115a26f15e50fb2b977785b0e735593e022c7c5471d5618e6c5ab5c362d0e711

General

Target

f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
Size

16KB
MD5

016ecdb9876c5124ed326acaebcf76c7
SHA1

866ceda0b453db4587f2d9e167ab6218462ca21d
SHA256

f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097
SHA512

e489c83ce455c93039be37d873c87a650847f0c635a65cf984d9b177a7898c787200d3c3f5a4621097604b234ce34fa8817fac795fd6b0f2a9d5161493e80aed
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYld:hDXWipuE+K3/SSHgxmld

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2708	DEMDD83.exe
1968	DEM32C4.exe
2868	DEM87C6.exe
1964	DEMDCE7.exe
2040	DEM3208.exe
1268	DEM8843.exe

Loads dropped DLL 6 IoCs

pid	Process
2196	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
2708	DEMDD83.exe
1968	DEM32C4.exe
2868	DEM87C6.exe
1964	DEMDCE7.exe
2040	DEM3208.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3208.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDD83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM32C4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM87C6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDCE7.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2708	2196	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe	32
PID 2196 wrote to memory of 2708	2196	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe	32
PID 2196 wrote to memory of 2708	2196	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe	32
PID 2196 wrote to memory of 2708	2196	f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe	32
PID 2708 wrote to memory of 1968	2708	DEMDD83.exe	34
PID 2708 wrote to memory of 1968	2708	DEMDD83.exe	34
PID 2708 wrote to memory of 1968	2708	DEMDD83.exe	34
PID 2708 wrote to memory of 1968	2708	DEMDD83.exe	34
PID 1968 wrote to memory of 2868	1968	DEM32C4.exe	36
PID 1968 wrote to memory of 2868	1968	DEM32C4.exe	36
PID 1968 wrote to memory of 2868	1968	DEM32C4.exe	36
PID 1968 wrote to memory of 2868	1968	DEM32C4.exe	36
PID 2868 wrote to memory of 1964	2868	DEM87C6.exe	39
PID 2868 wrote to memory of 1964	2868	DEM87C6.exe	39
PID 2868 wrote to memory of 1964	2868	DEM87C6.exe	39
PID 2868 wrote to memory of 1964	2868	DEM87C6.exe	39
PID 1964 wrote to memory of 2040	1964	DEMDCE7.exe	41
PID 1964 wrote to memory of 2040	1964	DEMDCE7.exe	41
PID 1964 wrote to memory of 2040	1964	DEMDCE7.exe	41
PID 1964 wrote to memory of 2040	1964	DEMDCE7.exe	41
PID 2040 wrote to memory of 1268	2040	DEM3208.exe	43
PID 2040 wrote to memory of 1268	2040	DEM3208.exe	43
PID 2040 wrote to memory of 1268	2040	DEM3208.exe	43
PID 2040 wrote to memory of 1268	2040	DEM3208.exe	43

C:\Users\Admin\AppData\Local\Temp\f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
"C:\Users\Admin\AppData\Local\Temp\f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDD83.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\DEM32C4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM32C4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\DEM87C6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM87C6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\DEMDCE7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDCE7.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\DEM3208.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3208.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\DEM8843.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8843.exe"
        7⤵
        Executes dropped EXE
        
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3208.exe

Filesize
16KB

MD5
0f3933e15b45687fb777a101c83a55d4

SHA1
d1b9a5ced7e815d8ab76b44f8f227f24a8cda3ef

SHA256
e7a5da9ab92f935e9399b837cd6c6dffa4a58321df301571125d03ed41ff1ab4

SHA512
45fe2fed38159bd13c69d7505d991fdfc7303ff84c17682ad94337ae1f630ce9839f4db1c2809f71e5f96da25537877dc6d724c7105e06747d98505de404b3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM32C4.exe

Filesize
16KB

MD5
32a23c8381240b7425b76ac0f20126a3

SHA1
c65fbf220060ceda524f04f21db747e355f92aba

SHA256
56a2a955ad0247ad8b5ebbf08bfb10ff7d92bf07a3b032b39848fb6e56a66e3f

SHA512
6c6f12dc84ffc5722de926a111d734b7f57d74be621b5b1908a5ec23354d10c8e192b317e7e1e17ccb180b489637a1e3d2b51abdba1e846f79b6201acf73699f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM87C6.exe

Filesize
16KB

MD5
f383fcab10f4b642288dbb308fc412cc

SHA1
2df407f41dd146839a7405985a39858c9cedbfa9

SHA256
52f0116abfdf0c687fc8a86907c268a62f037e94a2fcfba741154725d13c7f06

SHA512
32dd93fc3a8f38b3987f286a72c060cf7b20ea6346c8304afa930436002726b265ae9a95c9c0ab3644954d8cf8a64c9d6b9e5c3041ffa29a77bfbd0d6bcef6f2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8843.exe

Filesize
16KB

MD5
6a07000f2c230347ea8332c6fd10bf4b

SHA1
d226a0286293582de2d7faf9c4a6ce5b6b5adc0f

SHA256
b32bd180dc6473ea5ba184ab2173397fdbc72d7ba2a837f5fbb2e416bbcedbdb

SHA512
3602c0b21c8e59fc8107b1318c789723b5c0fb85f939fb3871a10b02b5c3b243480fa4c3e5c5c1fb91ed23ee00a3c19f7dcec79e9190207a16baaceed5d2ffe4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDCE7.exe

Filesize
16KB

MD5
069be68b5f968e230c4ee302db746d13

SHA1
f18ed1343f11c65941df18207fd0cd92506cd6a7

SHA256
f9b4c9c97559430c8acb416c1e1521163554536c339b262f368163bad8787ef9

SHA512
bd56dfbf8ca056321eac1c0dcad4a8ff6d951cdc643b7ec2921984b02d20cb2997df43fedc0308c5436c13fa0d5fa61ae6c4c1188c8466878440ba0377aa03fe

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDD83.exe

Filesize
16KB

MD5
8a146bb97037320c719d841ff446fcf5

SHA1
cf41de21fbfd1457b40e97ef6161844a2401709a

SHA256
bc318bbebb04ac31e2956da2daf085ae9a6173cbc81499ba2c6ddfa412d58005

SHA512
86ec77ba569daeba48fee42a8a06f2e93be1f23b82b87d8c77da545590c9e175b1e8ad43842767661c9f9f9db6a3857d0496756b4a19a3e2483d55dcee06eaef

Download Submit

Analysis

Sharing