2896d3820bdba7e16391472b0ba4e6859d00617c7ea0942bb09aa9e3bb5e9aff

General

Target

4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe
Size

15KB
MD5

1a66883e197b07a279cc71e3aa581702
SHA1

c0ff3eb7efc04e621749223909ca31663604adb7
SHA256

4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6
SHA512

e55e9a3248207f3f8bcdaabc48d57023c963883beea5354dba6a8bf718812c614871b12f6f0ab3c1aacc89f84fa7205da7ded0ecd278dfe3b7e7941834fa3809
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5X/EmW:hDXWipuE+K3/SSHgxm5sX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2728	DEM2B83.exe
3016	DEM80A5.exe
2968	DEMD5B6.exe
1696	DEM2AF7.exe
2148	DEM8018.exe
2348	DEMD53A.exe

Loads dropped DLL 6 IoCs

pid	Process
2676	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe
2728	DEM2B83.exe
3016	DEM80A5.exe
2968	DEMD5B6.exe
1696	DEM2AF7.exe
2148	DEM8018.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD5B6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2AF7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8018.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2B83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM80A5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2728	2676	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe	31
PID 2676 wrote to memory of 2728	2676	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe	31
PID 2676 wrote to memory of 2728	2676	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe	31
PID 2676 wrote to memory of 2728	2676	4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe	31
PID 2728 wrote to memory of 3016	2728	DEM2B83.exe	33
PID 2728 wrote to memory of 3016	2728	DEM2B83.exe	33
PID 2728 wrote to memory of 3016	2728	DEM2B83.exe	33
PID 2728 wrote to memory of 3016	2728	DEM2B83.exe	33
PID 3016 wrote to memory of 2968	3016	DEM80A5.exe	35
PID 3016 wrote to memory of 2968	3016	DEM80A5.exe	35
PID 3016 wrote to memory of 2968	3016	DEM80A5.exe	35
PID 3016 wrote to memory of 2968	3016	DEM80A5.exe	35
PID 2968 wrote to memory of 1696	2968	DEMD5B6.exe	37
PID 2968 wrote to memory of 1696	2968	DEMD5B6.exe	37
PID 2968 wrote to memory of 1696	2968	DEMD5B6.exe	37
PID 2968 wrote to memory of 1696	2968	DEMD5B6.exe	37
PID 1696 wrote to memory of 2148	1696	DEM2AF7.exe	39
PID 1696 wrote to memory of 2148	1696	DEM2AF7.exe	39
PID 1696 wrote to memory of 2148	1696	DEM2AF7.exe	39
PID 1696 wrote to memory of 2148	1696	DEM2AF7.exe	39
PID 2148 wrote to memory of 2348	2148	DEM8018.exe	42
PID 2148 wrote to memory of 2348	2148	DEM8018.exe	42
PID 2148 wrote to memory of 2348	2148	DEM8018.exe	42
PID 2148 wrote to memory of 2348	2148	DEM8018.exe	42

C:\Users\Admin\AppData\Local\Temp\4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe
"C:\Users\Admin\AppData\Local\Temp\4e4010c3961d59d5236bd596364f21f54b7a0ee84959abd847a219be3f0771f6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\DEM2B83.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2B83.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\DEMD5B6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD5B6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\DEM2AF7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2AF7.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\DEM8018.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8018.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\DEMD53A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD53A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM80A5.exe

Filesize
15KB

MD5
442ed9059c90c6c38d48a1bc3171e36b

SHA1
d39a883f541235adc81854a3d3ebe3321ad815f0

SHA256
329c670d4a6e7c28a69dd52fa3805149c59491a100dae1f7a4035bc72b377b11

SHA512
d21612ae0e2c048e6ef5ce0f62a14de59e6e7ae9917e77c0c2b1e2babd2926d6aaa226408cf56b574a8a42d6b1506bdc31d09589015fbba3ab6cdfe2c68630d2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2AF7.exe

Filesize
15KB

MD5
719f37a07f07af20ae788e8019f4b656

SHA1
3d6cb19d2900ed34f130556e894610ab242d290b

SHA256
aa220989d0a56405dc628906359c30c555792aa945c70f081bdc7c99b0e0d044

SHA512
7139805e17ce43ee9437f1e22725f86d88b38c4bbcfc72bce4f24280313e28e6a4ec3c51c08880ec25ebae770a490eb43b36f2dd237a0b1781d369d4bbf02ac9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2B83.exe

Filesize
15KB

MD5
7034737f15c24a4a18ab11c20758413b

SHA1
2dd53ee2ac6bb791d0801356fc0066dfcbe73ebe

SHA256
f797816c910d8f22a710359f604ca980482b8ccaba11664a1132af1ebb6debe0

SHA512
d7192b619089927b30fe76c46c39f90150b9d9a0132cdc8716ca5650df3addd5ee5e4c570c93cdfa894b411647cab3b99176e5fbe68b0221cd3f680d810199f2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8018.exe

Filesize
15KB

MD5
19b6221c9a68af4c7435fb9f2a1f4ac1

SHA1
88ced4e5d63e947083d6877eef07f004260a92e4

SHA256
06aa6825808c7e33c590d68036920c5db4d65b1262123376136e6998ae19f52b

SHA512
d98040ad6cee9f265a95f0e4ff7eea77025ea59592b647d4a9dd594fbf3daed21dfac96b347c84e9a848e365b0efe6cf9e82d42c36c1a3b5a043087f1ad6dd88

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD53A.exe

Filesize
15KB

MD5
18f25e14cf63eb64576f4ef410533b41

SHA1
3bbbdb2dd532bd2c9d456a92157d3e83335db4da

SHA256
5738c0bd70b129b5045e64cd98583a39ebcfb089a1ebca76d79e655383d6307b

SHA512
db894ee0783e89c0056abc4d1cd0a94a4f354b1fcb693ecbb4f48ef98948e987f4db4ae7e29eb45bf96c54fc0738e32cb199b4474744d9abbd8db54bf59e8ccf

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD5B6.exe

Filesize
15KB

MD5
74a846e1b42338aff9a8d8fbf78ba232

SHA1
c3bdd59803fddd2c85683366a8772bc8f5291a21

SHA256
67cad5daf8814466dccb5af297ab5dca1ddd9bc7bf1a86db42ab74d54ce1241f

SHA512
98e7b24bb944dbf6793c03a41f41b7c525bcc23965770dced3f486d0be669eecdad121d48fc2677406531c579bbdcddb47a1dc9454b61831e21706a8c8216923

Download Submit

Analysis

Sharing