61e3ddd38d6b6f9e6415589e268d2f8218f89e4814589e38ab776bc5492c8af4

General

Target

daef9ce0d9d1d1e65bb642e8612816c0N.exe
Size

15KB
MD5

daef9ce0d9d1d1e65bb642e8612816c0
SHA1

a965ed4e91d531dbd9914e83d12209ed3a0ce002
SHA256

61e3ddd38d6b6f9e6415589e268d2f8218f89e4814589e38ab776bc5492c8af4
SHA512

eb554a7e73f67c94e5d51820813baea7c8c24850de533f75541279df88e3df88f7732e7a304e884e16d26e93478962cb2ad70967433efabbb19b3626779465a4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYls:hDXWipuE+K3/SSHgxmls

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1704	DEMF00A.exe
2916	DEM45A8.exe
756	DEM9AD9.exe
2584	DEMF038.exe
2928	DEM454A.exe

Loads dropped DLL 5 IoCs

pid	Process
676	daef9ce0d9d1d1e65bb642e8612816c0N.exe
1704	DEMF00A.exe
2916	DEM45A8.exe
756	DEM9AD9.exe
2584	DEMF038.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daef9ce0d9d1d1e65bb642e8612816c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF00A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM45A8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9AD9.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 1704	676	daef9ce0d9d1d1e65bb642e8612816c0N.exe	31
PID 676 wrote to memory of 1704	676	daef9ce0d9d1d1e65bb642e8612816c0N.exe	31
PID 676 wrote to memory of 1704	676	daef9ce0d9d1d1e65bb642e8612816c0N.exe	31
PID 676 wrote to memory of 1704	676	daef9ce0d9d1d1e65bb642e8612816c0N.exe	31
PID 1704 wrote to memory of 2916	1704	DEMF00A.exe	33
PID 1704 wrote to memory of 2916	1704	DEMF00A.exe	33
PID 1704 wrote to memory of 2916	1704	DEMF00A.exe	33
PID 1704 wrote to memory of 2916	1704	DEMF00A.exe	33
PID 2916 wrote to memory of 756	2916	DEM45A8.exe	35
PID 2916 wrote to memory of 756	2916	DEM45A8.exe	35
PID 2916 wrote to memory of 756	2916	DEM45A8.exe	35
PID 2916 wrote to memory of 756	2916	DEM45A8.exe	35
PID 756 wrote to memory of 2584	756	DEM9AD9.exe	37
PID 756 wrote to memory of 2584	756	DEM9AD9.exe	37
PID 756 wrote to memory of 2584	756	DEM9AD9.exe	37
PID 756 wrote to memory of 2584	756	DEM9AD9.exe	37
PID 2584 wrote to memory of 2928	2584	DEMF038.exe	39
PID 2584 wrote to memory of 2928	2584	DEMF038.exe	39
PID 2584 wrote to memory of 2928	2584	DEMF038.exe	39
PID 2584 wrote to memory of 2928	2584	DEMF038.exe	39

C:\Users\Admin\AppData\Local\Temp\daef9ce0d9d1d1e65bb642e8612816c0N.exe
"C:\Users\Admin\AppData\Local\Temp\daef9ce0d9d1d1e65bb642e8612816c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\DEMF00A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF00A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Users\Admin\AppData\Local\Temp\DEMF038.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF038.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\DEM454A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM454A.exe"
        6⤵
        Executes dropped EXE
        
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM45A8.exe

Filesize
15KB

MD5
6e10ab5ffbfedc4ad41933af436c2641

SHA1
76eeb4300099a85acac54a024e7883ed62da6b57

SHA256
bdec063b4d35916f5eda1470b6d4fdda564249efad846dd59bbfe8804e33a456

SHA512
459cf5cbd137002ab15315dedd90761ed03451bfe9d85b4a0a786c2118f28e9f8a4ea02310fe301f6342b99174d413a3d8873071e9064397d1e6f177459f7b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9AD9.exe

Filesize
15KB

MD5
9c2e29e54bed5af2c2b7248dfdde72e5

SHA1
4b3e05d57f6873ae27f9ac7e31993d607c3d6911

SHA256
130b2522f36181790f8088755d976452d8428db81c0f8c87333b27285adcb11f

SHA512
d112af04aef123e8946db8832de95f065c753d87c7e10979490cfe1bec21cf7c373751f8e7f7af47bd613bdc3318229278a8d039f9dbd0fcfbb1c04f51d9b7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF038.exe

Filesize
15KB

MD5
7aef49ac9fddb07ac69886d55eb5fb99

SHA1
919118ef01cdafdb768bd8d2af5e16c33247436d

SHA256
f29dbc6c0b780cd952c876e520311e4780f2abb3e45be81984d0118389fd568c

SHA512
6214699643c9a53424fb7d09a086186a83afbec59944542e78afe7135685cd816135136cee58cb409c6eb1305491bd778fc3b7164898bf898e95c3f67775fab2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM454A.exe

Filesize
15KB

MD5
9c556e8329556feda4474ce0de06daf7

SHA1
0072e0ea11551e3e1da20589d17afffd46ebcc8b

SHA256
1f94321a84210e4c472cdc8a9cc41b458ecf64f94f7d5bfdb1e9f0426b9a1e2f

SHA512
3bc52dbbbe456fec0ce0e36c4766b2feb28aa88892c4f13d60885b8075b6bf87aa068f6ca10fdd9dd31026e054942de1ff8e2be79c318fc30b5940f24423a5b2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF00A.exe

Filesize
15KB

MD5
3474f4b211297c3be829fb624d35609c

SHA1
f28759921616a6271e843fcdb9c12a5e5d6e630a

SHA256
6c17238cf0cbeb48a4f69e18dda57890929303d160db6b631e5f653dc4b1dadd

SHA512
91347d9a17e52b400e99b63e14cc6abb54c06355c962c360d38305be81a91cdd10aef6c93c55cbf6ff0b380f6662c88246f92351da65dfcb6987d1ecc0b62fbb

Download Submit

Analysis

Sharing