193f5d859c69b65babbf2b4e38b078632c38943aa64c5ce9b8e25bdb1b8742e4

General

Target

1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe
Size

13KB
MD5

baf0690f5e83cdda90259d99be123ec4
SHA1

87ac210437e66262017586df412a5c523107a4d8
SHA256

1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590
SHA512

6b753f7cba1dae7a0ef4f6f1781cdbe7250e29466333d5b509eef16d46c05851d8aa6c608e25dbe9b2c681bdd233d0682fdc3fabd8a94221ac37174c557c737b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhLZ:hDXWipuE+K3/SSHgxD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2184	DEMAEC6.exe
2708	DEM3E7.exe
2612	DEM59D3.exe
1784	DEMB00D.exe
2028	DEM56D.exe
2464	DEM5AFC.exe

Loads dropped DLL 6 IoCs

pid	Process
2508	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe
2184	DEMAEC6.exe
2708	DEM3E7.exe
2612	DEM59D3.exe
1784	DEMB00D.exe
2028	DEM56D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAEC6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM59D3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB00D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM56D.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2184	2508	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe	32
PID 2508 wrote to memory of 2184	2508	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe	32
PID 2508 wrote to memory of 2184	2508	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe	32
PID 2508 wrote to memory of 2184	2508	1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe	32
PID 2184 wrote to memory of 2708	2184	DEMAEC6.exe	34
PID 2184 wrote to memory of 2708	2184	DEMAEC6.exe	34
PID 2184 wrote to memory of 2708	2184	DEMAEC6.exe	34
PID 2184 wrote to memory of 2708	2184	DEMAEC6.exe	34
PID 2708 wrote to memory of 2612	2708	DEM3E7.exe	36
PID 2708 wrote to memory of 2612	2708	DEM3E7.exe	36
PID 2708 wrote to memory of 2612	2708	DEM3E7.exe	36
PID 2708 wrote to memory of 2612	2708	DEM3E7.exe	36
PID 2612 wrote to memory of 1784	2612	DEM59D3.exe	38
PID 2612 wrote to memory of 1784	2612	DEM59D3.exe	38
PID 2612 wrote to memory of 1784	2612	DEM59D3.exe	38
PID 2612 wrote to memory of 1784	2612	DEM59D3.exe	38
PID 1784 wrote to memory of 2028	1784	DEMB00D.exe	40
PID 1784 wrote to memory of 2028	1784	DEMB00D.exe	40
PID 1784 wrote to memory of 2028	1784	DEMB00D.exe	40
PID 1784 wrote to memory of 2028	1784	DEMB00D.exe	40
PID 2028 wrote to memory of 2464	2028	DEM56D.exe	42
PID 2028 wrote to memory of 2464	2028	DEM56D.exe	42
PID 2028 wrote to memory of 2464	2028	DEM56D.exe	42
PID 2028 wrote to memory of 2464	2028	DEM56D.exe	42

C:\Users\Admin\AppData\Local\Temp\1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe
"C:\Users\Admin\AppData\Local\Temp\1c2cc13b41bc986a24633037748c3359371b620e9e65f0f9d5911c60f1fe5590.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\DEM3E7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3E7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\DEM59D3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM59D3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Users\Admin\AppData\Local\Temp\DEMB00D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB00D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\DEM56D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM56D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\DEM5AFC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5AFC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3E7.exe

Filesize
13KB

MD5
2bdc766a9f1da7aa4e4e0a1d46712a87

SHA1
ceb6179c8899b62245a91f6a85e6287e643f218b

SHA256
d036dd299312a8afa4130703f7d14cb5faf3be5e1097ce6d46a085c0e13aec41

SHA512
9a707cf77f12a9061dcd55b0961ed427a1d638e80a6eeb28d11a53b492fd5b84eec513b94e50012692ff50984c6957194e40d2ab6160d1aa28025b785420b770

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe

Filesize
13KB

MD5
8eec4e56a7ee1b36c1b9969df3cc9b55

SHA1
2ef9615697b4facd9446e6bcf2f2aaedf6efd205

SHA256
22bd331b73e440b038f40a042a17486667418231aa2e8182592b9a3d638f6f6d

SHA512
ec7d5e6294c602cafd805558c8028b70aa518305b74b17af0c03a753063669788297cb488985606a06eee65c286c6291193834023b81246144a32bf451bee8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB00D.exe

Filesize
13KB

MD5
ee3fd926d5895c0f674c227f231e1085

SHA1
f7e2fc5a247805a97f076aa13e8db8a6f5f7fa90

SHA256
47fca3112a0f9b83414afaa6753636aba5a56efb9bfa9776f07ad4d75d10bff5

SHA512
34b4d313044c2fe9c4af0184e62e1810938032bef66fc47c543658b5d0a9269d5d6cd8f7d90547da0ba511f9e5668d3825c91fa7eb4facb1305d49d8588b6183

Download Submit
\Users\Admin\AppData\Local\Temp\DEM56D.exe

Filesize
13KB

MD5
52de2808abc38792e0cb6854a00c3e2f

SHA1
c6776ec55edcc0b252577491533879412b0e5320

SHA256
9664934c7a5973d88091a61b9549acb86eb8163fc9f3214e00b23dce381c8e02

SHA512
33e7a196cc8010192c7107c93e1eb1bb934842b536d0e07fcdfede4633829f8fd721202ecc5387bbd2380baa35454bbaec5be15550ce759f6029d0caa221abe9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM59D3.exe

Filesize
13KB

MD5
7afe491b4c92b95b6bfc7295d7ab6b23

SHA1
7573a85b9a792ca8db45beba10c2cd15d1dee3bc

SHA256
15a5b8600b1324aafe994d4952b143e70b48d73b87ddb85ef46098ae6c511038

SHA512
97295f1a4f226fcf464c68d4a827a5931e67ea761f5610fcd7a8c8c2bf4b86a604f840012464c144c392caf475edad1da7cc07488cfc2797c72cd9455f2c31c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5AFC.exe

Filesize
13KB

MD5
d60fd143f3c226d2be30267454b313af

SHA1
f010269df813b04ad1a17503d97753a7671f97ea

SHA256
f8835959d34b211c30073c3e065aef516c17e21b101106fba15a7458dfb052d8

SHA512
21e678b20e257187295ac21d642607253e4f11b16dd696322d2d8f66b571a762cb4ccc547c2cd855615d2f193c97480f93b2bd3303eec2608fec987607073f6b

Download Submit

Analysis

Sharing