f5454de6d5b6961bc2a7cd684ecda92adc27d510d8845d9e21b9f3659ee9e5e1

General

Target

0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
Size

14KB
MD5

9b81c08743680fb1110c010220bcc622
SHA1

8299cd0ea14352c190fc45bbb217fb37221bc671
SHA256

0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b
SHA512

174128cf347d10b37af7943f89d631ed2d5262c1913262f8338a4a868a12e3c1f3bc7e7828cc1ff385e26eb01cfad7e07cb2645f718e933647f8f855ff593b94
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvFBx:hDXWipuE+K3/SSHgxlFBx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1980	DEMB56A.exe
2736	DEMABA.exe
2628	DEM6039.exe
1432	DEMB635.exe
2140	DEMB85.exe
2456	DEM6171.exe

Loads dropped DLL 6 IoCs

pid	Process
2500	0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
1980	DEMB56A.exe
2736	DEMABA.exe
2628	DEM6039.exe
1432	DEMB635.exe
2140	DEMB85.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB56A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMABA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6039.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB635.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1980	2500	0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe	32
PID 2500 wrote to memory of 1980	2500	0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe	32
PID 2500 wrote to memory of 1980	2500	0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe	32
PID 2500 wrote to memory of 1980	2500	0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe	32
PID 1980 wrote to memory of 2736	1980	DEMB56A.exe	34
PID 1980 wrote to memory of 2736	1980	DEMB56A.exe	34
PID 1980 wrote to memory of 2736	1980	DEMB56A.exe	34
PID 1980 wrote to memory of 2736	1980	DEMB56A.exe	34
PID 2736 wrote to memory of 2628	2736	DEMABA.exe	36
PID 2736 wrote to memory of 2628	2736	DEMABA.exe	36
PID 2736 wrote to memory of 2628	2736	DEMABA.exe	36
PID 2736 wrote to memory of 2628	2736	DEMABA.exe	36
PID 2628 wrote to memory of 1432	2628	DEM6039.exe	38
PID 2628 wrote to memory of 1432	2628	DEM6039.exe	38
PID 2628 wrote to memory of 1432	2628	DEM6039.exe	38
PID 2628 wrote to memory of 1432	2628	DEM6039.exe	38
PID 1432 wrote to memory of 2140	1432	DEMB635.exe	40
PID 1432 wrote to memory of 2140	1432	DEMB635.exe	40
PID 1432 wrote to memory of 2140	1432	DEMB635.exe	40
PID 1432 wrote to memory of 2140	1432	DEMB635.exe	40
PID 2140 wrote to memory of 2456	2140	DEMB85.exe	42
PID 2140 wrote to memory of 2456	2140	DEMB85.exe	42
PID 2140 wrote to memory of 2456	2140	DEMB85.exe	42
PID 2140 wrote to memory of 2456	2140	DEMB85.exe	42

C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe
"C:\Users\Admin\AppData\Local\Temp\0f5211519d8197a98fea6275c9191fc59673ee63e3ae5d13a178b50e6e84c13b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\DEMB56A.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB56A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\DEMABA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMABA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\DEM6039.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6039.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\DEMB635.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB635.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Users\Admin\AppData\Local\Temp\DEMB85.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB85.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\DEM6171.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6171.exe"
        7⤵
        Executes dropped EXE
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6171.exe

Filesize
14KB

MD5
aaaaf814cdfba905da8bd3732ab6b4b6

SHA1
caede729f802fb24eb1f05be0c3a5788d9f97d22

SHA256
61a1ad9075bd7620ac3f3f9058adf3f9d0f9389517c25a3683a8178cb706ebbb

SHA512
b17587c44c0b296547055fe881a33ca77702f0b472856d7ed54f3e9d037cc869b4dce6e4497b160686dc72d50618bfdeeaf931cc0f25d751f198daf15535dea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMABA.exe

Filesize
14KB

MD5
acff9205ada627875487cbef323bef64

SHA1
d03c0a128edc72992f9d0b7f8a872911e1803c9d

SHA256
6667e9e5f9e2cd4778a2729964e17f051637629063300eb054788dc1c4c4d674

SHA512
926294968634c05807985ab3fbc18cf58a5e0133553aeeb269e0917a377f5a77392e231621b24a935cc2c49801e4f92a1d0e338f55423b738b60eb7c8cfd243d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6039.exe

Filesize
14KB

MD5
ff5135757c7216f92e3b1b7db84f198a

SHA1
e205b87a43392897ba76463b559d9bab96f9e318

SHA256
e31eaa24d79c5fb32b4a4822cea35db83dc3acb9622bbed215aac4c1cf4306c4

SHA512
4d3213ca6517b6182cba6bb8ec10f873a390a2b9b676f7f6e984c80d8adbeebd4231ef3323890b8bc9341bc15a5da200f23b8cdfd34d544776574a32775e5fe9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB56A.exe

Filesize
14KB

MD5
a918e04d9e07135b4e99164f41823bc9

SHA1
0ad47037d1a861ab45a6ea3a5317aec1dd9c77e4

SHA256
e1ddee83badb7cb80664fd9c0f02ac8f37d7dbd80bc11ab91079c158ade3ce99

SHA512
99f9a04f7badcb0ad916baf001565118740e21dd56b2451c13b9ecbe7a6bd10a72c8d8386e32aaea51a15cb7c5fde445f5e3f8edfe1b835d7664296efb715020

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB635.exe

Filesize
14KB

MD5
e63aa967d8957046c755951d0e5df08d

SHA1
dfef4306a3b08e0649c3d3460687e9cd6dc8564e

SHA256
f5ba3557c6e1e14bbf4059ac04f53d449ecc64c7811959f13438facc68dfc184

SHA512
3e7dfefdc9b86ae4fa161928c90452a01fdae6389158f6c0a2e6eebcef84df02ab6dbe649234038e85fbc2d326b1a60d9fbe025e56601c035689dac4aff759ac

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB85.exe

Filesize
14KB

MD5
37e5922637ee81d2854b8e0fb977a0ec

SHA1
2dcdfb40bf5faa9e39b8008f48db9d97de164626

SHA256
f30dff05526d9a70a236835c2cc2cae569fcd8bb7e39068233ce6ec9a8244e52

SHA512
42ec8f291bf56cdbb39be1ef828ea60d27c4ac54f768683906e588844bdb98c0ba23979f08b395bf7692fafe14fcef9edc5dab04e1c3be6998c5a51a32df2839

Download Submit

Analysis

Sharing