9042ea5650fa90f9e763146070e00fbbee66b1b188588e2b90bd4cfdcaa12fea

General

Target

30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe
Size

15KB
MD5

07682186ff5262862afd6db66e24c618
SHA1

ca2b56db50e2ea8fbb8dcfde5fa42d4937fbf842
SHA256

30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743
SHA512

d52cb3ee0e2f33bf518cebc079c2e1ad4b105d47d7d9252d3bd425ba1c09e231c5359f37a3498c9b2ee51544c66552f7cc7f7a7bd2e11115b776cbed9ef0f1d5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cn/H:hDXWipuE+K3/SSHgx//H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2752	DEM44DD.exe
2908	DEM9C6E.exe
936	DEMF2F6.exe
640	DEM497E.exe
1656	DEM9FE7.exe
2864	DEMF70C.exe

Loads dropped DLL 6 IoCs

pid	Process
3064	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe
2752	DEM44DD.exe
2908	DEM9C6E.exe
936	DEMF2F6.exe
640	DEM497E.exe
1656	DEM9FE7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM44DD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9C6E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF2F6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM497E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9FE7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2752	3064	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe	31
PID 3064 wrote to memory of 2752	3064	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe	31
PID 3064 wrote to memory of 2752	3064	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe	31
PID 3064 wrote to memory of 2752	3064	30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe	31
PID 2752 wrote to memory of 2908	2752	DEM44DD.exe	33
PID 2752 wrote to memory of 2908	2752	DEM44DD.exe	33
PID 2752 wrote to memory of 2908	2752	DEM44DD.exe	33
PID 2752 wrote to memory of 2908	2752	DEM44DD.exe	33
PID 2908 wrote to memory of 936	2908	DEM9C6E.exe	35
PID 2908 wrote to memory of 936	2908	DEM9C6E.exe	35
PID 2908 wrote to memory of 936	2908	DEM9C6E.exe	35
PID 2908 wrote to memory of 936	2908	DEM9C6E.exe	35
PID 936 wrote to memory of 640	936	DEMF2F6.exe	37
PID 936 wrote to memory of 640	936	DEMF2F6.exe	37
PID 936 wrote to memory of 640	936	DEMF2F6.exe	37
PID 936 wrote to memory of 640	936	DEMF2F6.exe	37
PID 640 wrote to memory of 1656	640	DEM497E.exe	40
PID 640 wrote to memory of 1656	640	DEM497E.exe	40
PID 640 wrote to memory of 1656	640	DEM497E.exe	40
PID 640 wrote to memory of 1656	640	DEM497E.exe	40
PID 1656 wrote to memory of 2864	1656	DEM9FE7.exe	42
PID 1656 wrote to memory of 2864	1656	DEM9FE7.exe	42
PID 1656 wrote to memory of 2864	1656	DEM9FE7.exe	42
PID 1656 wrote to memory of 2864	1656	DEM9FE7.exe	42

C:\Users\Admin\AppData\Local\Temp\30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe
"C:\Users\Admin\AppData\Local\Temp\30268acb928dd799b1ccfab33f9e91d75a6518725d50dabf2704299f48a8b743.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\DEM44DD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM44DD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\DEM9C6E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9C6E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\DEMF2F6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF2F6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Users\Admin\AppData\Local\Temp\DEM497E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM497E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\DEM9FE7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9FE7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\DEMF70C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF70C.exe"
        7⤵
        Executes dropped EXE
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9C6E.exe

Filesize
15KB

MD5
1ae3bf852f977272942d6ca994fef7ea

SHA1
becba9e2566cb8aadd571bf49a5ae8e6f8725b3e

SHA256
f9a72e018b06d5af92db8375f4cc77e041c8f14798577ce331063b4e00aadd5a

SHA512
0ef08c23c219a58ff0c4daa5dba79f9837677a8576a51ae97bc28962962602e10a9e47c7cb3d61715a1a3c1acf430e60568bd99bbb0ae3fe6f2e10628def1208

Download Submit
\Users\Admin\AppData\Local\Temp\DEM44DD.exe

Filesize
15KB

MD5
69ebba48689e3157a64c97af896b9f68

SHA1
1a7f2aad783d1aa18f3afd6dd84d3a28b092484d

SHA256
bd23d024872c63c94a5f97b4d64b4b78e36000bad1f46087e57ba2ca6ed02c32

SHA512
8e35fe2f1767a9089533877ec315826013f3750b1e3aa19b16fa6193cc7556c3c6b31a67629d81e4b43050866a2526e8ba88f2c5399d8a2b4db28e870141ce1e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM497E.exe

Filesize
15KB

MD5
786a69b2dca869c471f4c06c07d37660

SHA1
0257a8ac18c14b2dcf67bfc6c7006c703df4fd37

SHA256
f3ef9a995e7da28cabdee21ec33cc336ecb3cb2b8f48d02c7b37f61b11f914c9

SHA512
ef86771e5d49ce11be340891e7a997f48d17f80d146d874b674155ceaab023a94158a66f93670f175b7e2731bbbd920c202af834cb2e46e857e2a3b3497fe4c3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9FE7.exe

Filesize
15KB

MD5
f6c186b0d9bec800d6f6cb95d0800a5e

SHA1
3a6f1223de4fbeab0eeee45e821aceac292a8795

SHA256
d0b2a2206893229250aa26ed25a65de6c6dd056c667595372514b55bd257f864

SHA512
550d538dec043561232463fe3bfc7727f4c32b9e45bd858cb68f69d855f1c7710d1570c15debe70226f31a9a9a76299291168eb3628ca1c07f83d442d26a98b4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF2F6.exe

Filesize
15KB

MD5
02694b988ef0fb0ee37bc3f1d6047d78

SHA1
534c04c7ef516ebdd377059251963d69ed5ad121

SHA256
9a3453423175fddb7b397096cb09e9e50dbfc0c2210e0a9fd5fe107ac864ba03

SHA512
5d526accd83f5407c70c1f91c60e777b44301ba8da29f6fbd25170766f09e2f9685ca16770eb2d70e661753fa84f3882403f9ec113ae46f60231447a8626df07

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF70C.exe

Filesize
15KB

MD5
4c4c40183365c1b4fb441161939a9e75

SHA1
156d7c51f1d0f63d97c26ad3cdddb4011c8da522

SHA256
348b0b31df1a69fc390c882f6ae1554d4ed6eca55224bdd7773abdacc96d0419

SHA512
6d48bf5a4614660c2705370492e2ceb3ba0f60db52066f7c941e94a4b57e11d4de00e8a13725f83e614159ed01d50be29731c2ae6ad449f42c4dfef37228630f

Download Submit

Analysis

Sharing