1079163da0ce8224e90265f476771329276d2b2135c9df28720e85ee5bc608fa

General

Target

4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe
Size

14KB
MD5

36dfd2ae0756140df3f197a551c338eb
SHA1

f68fc3cc343b8df780b3e63162e79411f24c6921
SHA256

4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80
SHA512

cec3d2d0b1317d00281f9685bdd3c600540b7c83491351cf7f55ec7b721f0ebf0e8223023be494d691aa77300ad967e7e9ab11e887a8d6d2dbad83c6485ec265
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5RAnw:hDXWipuE+K3/SSHgxX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2220	DEMB50D.exe
2592	DEMA3E.exe
2848	DEM5F6F.exe
1800	DEMB4CE.exe
1624	DEMA3F.exe
2424	DEM5F7E.exe

Loads dropped DLL 6 IoCs

pid	Process
2296	4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe
2220	DEMB50D.exe
2592	DEMA3E.exe
2848	DEM5F6F.exe
1800	DEMB4CE.exe
1624	DEMA3F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB50D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA3E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5F6F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB4CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA3F.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2220	2296	4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe	32
PID 2296 wrote to memory of 2220	2296	4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe	32
PID 2296 wrote to memory of 2220	2296	4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe	32
PID 2296 wrote to memory of 2220	2296	4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe	32
PID 2220 wrote to memory of 2592	2220	DEMB50D.exe	34
PID 2220 wrote to memory of 2592	2220	DEMB50D.exe	34
PID 2220 wrote to memory of 2592	2220	DEMB50D.exe	34
PID 2220 wrote to memory of 2592	2220	DEMB50D.exe	34
PID 2592 wrote to memory of 2848	2592	DEMA3E.exe	36
PID 2592 wrote to memory of 2848	2592	DEMA3E.exe	36
PID 2592 wrote to memory of 2848	2592	DEMA3E.exe	36
PID 2592 wrote to memory of 2848	2592	DEMA3E.exe	36
PID 2848 wrote to memory of 1800	2848	DEM5F6F.exe	38
PID 2848 wrote to memory of 1800	2848	DEM5F6F.exe	38
PID 2848 wrote to memory of 1800	2848	DEM5F6F.exe	38
PID 2848 wrote to memory of 1800	2848	DEM5F6F.exe	38
PID 1800 wrote to memory of 1624	1800	DEMB4CE.exe	40
PID 1800 wrote to memory of 1624	1800	DEMB4CE.exe	40
PID 1800 wrote to memory of 1624	1800	DEMB4CE.exe	40
PID 1800 wrote to memory of 1624	1800	DEMB4CE.exe	40
PID 1624 wrote to memory of 2424	1624	DEMA3F.exe	42
PID 1624 wrote to memory of 2424	1624	DEMA3F.exe	42
PID 1624 wrote to memory of 2424	1624	DEMA3F.exe	42
PID 1624 wrote to memory of 2424	1624	DEMA3F.exe	42

C:\Users\Admin\AppData\Local\Temp\4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe
"C:\Users\Admin\AppData\Local\Temp\4b54baf3ec870bc96751bd8fa25ef2e2f2dc30f19f386ff446cdc7b251f06c80.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\DEMB50D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB50D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\DEMA3E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA3E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\DEM5F6F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5F6F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\DEMB4CE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB4CE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\DEMA3F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA3F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\DEM5F7E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5F7E.exe"
        7⤵
        Executes dropped EXE
        
        PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA3E.exe

Filesize
14KB

MD5
970a78a80d3dd886c430e7bb65a3e891

SHA1
9ed24c33cdd9a35551762971ce75b0d81e536214

SHA256
cab2175bddeb21e6b903aab19ffe89b5afa511b50061a58b57e5bc15787a213b

SHA512
d94e549108e5ff26a545e10ba7a5fc7c073ed5160e8311f793b44b73342e436fa34078fbdabdea821dc58d2773d8f3803f06524a5d7fd129ec91a49100b76b15

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5F6F.exe

Filesize
14KB

MD5
be1b7eed46acfc75e20ce6716c02d2b4

SHA1
24760df2aebd0c64167333bb581f6b6fdeb6dd5e

SHA256
b2fb807eafb9612981cd49e34d2bb2bc290b3fc986a191c03ea0319855d8a444

SHA512
5ec0e21e0fb34de95a60450ad8a9a4c75cd1ca9ddf52a214f9a8cb8ea422bfe0bec9572afa1b61912bc0fd363753291b8b08d235bde4d7f425374dfad43432d5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5F7E.exe

Filesize
14KB

MD5
a7ca54a6c058f8cc7d4ee36ee2f60f4c

SHA1
483b7736fd87a310e685191abbd23bbc4c1fee8f

SHA256
5f3904ad9ab7267b2a197d2f885857805c7295c9df5e4cf0908c256325f3ec1d

SHA512
e33dc36c1bb332755eab26cbd0ead191819170a344d03d3bf3ce9e243ab843ae3afe35d42aa9f5f3595c80d26325d8cf8d153637ae035f2a69a5cf22b50175c6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA3F.exe

Filesize
14KB

MD5
407f3e05d8316033aa78afd076156559

SHA1
b0dc1d0817e963246d7ae7df9721a42ea22c10ff

SHA256
b828f176a56fa7cdcdc50e85a12bc84befedd085fb583594bbb609cf6e9d28b2

SHA512
5dbdd52612bbe5955eeb29f81cd1f9cba35171dba2fee0dea1c010113f50cca3380843c7547cc3956afba18730eecc81d7d0918809139f680924d6a1da8ba4bf

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB4CE.exe

Filesize
14KB

MD5
ad815c8e738e94dc7a0603c7b82cb4c1

SHA1
1fec4f9e107a6381fe365f4d6986cd229dae50cf

SHA256
5d8f3b725948563b205c99106905a015f1fb54bec2e201cfe627189bc2727236

SHA512
72146d8e19df536714bd85101a1a5d9b643b6be7f1ae9c096b7a1006abd1805861ea1a044b7dc6f76cb9c9209a3efa73725cb4345cf8f7025da092b93285647f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB50D.exe

Filesize
14KB

MD5
d2f56aae45a79b5759a50f1081a192c6

SHA1
346a2363289a92be3d5bece8620ad1ad12b7eedf

SHA256
160e82952db0edf15d073779c7e90cf4252720844c63c1f12b378ccc51a5a358

SHA512
e67c0a1f0d4cd9bd3027f116c87b876b8bf1604d52be05333ccce48c292713d2dc6f8d9eabc2b6b8c5c6f71cb793dda86139fdadab7965b3825a7d93faf4fa7b

Download Submit

Analysis

Sharing