3bdc1fce83d49a1be11ff043b55066b4290da043f2b637df80da90b6adc8bcef

General

Target

8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe
Size

16KB
MD5

7d2def95f853a3231c82ff4a024441ad
SHA1

842ae1745cacae836e52ceba38e95153d75f6608
SHA256

8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9
SHA512

7855865aad9c641fe415a975c605853d39f652d238a62174ced7601462a76e180553806d1ec1835eae90bf72b1a39a659cbc67e7893f133fcd2e9a6f955e75c6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlK:hDXWipuE+K3/SSHgxmlK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2216	DEM47D9.exe
2752	DEM9DA6.exe
2664	DEMF325.exe
2164	DEM48B4.exe
2552	DEM9E04.exe
1260	DEMF335.exe

Loads dropped DLL 6 IoCs

pid	Process
1968	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe
2216	DEM47D9.exe
2752	DEM9DA6.exe
2664	DEMF325.exe
2164	DEM48B4.exe
2552	DEM9E04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM47D9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9DA6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF325.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM48B4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9E04.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2216	1968	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe	30
PID 1968 wrote to memory of 2216	1968	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe	30
PID 1968 wrote to memory of 2216	1968	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe	30
PID 1968 wrote to memory of 2216	1968	8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe	30
PID 2216 wrote to memory of 2752	2216	DEM47D9.exe	32
PID 2216 wrote to memory of 2752	2216	DEM47D9.exe	32
PID 2216 wrote to memory of 2752	2216	DEM47D9.exe	32
PID 2216 wrote to memory of 2752	2216	DEM47D9.exe	32
PID 2752 wrote to memory of 2664	2752	DEM9DA6.exe	34
PID 2752 wrote to memory of 2664	2752	DEM9DA6.exe	34
PID 2752 wrote to memory of 2664	2752	DEM9DA6.exe	34
PID 2752 wrote to memory of 2664	2752	DEM9DA6.exe	34
PID 2664 wrote to memory of 2164	2664	DEMF325.exe	36
PID 2664 wrote to memory of 2164	2664	DEMF325.exe	36
PID 2664 wrote to memory of 2164	2664	DEMF325.exe	36
PID 2664 wrote to memory of 2164	2664	DEMF325.exe	36
PID 2164 wrote to memory of 2552	2164	DEM48B4.exe	38
PID 2164 wrote to memory of 2552	2164	DEM48B4.exe	38
PID 2164 wrote to memory of 2552	2164	DEM48B4.exe	38
PID 2164 wrote to memory of 2552	2164	DEM48B4.exe	38
PID 2552 wrote to memory of 1260	2552	DEM9E04.exe	40
PID 2552 wrote to memory of 1260	2552	DEM9E04.exe	40
PID 2552 wrote to memory of 1260	2552	DEM9E04.exe	40
PID 2552 wrote to memory of 1260	2552	DEM9E04.exe	40

C:\Users\Admin\AppData\Local\Temp\8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe
"C:\Users\Admin\AppData\Local\Temp\8a1291f9ba0cadc2df8e1e4063ef5341d527cf2babeb17486f53c80d6c4a30d9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\DEM9DA6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9DA6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\DEMF325.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF325.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\DEM48B4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM48B4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\DEM9E04.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9E04.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\DEMF335.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF335.exe"
        7⤵
        Executes dropped EXE
        
        PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe

Filesize
16KB

MD5
04c562ded71fc4411aa626511e4ecd47

SHA1
e07a699e73b2b02a2f4cf3250d5a70b57bdc5a48

SHA256
5f1132c7c281262dc7a5dd16a37a750975b6451e1f6554c4cdc88e47b3225dc7

SHA512
b924ea676df493e74e1ce14670a7c34efd0891f317cdcfb8022747217cd6942f06a301455933eea5cb6fd3bdae7192bc4aebe55a2b02fe27af86ab73e5ac3f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM48B4.exe

Filesize
16KB

MD5
7e00d3df21590e523113160bffe73895

SHA1
784753de71486c7345bbc3447cc9a6948174d72d

SHA256
05bc461df97ba169482cb0ce7f5b0290866c212b8fd444592ae0e6c2d73eaa74

SHA512
d7d1afd1a3f6acf998875ab87f6943b60ad7885166d3ac6fbbeb76b5be61a5971147066230f911d0096b2d93563e23043b6e2640c61906886c6d91f010305f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9DA6.exe

Filesize
16KB

MD5
0e1602bd1c20b167b212d775c2ebebec

SHA1
76d1a06546012eb0cd2e1fc8689407cca14b7206

SHA256
656d2290ea816022c74f721b1cff6a67334c91d84ff2590126f6b755ef0ea6ea

SHA512
625facaf7f50933b393ad44f9845e29115f3d46a44c094f6fc1e7a74bf2ed4f3b09e252a263942b6384a19578d4884227391dc3e649f597dcd6ae1656a2166c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9E04.exe

Filesize
16KB

MD5
eceba7eb647642cd54254664c1109608

SHA1
c8bf715880ad722ea07f470248eed3bc4d2318bd

SHA256
f75058969a3488c424cbeca196d1c83fbfee21c883faffb043abf3dad8dd8355

SHA512
c7e4a326b4e3516ba84633d0b6eb35c00ee4628804608b8ef88e07f1a4f24137dc35f28d40b2ab95f975153114b12b9827beb5854d0a3fce1902ee1814803774

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF325.exe

Filesize
16KB

MD5
7c5c856a7425d58d272a220f482df99a

SHA1
999dc5e9ac1eb1dca65ad1eee31af259e1abeed0

SHA256
36198c2689c8ef1a8658610496ac765d6816ce92f34a39e3662e675dbd69fe23

SHA512
3d7e44012c116d35e9732f75d806f723004dcac9578c9625bd1597d1dd0e33d70eeed4177d095c19f7cbf9bf6c9a46bf26623ec2e6f1a442baa2cea1ac6bcb0f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF335.exe

Filesize
16KB

MD5
e99418d649daff30211d354d6b20c89c

SHA1
d261316510fbdb9cefab32b1ced1694243b58aa1

SHA256
ec329bfdf82141cb82705fe2da2de47498672354b8438ea71b1af6dc7954f5ac

SHA512
c3fa5a5860ee3ab191f78fedf14e7fe96b9bf9e9b8e80a7bb652219e81651024b9548ed1dc35086993a7da28fb76eeb853f03ebe4837b2f5f606abd3954c8859

Download Submit

Analysis

Sharing