b1a142d7b164528eedaf21ce7a867b713b72c2ed6c2147bbbe37bbe209ec2fcd

General

Target

a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe
Size

15KB
MD5

a32f79193610e3b9d191a3b777e67354
SHA1

e28835a34ece1c61628561057e02de1905ef011c
SHA256

a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d
SHA512

31dc2494ce5127674f7e8ad475e021eaf388565da116f3b4834807592fc59c386daa821bb091bcf40b5596a06a2876a4c0632980a1a940480eac25d33f80df19
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cn/vP:hDXWipuE+K3/SSHgx//vP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2600	DEME734.exe
2608	DEM3C55.exe
2168	DEM91B5.exe
1548	DEME782.exe
320	DEM3CA3.exe
3060	DEM91C4.exe

Loads dropped DLL 6 IoCs

pid	Process
2136	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe
2600	DEME734.exe
2608	DEM3C55.exe
2168	DEM91B5.exe
1548	DEME782.exe
320	DEM3CA3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME734.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3C55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM91B5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME782.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3CA3.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2600	2136	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe	32
PID 2136 wrote to memory of 2600	2136	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe	32
PID 2136 wrote to memory of 2600	2136	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe	32
PID 2136 wrote to memory of 2600	2136	a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe	32
PID 2600 wrote to memory of 2608	2600	DEME734.exe	34
PID 2600 wrote to memory of 2608	2600	DEME734.exe	34
PID 2600 wrote to memory of 2608	2600	DEME734.exe	34
PID 2600 wrote to memory of 2608	2600	DEME734.exe	34
PID 2608 wrote to memory of 2168	2608	DEM3C55.exe	36
PID 2608 wrote to memory of 2168	2608	DEM3C55.exe	36
PID 2608 wrote to memory of 2168	2608	DEM3C55.exe	36
PID 2608 wrote to memory of 2168	2608	DEM3C55.exe	36
PID 2168 wrote to memory of 1548	2168	DEM91B5.exe	38
PID 2168 wrote to memory of 1548	2168	DEM91B5.exe	38
PID 2168 wrote to memory of 1548	2168	DEM91B5.exe	38
PID 2168 wrote to memory of 1548	2168	DEM91B5.exe	38
PID 1548 wrote to memory of 320	1548	DEME782.exe	40
PID 1548 wrote to memory of 320	1548	DEME782.exe	40
PID 1548 wrote to memory of 320	1548	DEME782.exe	40
PID 1548 wrote to memory of 320	1548	DEME782.exe	40
PID 320 wrote to memory of 3060	320	DEM3CA3.exe	42
PID 320 wrote to memory of 3060	320	DEM3CA3.exe	42
PID 320 wrote to memory of 3060	320	DEM3CA3.exe	42
PID 320 wrote to memory of 3060	320	DEM3CA3.exe	42

C:\Users\Admin\AppData\Local\Temp\a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe
"C:\Users\Admin\AppData\Local\Temp\a15c38d693e263955237ce5e678b121be0d700f5c292e0dfd4afd5fa7877c17d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\DEME734.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME734.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\DEM3C55.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3C55.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\DEM91B5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM91B5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\DEME782.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME782.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Users\Admin\AppData\Local\Temp\DEM3CA3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3CA3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\DEM91C4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM91C4.exe"
        7⤵
        Executes dropped EXE
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3C55.exe

Filesize
15KB

MD5
a7df477275513c5ca5fdd37df76e588d

SHA1
ad4d26e5a4bcb4ef6130f3c29abe907be9429e38

SHA256
df564adff7b858dde64158f96021f0eaa04c9df967afb793a675712997a7c7e8

SHA512
f62144d1b2f1189c6599fccfad76f2ea2464e4c65dca755339b69be2f6a2cf6492138aa3024a8fb5b1db217a8ea1d145d5f122fbddb65f37a52a361437ebbadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3CA3.exe

Filesize
15KB

MD5
a5b8792b545755d61bb746525b008a8c

SHA1
549442c91547acf9e257cb3b5a9b2c70b0102c4b

SHA256
46160d60232d380c82e80957cd0b542ab462d78cdf6e38f58a84d80ac0ee1402

SHA512
095af827350401464546406fa99430063f977fc3cfb85bb020de33c1193f977e5f5e3e6a042324a1ab1e423e4499a73ea8172106e7f8856409318dd9146a031e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM91B5.exe

Filesize
15KB

MD5
df14fe4ee31a1d3c8ec2b8967e3ff145

SHA1
04f18cc552482b82924375f38a0c671b68bec195

SHA256
d051bcdee0dc30b9778cb54485f4cd1fde450d641b839976d99bd8b5fd9e095a

SHA512
39612bfe1a0e9382af797e64c12abed637e1b36025482ad4b6c45c081f09bdd5279242580da634a4b4c7a84a19b2d49c02bbc7d679506d621e0837b9ac7cc177

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME734.exe

Filesize
15KB

MD5
c6ffc32a1ee9ef4300ce20830e67c860

SHA1
ea493fef7b6234760d0790cb782dec5b6cfb22ce

SHA256
511dcda63702ba887a84a2e8b33112bf78d4a1d4b81b579fcc9d90b888523070

SHA512
20237a0f14420b40f19603fd5d5c0d6fdd49d499879bb9ab5f39fc0dd92c1e53dca2c481554448a0ef4708af3d05af82834f4fd461941ab17d0dde2827ca739e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM91C4.exe

Filesize
16KB

MD5
8ea9f7dd14fcac8b1e3fa8336ce23b4f

SHA1
ec2f24199c9648ae15f9383efbe62976156b8ffa

SHA256
5436fde1cd97beb07eb96c982a977b1890b4317fdd622337c3695c3a604b6d18

SHA512
f8c3d47dcb4808228ea3dc14019655205587d9408cdd771e3821238247758c9dbb81039b18d23fca4928a59a79312288cfc033aadbcc20eeedeaa79d7160d95e

Download Submit
\Users\Admin\AppData\Local\Temp\DEME782.exe

Filesize
15KB

MD5
674e7a5f6ae348b27c953c7e03931091

SHA1
2ab7f5bd60dd785a991f7edba98f9f28e3d8676e

SHA256
041feb4298d500727ba0187bd81b95857d4e9ad2395b5c1d3f51ad1938c812ec

SHA512
7cf6dbecbeacdabc4af6907ce15c05a7a541c494dc8cf5fee3090a863ddcf4f2ff3665b3b52c50ada51be8d799704f9f100500fc252deaddb9ba0a515481085c

Download Submit

Analysis

Sharing