d5edd3f923c602dcfe80ea515fab7c8733807c3bebc8d510f9f59f662b11e8aa

General

Target

09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe
Size

16KB
MD5

6c509a14710232fa7eb42cdb0994a423
SHA1

27d30ec9d02aa996af0fda500dd9a95d0e651abf
SHA256

09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99
SHA512

60a022dee7eec893d9e23bc41bd114f222423f4ef05b66afbcd22f95c479d3429de1c0ff85a8d3df349bcbed0501bae5e3db146c38aa64de3f25a19642aa3186
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR3W2z3X4:hDXWipuE+K3/SSHgxrW2zo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2716	DEME1C7.exe
2712	DEM3765.exe
2652	DEM8C96.exe
1416	DEME234.exe
2840	DEM37E2.exe
2836	DEM8DDE.exe

Loads dropped DLL 6 IoCs

pid	Process
2948	09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe
2716	DEME1C7.exe
2712	DEM3765.exe
2652	DEM8C96.exe
1416	DEME234.exe
2840	DEM37E2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME1C7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8C96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM37E2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2716	2948	09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe	32
PID 2948 wrote to memory of 2716	2948	09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe	32
PID 2948 wrote to memory of 2716	2948	09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe	32
PID 2948 wrote to memory of 2716	2948	09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe	32
PID 2716 wrote to memory of 2712	2716	DEME1C7.exe	34
PID 2716 wrote to memory of 2712	2716	DEME1C7.exe	34
PID 2716 wrote to memory of 2712	2716	DEME1C7.exe	34
PID 2716 wrote to memory of 2712	2716	DEME1C7.exe	34
PID 2712 wrote to memory of 2652	2712	DEM3765.exe	36
PID 2712 wrote to memory of 2652	2712	DEM3765.exe	36
PID 2712 wrote to memory of 2652	2712	DEM3765.exe	36
PID 2712 wrote to memory of 2652	2712	DEM3765.exe	36
PID 2652 wrote to memory of 1416	2652	DEM8C96.exe	39
PID 2652 wrote to memory of 1416	2652	DEM8C96.exe	39
PID 2652 wrote to memory of 1416	2652	DEM8C96.exe	39
PID 2652 wrote to memory of 1416	2652	DEM8C96.exe	39
PID 1416 wrote to memory of 2840	1416	DEME234.exe	41
PID 1416 wrote to memory of 2840	1416	DEME234.exe	41
PID 1416 wrote to memory of 2840	1416	DEME234.exe	41
PID 1416 wrote to memory of 2840	1416	DEME234.exe	41
PID 2840 wrote to memory of 2836	2840	DEM37E2.exe	43
PID 2840 wrote to memory of 2836	2840	DEM37E2.exe	43
PID 2840 wrote to memory of 2836	2840	DEM37E2.exe	43
PID 2840 wrote to memory of 2836	2840	DEM37E2.exe	43

C:\Users\Admin\AppData\Local\Temp\09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe
"C:\Users\Admin\AppData\Local\Temp\09691c47117fd955ff2c70b72e2a4bec8c91f43edcff97340f504b17821fcc99.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\DEME1C7.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME1C7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\DEM3765.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3765.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\DEM8C96.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8C96.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\DEME234.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME234.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Users\Admin\AppData\Local\Temp\DEM37E2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM37E2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\DEM8DDE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8DDE.exe"
        7⤵
        Executes dropped EXE
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3765.exe

Filesize
16KB

MD5
ff42e5984139f0c520a23bd42a553c4f

SHA1
c75410d303f56e8444f720986993d0fbd5b14fc2

SHA256
784cc8735bbe4d45810d3230b2fbbd7addc03cf57495b2f4a7a5b5b63aee2ad7

SHA512
c59071925488d93b29e3ede8701c160a5eaf7e21b40159315e5bced08b12268b63b63dd9fe84e577d6ba39a84f189c8f2ae988a1d2c8b4799c11bd91cd8956ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM37E2.exe

Filesize
16KB

MD5
49c0e21d2762df47786a053b0618e364

SHA1
99cf3c2e3cede89af486c80b8a00cd3cf3bc091d

SHA256
56a1d3e86a3dfcdc048b43e4cf1c65d6b619b36dae2661abfeb9fbc2879391a6

SHA512
a06df5cc6a522d5efdc5f6f28f3d450242eb963058d1567f936cd27c564e282cd888c1421199de689d7fcaa4a19e57d44d71663a101c07e6e3ed663c6d82a3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8C96.exe

Filesize
16KB

MD5
5090115391438a7d276253cf3e661bbf

SHA1
720d52f927a06ebcc05e499446f53a359654dda3

SHA256
da6fb613b9f96513765080919322c094a86421701f236918401a2f107c609d50

SHA512
04cd353f98dc7cf085e404468c7a17ecc94240c295a5689a23343e50397ecaa74b63e2092bd246fa97a34ec99a897eb5fc70259e7f9e1f08a2d3d01a6f39ca4d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8DDE.exe

Filesize
16KB

MD5
3b140d15461505a7e5ec1e9b51c0d6cc

SHA1
8ff85d2af26a7c65ba6783124790965503b25c87

SHA256
cc15562e9c2a9526ccce3b1e978247dd389090371495bc609e811de5590add08

SHA512
eeba4609ea7139e7127b27f64bfd0ceb418f2cf2868dc85315f4bc159762417657f9ef49de56fa9fa33871ac3eab794f3ed0ec705423d63cffc6dbac67d760e5

Download Submit
\Users\Admin\AppData\Local\Temp\DEME1C7.exe

Filesize
16KB

MD5
645af057c4ba6b47f46631522e9a66a0

SHA1
3a407668f3ef0f7ce670379b99c28d935ae7514d

SHA256
47a55422a11d3f05ff347b363973ab3305b8642dd850234754040f6f7e925098

SHA512
260bb772036d84f26f70c9aa863887d9726c969bbad9e0c2117e58163a4134481b213019233a9f077115e7f6ef5708cb51b4d9628c9f04a2c2a1edad285cbed2

Download Submit
\Users\Admin\AppData\Local\Temp\DEME234.exe

Filesize
16KB

MD5
beedb7e661b7b527e52c1a70de9c8944

SHA1
7b0732cd50fbb8d772528b5406732b4840a73606

SHA256
b29c8fcd4fb1ac5046e998a8982db29af8650825556d326c3196fee0d6b3e492

SHA512
feaa6afaada1c3612048caa4251980b4ef9aa581d726b65fc1e5d3eed38e7d0c6385cb49fd2800bfcdfa0182d1ec877f9c4f1c9174489c3414e430f430281fd8

Download Submit

Analysis

Sharing