7de10250f2427c8b6f70558600034a3edc39ebc5829c31496efdf313c73f0e34

General

Target

5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
Size

15KB
MD5

7c58ed3ec40b9640da0426a8ec30efe5
SHA1

6d2b6b57e9ac6674e0ef5e98cee9fe0e54d9bd2b
SHA256

5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df
SHA512

78794b13879b2ce14042587d884b4a8765767de06587cdc5a979b11df00ac94ac8a0fe1b172ba5ad2f99390e5ca5f46ab91c56f2c33a5f2662d389505122c3b7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhid:hDXWipuE+K3/SSHgxLid

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2800	DEMF4DA.exe
2816	DEM4B81.exe
2944	DEMA1FA.exe
1088	DEMF798.exe
2988	DEM4DC3.exe
2068	DEMA4A8.exe

Loads dropped DLL 6 IoCs

pid	Process
2928	5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
2800	DEMF4DA.exe
2816	DEM4B81.exe
2944	DEMA1FA.exe
1088	DEMF798.exe
2988	DEM4DC3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF4DA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4B81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA1FA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF798.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4DC3.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2800	2928	5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe	30
PID 2928 wrote to memory of 2800	2928	5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe	30
PID 2928 wrote to memory of 2800	2928	5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe	30
PID 2928 wrote to memory of 2800	2928	5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe	30
PID 2800 wrote to memory of 2816	2800	DEMF4DA.exe	32
PID 2800 wrote to memory of 2816	2800	DEMF4DA.exe	32
PID 2800 wrote to memory of 2816	2800	DEMF4DA.exe	32
PID 2800 wrote to memory of 2816	2800	DEMF4DA.exe	32
PID 2816 wrote to memory of 2944	2816	DEM4B81.exe	34
PID 2816 wrote to memory of 2944	2816	DEM4B81.exe	34
PID 2816 wrote to memory of 2944	2816	DEM4B81.exe	34
PID 2816 wrote to memory of 2944	2816	DEM4B81.exe	34
PID 2944 wrote to memory of 1088	2944	DEMA1FA.exe	36
PID 2944 wrote to memory of 1088	2944	DEMA1FA.exe	36
PID 2944 wrote to memory of 1088	2944	DEMA1FA.exe	36
PID 2944 wrote to memory of 1088	2944	DEMA1FA.exe	36
PID 1088 wrote to memory of 2988	1088	DEMF798.exe	38
PID 1088 wrote to memory of 2988	1088	DEMF798.exe	38
PID 1088 wrote to memory of 2988	1088	DEMF798.exe	38
PID 1088 wrote to memory of 2988	1088	DEMF798.exe	38
PID 2988 wrote to memory of 2068	2988	DEM4DC3.exe	40
PID 2988 wrote to memory of 2068	2988	DEM4DC3.exe	40
PID 2988 wrote to memory of 2068	2988	DEM4DC3.exe	40
PID 2988 wrote to memory of 2068	2988	DEM4DC3.exe	40

C:\Users\Admin\AppData\Local\Temp\5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe
"C:\Users\Admin\AppData\Local\Temp\5761b48a873f44d6eb34916f429536e24a7f955f8a81ce006f93a863c1f8e7df.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\DEMF4DA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF4DA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\DEMA1FA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA1FA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Users\Admin\AppData\Local\Temp\DEMF798.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF798.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1088
      - C:\Users\Admin\AppData\Local\Temp\DEM4DC3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4DC3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\DEMA4A8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA4A8.exe"
        7⤵
        Executes dropped EXE
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe

Filesize
15KB

MD5
3c8024786380261cf91e98441a8e9719

SHA1
37d62f568ac0ef51d65ac83ab1fb8d2cde9d278f

SHA256
2896fb3845fbed649a4f223f526e7366d6a1cb2b21164de6806071fde178d117

SHA512
e6f99b5310b77180ca7b59fb79d5e535234fcdba4a89fe2b111191eb9cec8729af8bce87673d7d71a9c696722c9394ea5be7e4e32861e178763703c22c5e8c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF4DA.exe

Filesize
15KB

MD5
478d0ccd8cbeb48ff04472ac71f0a96e

SHA1
ca5805a0161f0eea0959220c87bec2955e2b1aff

SHA256
48db47cba87942431da05780becabf95be0dbafbb2b4efa27367f6e63ac97d54

SHA512
7c4ee38937c0c3d8a064945ef807376bf14694256957875d39b9105f7e85992e6684d6a12568a35913f497eed07154e4d056843f967c1adbef6b10859ff43369

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4DC3.exe

Filesize
15KB

MD5
c632e21e1d93f7d1b997a2b9b8a9430c

SHA1
63be0ef207cfd8ede9fce55f4855ea3cad56181b

SHA256
f242c26080698f77c1843e1bfd67aa21dd9827cb1a57bba11b54a5a0967682fe

SHA512
7e98611918705e92c0571c4c5f5f427d9a5db3e39368c2002376d094287532964c7dcd11d62ad33d29265fc414987f643d1fca7e03820d9ec3a4009e8f7b69bc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA1FA.exe

Filesize
15KB

MD5
5cb03230451962a76aea1f2913706f9e

SHA1
4c4cffdd3728c37c0e30321a1838da25917f1a12

SHA256
1c93fa024f38c57b303e2121934f3855c427d04d403e53518c72fbb22434330b

SHA512
dd297cd560b39e5f3f414bb72005f6c1016a125931e3e6eeedfadc6cee96290fa1c9207241f23bc7223ec72bf36460901290436e3b407136d48972d34ef2ba57

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA4A8.exe

Filesize
15KB

MD5
6da42d60be23d57c7f1869493b09ebe1

SHA1
0fbdc6a4f0e822855464d4db4b1c334fccc6286b

SHA256
6d554be00f815a1d452e9c17360eec3241a0c0df203ab9082508a6b46da5c009

SHA512
482ebbb8f5988a6b0d099c97fe0e19e3cdc41bc66527be93100d60986a581088840da7ae0117149613e8cfc62e1d9bcc97a557c17dcebb4fd77244ae79c7b555

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF798.exe

Filesize
15KB

MD5
9342496341eaf56c7f2a4827ce1ee68f

SHA1
d5d540297c11cac34a955e66ffb8a7c1d1d42fde

SHA256
7ada155e2ab7e3fde0074b17e2a1410aeed6a078c9c05abcdc2bbf77eb3b9730

SHA512
1f00ef1f34834e36b56c12e9e77ee1949984150b1a21d6fbed2c06da1881c95026503a5e79bf3719b695ade6b1dd177aa8f21b6d1a39880e91d0e05bf324c363

Download Submit

Analysis

Sharing