19c1f00769529d9f9f35d7d97b5b7134301e37aafdb4f4ae8e976131b8ceb088

General

Target

6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe
Size

16KB
MD5

3e0bcc9c38930e36788ea27389ef1444
SHA1

376476ca2d4ced8ab1b042edcad88854adfd83eb
SHA256

6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e
SHA512

9bb6a85ea0176e0ed78425e491dc2b56c64a5262bfc9fb800429698836ee3e1643edb4e102018f7014ce61db08882df1d0e7a2ed6be93f21c592411257fe1823
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlgB:hDXWipuE+K3/SSHgxmlC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2316	DEM8CF4.exe
2656	DEME215.exe
2204	DEM37A4.exe
1600	DEM8D42.exe
2448	DEME2B1.exe
576	DEM3801.exe

Loads dropped DLL 6 IoCs

pid	Process
2584	6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe
2316	DEM8CF4.exe
2656	DEME215.exe
2204	DEM37A4.exe
1600	DEM8D42.exe
2448	DEME2B1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8CF4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME215.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM37A4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8D42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME2B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2316	2584	6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe	32
PID 2584 wrote to memory of 2316	2584	6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe	32
PID 2584 wrote to memory of 2316	2584	6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe	32
PID 2584 wrote to memory of 2316	2584	6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe	32
PID 2316 wrote to memory of 2656	2316	DEM8CF4.exe	34
PID 2316 wrote to memory of 2656	2316	DEM8CF4.exe	34
PID 2316 wrote to memory of 2656	2316	DEM8CF4.exe	34
PID 2316 wrote to memory of 2656	2316	DEM8CF4.exe	34
PID 2656 wrote to memory of 2204	2656	DEME215.exe	36
PID 2656 wrote to memory of 2204	2656	DEME215.exe	36
PID 2656 wrote to memory of 2204	2656	DEME215.exe	36
PID 2656 wrote to memory of 2204	2656	DEME215.exe	36
PID 2204 wrote to memory of 1600	2204	DEM37A4.exe	38
PID 2204 wrote to memory of 1600	2204	DEM37A4.exe	38
PID 2204 wrote to memory of 1600	2204	DEM37A4.exe	38
PID 2204 wrote to memory of 1600	2204	DEM37A4.exe	38
PID 1600 wrote to memory of 2448	1600	DEM8D42.exe	40
PID 1600 wrote to memory of 2448	1600	DEM8D42.exe	40
PID 1600 wrote to memory of 2448	1600	DEM8D42.exe	40
PID 1600 wrote to memory of 2448	1600	DEM8D42.exe	40
PID 2448 wrote to memory of 576	2448	DEME2B1.exe	42
PID 2448 wrote to memory of 576	2448	DEME2B1.exe	42
PID 2448 wrote to memory of 576	2448	DEME2B1.exe	42
PID 2448 wrote to memory of 576	2448	DEME2B1.exe	42

C:\Users\Admin\AppData\Local\Temp\6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe
"C:\Users\Admin\AppData\Local\Temp\6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\DEM8CF4.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8CF4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\DEME215.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME215.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\DEM37A4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM37A4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\DEM8D42.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8D42.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\DEME2B1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME2B1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\DEM3801.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3801.exe"
        7⤵
        Executes dropped EXE
        
        PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8CF4.exe

Filesize
16KB

MD5
0ce3759f44691828ad9bb30f3d736054

SHA1
e441647a65df442fbec58dfb13ae2cfc223ecf8b

SHA256
9af003a94a201dae7675a5595697ce52c1578853e1ab12dc952e2fae28a82001

SHA512
26876a7b3916c1a057c18414fed91d04e5edffd159069d6584cd0791ce1278c9aed91cfd0b793db8f7455ad3bf597050945a6e4020911065d21bbb0664a2209a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME215.exe

Filesize
16KB

MD5
3ec3c5aabfe40955ceb4466013ab95d4

SHA1
054b6b054901bb4fc755894f282f0cd839fcc27a

SHA256
c8df9f1f93cd397165a290f2b690c37497d3657158f68f7c19beadbc61ca2bbb

SHA512
2d8c93886c7c2b0b8fd31d6cf0a3318c9e2f9889623bc96686a0b5acd723600a1a5e5880037f06febe901beb9eb242ee9a0911acdb900c67696679f1ed339b08

Download Submit
\Users\Admin\AppData\Local\Temp\DEM37A4.exe

Filesize
16KB

MD5
d05611301b32fb1b36a49c3f05f262aa

SHA1
79c7f21f8e8e21f6c06b07359579c9b4640104be

SHA256
8450b965cc6f9b37c7b7924bf072604120ac073aa745c6a8b09811645a25d22b

SHA512
f8b97d5441482209a25e39e5fdc1510ad7baf0aa59559a11f87379bed992db6bf7b2f45e39945dbfa0222991aa389bcd1348685909b11235f4282ad4a5a218f7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3801.exe

Filesize
16KB

MD5
b58898cde6345ce7a8418409023363e8

SHA1
368c8ffe65744ce3468c3e4f5e773946785e43f3

SHA256
f9553d786787b9e04151b23923814f12f3a4e0028f2232adab43d9cad39835e4

SHA512
28dc515dc7b7baee599a69eecb353a4edc11a4c7ffbe1eeac5542b1eb9e006627275650a773199f4746399cfc08a9820d54c976e4c13970acf2c227be28c4378

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8D42.exe

Filesize
16KB

MD5
025bd9616f26d0ce73292ad123ad18f6

SHA1
84a6d139f607282ae1b1ac8a02c6c5ad0c4c60cb

SHA256
74b419ab29616f027df0b71f3b48a6b709c86b42ce29c31fa91f99b981866aea

SHA512
fb7e55076f42da61928b0ea12c2121296b9687d28f374d34adfed3edab9bffe39c320ac7f15b457febcd9e9cc16771940a75c60f316d9f45de20b3124ec3132c

Download Submit
\Users\Admin\AppData\Local\Temp\DEME2B1.exe

Filesize
16KB

MD5
4adce2c69cf72aea2e3910ff0ddc1a5a

SHA1
08231c4d361cdff5906e31b60e4cf4651439d4f1

SHA256
36b9be41a7763cdd5321ad9f01bc5716ff8bb589af1e88f59665a667b52a9653

SHA512
cb6014ce99b4809dba9937a5d5b3846d56191526dcbcf24efd7bf6e22bb5a058d2eae7d06feb92a18109e08aea65648521d6be802515ba6a1b5cdfc9a7c0598f

Download Submit

Analysis

Sharing