f6d46a99b34de23d3d1a7f150a5482154cbd0207284504d603ec29eff2161ec1

General

Target

731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
Size

16KB
MD5

de096a0b4d1e4ec6e1264561db544138
SHA1

bcad7bb9591ce4a46cb89b97038754774a84b04a
SHA256

731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2
SHA512

7d480a44b36a5a43fc22022205ac936216b6423e7d2fe4b224461fe544c53f55b2a6ced5746809b66672c8cf1a9ba2a57e679742db838b67137492d15ee1ffd6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY44EA1H:hDXWipuE+K3/SSHgxm5Z1H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2472	DEM9C9D.exe
2896	DEMF1DE.exe
2680	DEM470E.exe
1172	DEM9C20.exe
1540	DEMF122.exe
580	DEM4653.exe

Loads dropped DLL 6 IoCs

pid	Process
632	731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
2472	DEM9C9D.exe
2896	DEMF1DE.exe
2680	DEM470E.exe
1172	DEM9C20.exe
1540	DEMF122.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM470E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9C20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9C9D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF1DE.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2472	632	731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe	32
PID 632 wrote to memory of 2472	632	731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe	32
PID 632 wrote to memory of 2472	632	731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe	32
PID 632 wrote to memory of 2472	632	731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe	32
PID 2472 wrote to memory of 2896	2472	DEM9C9D.exe	34
PID 2472 wrote to memory of 2896	2472	DEM9C9D.exe	34
PID 2472 wrote to memory of 2896	2472	DEM9C9D.exe	34
PID 2472 wrote to memory of 2896	2472	DEM9C9D.exe	34
PID 2896 wrote to memory of 2680	2896	DEMF1DE.exe	36
PID 2896 wrote to memory of 2680	2896	DEMF1DE.exe	36
PID 2896 wrote to memory of 2680	2896	DEMF1DE.exe	36
PID 2896 wrote to memory of 2680	2896	DEMF1DE.exe	36
PID 2680 wrote to memory of 1172	2680	DEM470E.exe	38
PID 2680 wrote to memory of 1172	2680	DEM470E.exe	38
PID 2680 wrote to memory of 1172	2680	DEM470E.exe	38
PID 2680 wrote to memory of 1172	2680	DEM470E.exe	38
PID 1172 wrote to memory of 1540	1172	DEM9C20.exe	40
PID 1172 wrote to memory of 1540	1172	DEM9C20.exe	40
PID 1172 wrote to memory of 1540	1172	DEM9C20.exe	40
PID 1172 wrote to memory of 1540	1172	DEM9C20.exe	40
PID 1540 wrote to memory of 580	1540	DEMF122.exe	42
PID 1540 wrote to memory of 580	1540	DEMF122.exe	42
PID 1540 wrote to memory of 580	1540	DEMF122.exe	42
PID 1540 wrote to memory of 580	1540	DEMF122.exe	42

C:\Users\Admin\AppData\Local\Temp\731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe
"C:\Users\Admin\AppData\Local\Temp\731ec5dda7fcfc5bda31e8609ec286049d26fa12cf7707d50197a468590c2ee2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\DEM9C9D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9C9D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\DEMF1DE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF1DE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\DEM470E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM470E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\DEM9C20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9C20.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Users\Admin\AppData\Local\Temp\DEMF122.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF122.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\DEM4653.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4653.exe"
        7⤵
        Executes dropped EXE
        
        PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMF1DE.exe

Filesize
16KB

MD5
62097c983cf2c1fec7183777c5b14f78

SHA1
6e4d3255bd0fe7ac761931d5a0af428ed611cd96

SHA256
8175e5e4068570a9fddf73140a4d7854da0dd7e27a9faf6d5c010e0a57094779

SHA512
7cdf3917d905c82ad3aae9b3feeec1a580df79682db99a6634787a0f6cf448511c986471aead2ac197dbb9967e2ec3995caee63e11b6b1cb29f858169fb7a1fd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4653.exe

Filesize
16KB

MD5
a600127bf8e15b9aa02aff238f8123d9

SHA1
57626966c22f86ebb3d9eee273514b42a64e3789

SHA256
5911e553a6e53722816ddcd264f4a424bdc976d412035003bac32cf8f29f7ffd

SHA512
6d841d38d09e32011e4c9e95deb5b82209ee0717d594707d3277cb85da77fd7d6d22bba7487704b668ad5c26def0017e402127738bdff82ae4ecdd02031aa5ac

Download Submit
\Users\Admin\AppData\Local\Temp\DEM470E.exe

Filesize
16KB

MD5
deb89f21a4d47838f1c9a5c6fd0c927a

SHA1
a5d9ccee59139294c55fb9e566f76281b80434ab

SHA256
abbd77a745c2c2aac8812a07dc28773b3ee818d575497051d6cd09dbe003a6de

SHA512
0879d32f339a7aa908dcc3d84a24a79c116976fa813c967d2080c63f8b1d391984deaf9ccaecb2316dd33e74a495ba25ada1998f2fdb07a8b59f1800abe229ba

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9C20.exe

Filesize
16KB

MD5
9b06a97cfc6f9f04575a3d1debed51c2

SHA1
0d02609991f66aacc2da35339743ff451c4ab161

SHA256
877dfb08046a6584a994130a99e46ce93e500857f28ac663b834a2fa2470d209

SHA512
537855984fa2a6725bba9e3c1d8f702a72f3b2ed343c3900d1e21759c2dba5c100b0e009438ed44c44c7aacb05083de3bea2abc72541a0b1d7068d9aac17368f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9C9D.exe

Filesize
16KB

MD5
3357fe1c721f64c9b3632cacd818e019

SHA1
b9eac487c2414728ff90aa9864b28ee71e126728

SHA256
b363ac8f10e4872b80a9dc2b59a19e9498300713135c1cc129819d6140a134c4

SHA512
9a5201d2e2947515f0e7190c2bd4707029b38934ba2abdea37b13a7d893d0e4ed563fcccb3f776cd73c8ef08178c387a9fdcf36efcdc5f16e704e637217c6cf8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF122.exe

Filesize
16KB

MD5
8eb42cc16dc7e59ebe39018e3998e8ca

SHA1
40c7e1b8f799251a32efa4f1336497e2764a5057

SHA256
b317f71228e006391bd2dc1ec5d13d636c8a51af6fa6b4a5973372d0bf07a03f

SHA512
6779759e98ed369926bfcc8afd81966bc1a4aaaac5a68b95a9e80450eb7ca00aa139fc367f275e486890f9d589080bfd9ff45b9b5fb47ce033de08f55b95b012

Download Submit

Analysis

Sharing