003291b532c939c57beb986b7c9eb8dad307832000680ac66136c2c88015e3e2

General

Target

1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
Size

16KB
MD5

cc469f137221fe0f88526c416d767d46
SHA1

adaf54c0a7d8eec727b7668d01089ff87c9cb744
SHA256

1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6
SHA512

40d355a5e683fb0f534259dcc6e8f8016594aba6b03ff6b29ce75cb8ad5b9a93330637c345e01f821e5336c0e9978d553eb2a87d9fabd787443a5928735aa1f6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlF:hDXWipuE+K3/SSHgxmlF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2140	DEMEABC.exe
2804	DEM401C.exe
2580	DEM959B.exe
860	DEMEB49.exe
2604	DEM406A.exe
988	DEM95CA.exe

Loads dropped DLL 6 IoCs

pid	Process
1780	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
2140	DEMEABC.exe
2804	DEM401C.exe
2580	DEM959B.exe
860	DEMEB49.exe
2604	DEM406A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEABC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM401C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM959B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEB49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM406A.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2140	1780	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe	32
PID 1780 wrote to memory of 2140	1780	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe	32
PID 1780 wrote to memory of 2140	1780	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe	32
PID 1780 wrote to memory of 2140	1780	1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe	32
PID 2140 wrote to memory of 2804	2140	DEMEABC.exe	34
PID 2140 wrote to memory of 2804	2140	DEMEABC.exe	34
PID 2140 wrote to memory of 2804	2140	DEMEABC.exe	34
PID 2140 wrote to memory of 2804	2140	DEMEABC.exe	34
PID 2804 wrote to memory of 2580	2804	DEM401C.exe	36
PID 2804 wrote to memory of 2580	2804	DEM401C.exe	36
PID 2804 wrote to memory of 2580	2804	DEM401C.exe	36
PID 2804 wrote to memory of 2580	2804	DEM401C.exe	36
PID 2580 wrote to memory of 860	2580	DEM959B.exe	38
PID 2580 wrote to memory of 860	2580	DEM959B.exe	38
PID 2580 wrote to memory of 860	2580	DEM959B.exe	38
PID 2580 wrote to memory of 860	2580	DEM959B.exe	38
PID 860 wrote to memory of 2604	860	DEMEB49.exe	41
PID 860 wrote to memory of 2604	860	DEMEB49.exe	41
PID 860 wrote to memory of 2604	860	DEMEB49.exe	41
PID 860 wrote to memory of 2604	860	DEMEB49.exe	41
PID 2604 wrote to memory of 988	2604	DEM406A.exe	43
PID 2604 wrote to memory of 988	2604	DEM406A.exe	43
PID 2604 wrote to memory of 988	2604	DEM406A.exe	43
PID 2604 wrote to memory of 988	2604	DEM406A.exe	43

C:\Users\Admin\AppData\Local\Temp\1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
"C:\Users\Admin\AppData\Local\Temp\1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\DEMEABC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEABC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\DEM401C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM401C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\DEM959B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM959B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\DEMEB49.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEB49.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\DEM406A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM406A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\DEM95CA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM95CA.exe"
        7⤵
        Executes dropped EXE
        
        PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM401C.exe

Filesize
16KB

MD5
84bf13208fdf63e72428ded3e19adb44

SHA1
8448bdda30c2cf8c894c0ec7f5808351da86d221

SHA256
ee15182c82936e5572844a102fc22a9269ecd350458942b681949d5295122a06

SHA512
3cf25b4d780bfe9d7886ec4cc0efc012b7247008b43fc94421fa900924a8007a3607310504cf5c26ff48c96d12350d7c3f4358b3b9813eec1bf13b9921371fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM95CA.exe

Filesize
16KB

MD5
551db657fabb817106110ebf15188323

SHA1
f8cdac91016e6c38204d118b811e90c9a489af0a

SHA256
263ab3b39367f36a7be30cdd847992186676ad38b7ec789b3d82b96d9bed00a2

SHA512
ab6fbf4755803e3832e0cf1fccf606d1eb1be53ce60e2ac6a5c24c9086c3458d134462eb7dc92e40f682f6ee95488e567475253292bdccb165af1c4bb70a8210

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEB49.exe

Filesize
16KB

MD5
fad11a578918010f4d66ee938ef6f6af

SHA1
1747ae191e8ef3f9bec938d9d1a3741d011849b5

SHA256
3f5f9b1257959e070b7e4f3474aeb6dd9b4915db18499a3698f76a586ba04337

SHA512
141a4e0ec321f3d56446055be71d1c2c55ca142d8f837b4c97e626e069b49bedab908fc3a567a72f6d3fc13a03dd84f96bb9bb3667aacb2cf8b9bf2120953921

Download Submit
\Users\Admin\AppData\Local\Temp\DEM406A.exe

Filesize
16KB

MD5
5b5dced2aeb40018a3c103cfab507bc0

SHA1
a2e7f2cf7e769973fbd49428e50363de46e59e16

SHA256
88e1e0a40f31e3fb50c5b74559cb911bef903e82ffd8597e9962314486130b3f

SHA512
45239c0cae332175d41a8ee174fbd39ba535ebc23eda2a0feb4f73613e8a969851afa678348c72f0ecfac96da39f35fe3e4d0f3b98fd28858f48c98e4479ab87

Download Submit
\Users\Admin\AppData\Local\Temp\DEM959B.exe

Filesize
16KB

MD5
bf77f2300d448be3586d9f187a17c452

SHA1
d2061d05dec6040c2df6b5222197d605331370e6

SHA256
f95da049e3a05c232c798dcd3927526df2ab006a6b4c4a3c2f9e9ed8ab4305d5

SHA512
f5ed98d422a5a0121f637476ae6c31897b8c627ec2926139bb2d505f25967d2dbb5e2d342b1b76ecb445d84f4494b5cbe50881606279fb2a3291b1515568149c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEABC.exe

Filesize
16KB

MD5
375a12e62fe76c048eb944458b2b193f

SHA1
101c95449be7d522493b23a126f34a4a96695c02

SHA256
4ec67bbe4c2ae04e807aeef6ee2c63a1040c506ca5b7a9d48e04e9b201dbfcd7

SHA512
fba599b683a0a4f2ca795361a6061ec87472afbe7da297d51032c4d507b6cc14b1230780a104171306a9a1863fe14635b7277022ec77e8712c525da143adb037

Download Submit

Analysis

Sharing