdd9a9e50e80357d8ffd5451eaced02dba281a98b1669168e498f1af3c6144

SHA512
f5e2b531d10cb22c89073374613e8c44cc1d21765a95260e6ef163a6d37cef40976958feace2a18218cb6a68215d121b82f810ee026b96d8bf069a4e6ff78d49

Download Submit
\Users\Admin\AppData\Local\Temp\DEME4A4.exe

Filesize
15KB

MD5
216eb2f86b6c5da240736bc6198cd775

SHA1
8f16a000b8656d15a6526e394fea11b36abcfbc5

SHA256
00a974a9e45ff7dab45aebf7ae059213497e07f52853088b3da7e2e7613d5df9

SHA512
144bf2052c6f6e905d996efd213f9d8a4f611d0814f913f420da4b4f7c7e21b3845b7ff2cedaefe4c6b0a8fc40ca9c8af143a1d8522f7414ef613c478fbd77a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEME659.exe

Filesize
15KB

MD5
f93edebae586297bf9c9bd331405c86f

SHA1
c6c80d0f18e3c2d267fdc99859855173984df21b

SHA256
76985403a5697b0febb6193e9c91ebe40d3bdc3bafe4653547090aded18967e1

SHA512
e9a053ceacec23eed1b4081ba9dac42b9f46f861e40c37182ec907996631b56648a4bc2a94dc7da43e15af3590c5d2fe6397159c336ee73c86b34889ecc531f8

Download Submit

Analysis

Sharing