b2696ef9b38ab713dbd41fad108827df5bbc7b1d25b7e4cf4d6273c8fc73bd49

General

Target

20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe
Size

14KB
MD5

17855629d7298cba9723eecb307fd72a
SHA1

a863acd15ba0bed0d0182d058faa408f74fa4dfa
SHA256

20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22
SHA512

ab773410c9ba81d7c3fe7ad6603b8609155a2d7dee7a0c5c292e4c895287da157b0176a5b41c9e12cea0add2572d7e74537e01bdfeb97df3aa5e83c3cd024cd0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq44+:hDXWipuE+K3/SSHgxmq44+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1716	DEMBCE9.exe
2744	DEM1287.exe
1208	DEM67D7.exe
2996	DEMBD18.exe
1740	DEM1278.exe
2336	DEM67D8.exe

Loads dropped DLL 6 IoCs

pid	Process
2296	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe
1716	DEMBCE9.exe
2744	DEM1287.exe
1208	DEM67D7.exe
2996	DEMBD18.exe
1740	DEM1278.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBCE9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1287.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM67D7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBD18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1278.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1716	2296	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe	32
PID 2296 wrote to memory of 1716	2296	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe	32
PID 2296 wrote to memory of 1716	2296	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe	32
PID 2296 wrote to memory of 1716	2296	20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe	32
PID 1716 wrote to memory of 2744	1716	DEMBCE9.exe	34
PID 1716 wrote to memory of 2744	1716	DEMBCE9.exe	34
PID 1716 wrote to memory of 2744	1716	DEMBCE9.exe	34
PID 1716 wrote to memory of 2744	1716	DEMBCE9.exe	34
PID 2744 wrote to memory of 1208	2744	DEM1287.exe	36
PID 2744 wrote to memory of 1208	2744	DEM1287.exe	36
PID 2744 wrote to memory of 1208	2744	DEM1287.exe	36
PID 2744 wrote to memory of 1208	2744	DEM1287.exe	36
PID 1208 wrote to memory of 2996	1208	DEM67D7.exe	38
PID 1208 wrote to memory of 2996	1208	DEM67D7.exe	38
PID 1208 wrote to memory of 2996	1208	DEM67D7.exe	38
PID 1208 wrote to memory of 2996	1208	DEM67D7.exe	38
PID 2996 wrote to memory of 1740	2996	DEMBD18.exe	40
PID 2996 wrote to memory of 1740	2996	DEMBD18.exe	40
PID 2996 wrote to memory of 1740	2996	DEMBD18.exe	40
PID 2996 wrote to memory of 1740	2996	DEMBD18.exe	40
PID 1740 wrote to memory of 2336	1740	DEM1278.exe	42
PID 1740 wrote to memory of 2336	1740	DEM1278.exe	42
PID 1740 wrote to memory of 2336	1740	DEM1278.exe	42
PID 1740 wrote to memory of 2336	1740	DEM1278.exe	42

C:\Users\Admin\AppData\Local\Temp\20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe
"C:\Users\Admin\AppData\Local\Temp\20150c55b21cd08f2f2749837243a80b48de256f978849fe75fe1f542d965f22.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\DEMBCE9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBCE9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\DEM1287.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1287.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\DEM67D7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM67D7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Users\Admin\AppData\Local\Temp\DEMBD18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD18.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Users\Admin\AppData\Local\Temp\DEM1278.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1278.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\DEM67D8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM67D8.exe"
        7⤵
        Executes dropped EXE
        
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1287.exe

Filesize
14KB

MD5
c42633b7b0f2c0a3528cc88fd6b927e9

SHA1
6881a01e69a207e0f8d29e322dd9819e79a6729d

SHA256
daa3a42c93e02e4746855d39832349ee09c708582a84039466bf3992d2b72b19

SHA512
30f61cc220fa6c6004887f7a438488431074024d12b139ae70f78131d31397abd1a2ce38760457f12c64de3172b6d0255c66ad523e247c181d119cd0dd084c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBCE9.exe

Filesize
14KB

MD5
4ea0114ccf37ebf3aa9e2364703fa7c6

SHA1
2f90d8adcb771dcd10f8f93791f4ea12182d3de9

SHA256
95fe881117a0d975d6e42f2f7bb3cfda4d718cac3a98c6d10842060a1e795358

SHA512
57d424fa2ed38ca0a299827dedc82063af09c22d7f1a7218842d85f7c122573ef53edd06867527f634c9d608e933428c6aff7a1535a8a63be2560644ace33090

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1278.exe

Filesize
14KB

MD5
ff80d05b5f68d1e4b44f90aa93dc0c1a

SHA1
5ba2cc887bc53f69ce4dcb993b8602b5b53e1acb

SHA256
c918551aced145610892ce52396fb22108b2522b79b2aeb5df7c39edca9934c2

SHA512
63f265ca34a5f7dce7f6a9ac11cb348fb4e00dea8c60d8da88094229da1e4735cb1d1393aec891111b0f0a9b8bf3d74486f86c8d2200eb69b91b0bacdba65dc4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM67D7.exe

Filesize
14KB

MD5
bcf4b6b6ee43494fa74a5d8dc9134740

SHA1
17424cef971e66e69b2cbbdc550115cf0a0e9a02

SHA256
c0b72123cc8891b6881fc419d940eb0f67d0c89d23f10edff6ee1c24e556f741

SHA512
298d17e61651124b76fdf16a0a07104e9bcdbd7fcd66052f0a315e6e07db5b3b734cbc13aeb7f3967274ef80e62d612fc97707b99957fb333fd974773b7949af

Download Submit
\Users\Admin\AppData\Local\Temp\DEM67D8.exe

Filesize
14KB

MD5
2ad91840f13bd99fb981be75ba8a8a7d

SHA1
b711f250683b3631ed3c76b093d162c4b6607bf0

SHA256
dcd032521800499239de747dca444a433eee1b67edea76705de1053b6972260e

SHA512
670254804515bf785f97fc7d6d2a1f845b68473f113c1752a852cc38e0ca12c7d15fbdf35a1d0918e24e72164c3bb4117d2b764f0ad49cb88a2507d0fb031439

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD18.exe

Filesize
14KB

MD5
835a23ccf7e9b054703f1956ca3d5e70

SHA1
3de1e1f59296d2d031354d4301fee8ae5317808c

SHA256
4912ae4249aaa18c93d8d0610c67374251fb2ae41097d8fc305542da3a0ca6a2

SHA512
4d1f34017e5cb7b6fe810fd2da6cc8b29c9c033bc1a368e549996c1583df8fc0d5ec7bd07064ece83c11f88ac1569f53497a490e1303ee0241426853dd246015

Download Submit

Analysis

Sharing