d50e0eebc6730a5087ae5a52b50025840a46e99a65e320080d9bd378d569c93b

General

Target

d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe
Size

20KB
MD5

8bddfa1f45050158e4cb739c1af728f5
SHA1

ab3dc75a23a5f66b5755da3a5c9c10b9c76311a2
SHA256

d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814
SHA512

105182af46f925f10faff2e8e633bc905df2960130187a098b248426dbb5e7d239a9ca98ade390cfde22b36a724e37f7716f9158ca0239a148269fe1559fe44e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4r:hDXWipuE+K3/SSHgxmHZr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2772	DEMDE6D.exe
2608	DEM3459.exe
1412	DEM899A.exe
1076	DEMDE9C.exe
2896	DEM34A7.exe
1796	DEM89B9.exe

Loads dropped DLL 6 IoCs

pid	Process
1976	d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe
2772	DEMDE6D.exe
2608	DEM3459.exe
1412	DEM899A.exe
1076	DEMDE9C.exe
2896	DEM34A7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM899A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE9C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM34A7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE6D.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2772	1976	d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe	31
PID 1976 wrote to memory of 2772	1976	d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe	31
PID 1976 wrote to memory of 2772	1976	d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe	31
PID 1976 wrote to memory of 2772	1976	d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe	31
PID 2772 wrote to memory of 2608	2772	DEMDE6D.exe	33
PID 2772 wrote to memory of 2608	2772	DEMDE6D.exe	33
PID 2772 wrote to memory of 2608	2772	DEMDE6D.exe	33
PID 2772 wrote to memory of 2608	2772	DEMDE6D.exe	33
PID 2608 wrote to memory of 1412	2608	DEM3459.exe	35
PID 2608 wrote to memory of 1412	2608	DEM3459.exe	35
PID 2608 wrote to memory of 1412	2608	DEM3459.exe	35
PID 2608 wrote to memory of 1412	2608	DEM3459.exe	35
PID 1412 wrote to memory of 1076	1412	DEM899A.exe	37
PID 1412 wrote to memory of 1076	1412	DEM899A.exe	37
PID 1412 wrote to memory of 1076	1412	DEM899A.exe	37
PID 1412 wrote to memory of 1076	1412	DEM899A.exe	37
PID 1076 wrote to memory of 2896	1076	DEMDE9C.exe	39
PID 1076 wrote to memory of 2896	1076	DEMDE9C.exe	39
PID 1076 wrote to memory of 2896	1076	DEMDE9C.exe	39
PID 1076 wrote to memory of 2896	1076	DEMDE9C.exe	39
PID 2896 wrote to memory of 1796	2896	DEM34A7.exe	41
PID 2896 wrote to memory of 1796	2896	DEM34A7.exe	41
PID 2896 wrote to memory of 1796	2896	DEM34A7.exe	41
PID 2896 wrote to memory of 1796	2896	DEM34A7.exe	41

C:\Users\Admin\AppData\Local\Temp\d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe
"C:\Users\Admin\AppData\Local\Temp\d2a7b517477f45ff6ceeeeb62e74d77feb110aed5cb084eab137b6941836f814.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDE6D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\DEM3459.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3459.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\DEM899A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM899A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\DEMDE9C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDE9C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Users\Admin\AppData\Local\Temp\DEM34A7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM34A7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\DEM89B9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM89B9.exe"
        7⤵
        Executes dropped EXE
        
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3459.exe

Filesize
20KB

MD5
58a4aed746e962bc1742a4c32c4fb299

SHA1
0297ffab09ba1bcfe10f13730406f92eb27250a7

SHA256
ad8c7395c244d5b0e8c49af761b0a0e71d6cbea333dc31b075e33bee5a2ccafa

SHA512
fdd2416b0491e93506bbdbdd5b43d36aed58ddb8aa9f5e47e34982aaa391ec87e147a41997db30e48739c1fc3aac3bbd2dcf3fb153bc351e58e14a6ce84ec81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM34A7.exe

Filesize
20KB

MD5
98c6136f15cc53926f06e8ba64818a75

SHA1
bd5a957dd827487b42c887122984e58250d80bd7

SHA256
3e403e3f326c6a84cc338f36afa358a676d6d331fe846547cd1314c9aa0b07c0

SHA512
d4fb43a6167ab94cb2d326bb26488556a1a20fb0e6fc54bf1951a20ad9106a8cd5c44d91aa3e7f32f59ea6bce783078cc8917d2164af47bb8fef130fb3fef21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM89B9.exe

Filesize
20KB

MD5
070156ab5dabd1ea79cffb00325dad7b

SHA1
6eeb763f1bdbef91228158906d5e8aae11de274e

SHA256
d44cd230e4325943263d807cb3cf3064d6450393b040307b5ac72c83c503d00c

SHA512
ba283d11ded6e719c8b654b92381376f4450e2c70601da0c6413e60d3b04403a29c25e80b8954acafea1b27ed17620afb2d8e89c3b52319df417aaa212a05c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDE9C.exe

Filesize
20KB

MD5
c600cf1d5fd42e3f4f6ed546bd4c8354

SHA1
d364a48ca594aae7c766393029a495ef9b91eccd

SHA256
c6363942c3530c1b8c9bd4373fa79978274d838454c16e5e88ef7d7725785891

SHA512
06feeef9466075108d1d4606d675b7b21953d96b5ef708fcc8bc3b6c189ec4e030580b5b79ad8cf1f80769ed55d32c5c51849e9a0284ae74dde80c7251afc45c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM899A.exe

Filesize
20KB

MD5
c42e4a10993e4155a8cc78204e6b0036

SHA1
d2d973c69c10414e1e6b24e8a99d4483d4cdb1c2

SHA256
d49e1fede979ad5a24adcb1af153efe9f6673f0862d5e8750ed327fedb6a98b1

SHA512
c16387e4361f00d7b268821e14d4ee02869914a92dd1ac0bf9a43fc28e4c21dca7a07a20231065e0d394580d546cf876b710de09b1b1daaf143f0a54cec1b4d3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDE6D.exe

Filesize
20KB

MD5
8e7ed7ff9d7905063c7f1f2094a7fcfa

SHA1
a35e0e0320f322908daad0a637b8bea467d69772

SHA256
72ef1c9583efdd63f4afe3fabf3803416fc858f5e74eab4b0022c5a42d5dee34

SHA512
4a8e0143196c5d21f6e6b79cd52dbac81e5dccf6aded5ee8c1dec0ff4747a4d78766a6472cde173eb51090a3217f8001e930d0c5437b90e9bded474ae696045a

Download Submit

Analysis

Sharing