f3f2bf280118b51394bac97e52e499289020c0848c371c3c9a99bd465871f0d5

General

Target

84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe
Size

14KB
MD5

26758226b02b56428050b0913a798ba4
SHA1

97a5f45a20dfd52878fd76326d35ecf5334e36c2
SHA256

84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56
SHA512

c1837ea8cb4341868e7a061193993fce2fee6097816b4bdf64b3183d8d76eb5856860555f3eae68cacaace72f1a421e02f1cb8d3005c055eb056787f40719489
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYfso+:hDXWipuE+K3/SSHgxmft+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2376	DEME0CE.exe
2796	DEM3708.exe
2972	DEM8CD5.exe
572	DEME2A2.exe
1756	DEM3820.exe
2176	DEM8DED.exe

Loads dropped DLL 6 IoCs

pid	Process
1984	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe
2376	DEME0CE.exe
2796	DEM3708.exe
2972	DEM8CD5.exe
572	DEME2A2.exe
1756	DEM3820.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME0CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3708.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8CD5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME2A2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3820.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2376	1984	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe	32
PID 1984 wrote to memory of 2376	1984	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe	32
PID 1984 wrote to memory of 2376	1984	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe	32
PID 1984 wrote to memory of 2376	1984	84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe	32
PID 2376 wrote to memory of 2796	2376	DEME0CE.exe	34
PID 2376 wrote to memory of 2796	2376	DEME0CE.exe	34
PID 2376 wrote to memory of 2796	2376	DEME0CE.exe	34
PID 2376 wrote to memory of 2796	2376	DEME0CE.exe	34
PID 2796 wrote to memory of 2972	2796	DEM3708.exe	36
PID 2796 wrote to memory of 2972	2796	DEM3708.exe	36
PID 2796 wrote to memory of 2972	2796	DEM3708.exe	36
PID 2796 wrote to memory of 2972	2796	DEM3708.exe	36
PID 2972 wrote to memory of 572	2972	DEM8CD5.exe	39
PID 2972 wrote to memory of 572	2972	DEM8CD5.exe	39
PID 2972 wrote to memory of 572	2972	DEM8CD5.exe	39
PID 2972 wrote to memory of 572	2972	DEM8CD5.exe	39
PID 572 wrote to memory of 1756	572	DEME2A2.exe	41
PID 572 wrote to memory of 1756	572	DEME2A2.exe	41
PID 572 wrote to memory of 1756	572	DEME2A2.exe	41
PID 572 wrote to memory of 1756	572	DEME2A2.exe	41
PID 1756 wrote to memory of 2176	1756	DEM3820.exe	43
PID 1756 wrote to memory of 2176	1756	DEM3820.exe	43
PID 1756 wrote to memory of 2176	1756	DEM3820.exe	43
PID 1756 wrote to memory of 2176	1756	DEM3820.exe	43

C:\Users\Admin\AppData\Local\Temp\84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe
"C:\Users\Admin\AppData\Local\Temp\84558690339b20106c00579b28c8779ceb8bf31de983accbaf4466b551906a56.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\DEME0CE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME0CE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\DEM3708.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3708.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\DEM8CD5.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8CD5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\DEME2A2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME2A2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Users\Admin\AppData\Local\Temp\DEM3820.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3820.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\DEM8DED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8DED.exe"
        7⤵
        Executes dropped EXE
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3708.exe

Filesize
15KB

MD5
058bf932356925e4a0c161be4d40a32c

SHA1
bbe28a6c80f7975efa3fdf7fda1e560e857ccffd

SHA256
292681bbf2925ba6dffa60e75591ca9feb7cf1fc5c6443e0c511942687d9409b

SHA512
01d3ad96dfd75bd72b64988573042c76c156f611a45532cd7ce48899fc417f13ba42a1c5ed276d97b95e27db20ef512e11ec50ef650527c36fb127d36e82679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3820.exe

Filesize
15KB

MD5
8528c5496ffba969c8de218ead93f80a

SHA1
b93e60eff1f5e714b5264427ad093ff8fdc95f0f

SHA256
86a657a690e5531368f46ddda6aa23635c41d5b7218161882a6d1b33dbdef11b

SHA512
c5733ce08bbc631ee0c4439317766867901c493083d346f73df57c84331ac380c758cca29a45e62accf3218e1cf45abcefae4007941b963964bdc7a593c204ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8DED.exe

Filesize
15KB

MD5
1e27e810643e56eb256e40292c910168

SHA1
a914ffa6680870b53a2f97c78d4f26da883ce57d

SHA256
1f795a38da1fcef32fe95e2146725db6287ebc645f8968a3b326657e349f04f1

SHA512
b0686e7abf6a168a040e95b6742e7a8749781219b460916e5e659f94a2237eb534f6b0cc8876934b942e602a1fdebb409730692ec0ea1d9be882233a2b6ff796

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8CD5.exe

Filesize
15KB

MD5
0ddf69e8d8482cb3dfe732bfb882763a

SHA1
f983b90556cf17c4833e00ce5c8a8349c70e978e

SHA256
d64892cb74b6dad71f3e1449c9fa1e1693ec1849ea63518467d1732952782640

SHA512
1f11b0ba40e927316712def49a00987688f512902a6afac6895fae25328824cef1deae346a54a56ccc0768b3825205aa1d9ce2372c5edf01e398d485e11bc22c

Download Submit
\Users\Admin\AppData\Local\Temp\DEME0CE.exe

Filesize
15KB

MD5
ff8a7e2751b9c5741f5d9548ec77a9f8

SHA1
20c713e60d27dafe9ff1fb573a76b80d3fc82625

SHA256
abd909737a2d5afd19ad0e84851ca489fe76132fbb17cba397bb5d1be3dd7a69

SHA512
578996c09a52835db2600e2622c6f310735a866d9e1c26fd9981edb50d2d4cd30267a608b0efd8836ca289bb481d1d2a4ba513809fa98e1a355cad2c369576e9

Download Submit
\Users\Admin\AppData\Local\Temp\DEME2A2.exe

Filesize
15KB

MD5
fd459b1d64bc383ccc5cca310cbb43cd

SHA1
c4b49a3be18e8cde509abb25fe91a8de0da6706a

SHA256
ec55572c7e234866f7fbb129254aac184154f041e488d48e1fab4ae6aa8b2189

SHA512
0ad8d98fe6b9b5b2d60c33cf928eedf3f981c3232e0650be8ae8e1a29ef4489ba10a6522687c1df0f7495089a4ffbe172dc501bc7fa3ad946eaab4e9673f6079

Download Submit

Analysis

Sharing