f63390d8a7c47295bfe5ec980bf05e45f5267e223d3c1d4ded153e8c348e68ee

General

Target

d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe
Size

16KB
MD5

9e46230c789b8a09fcac100c09cb3582
SHA1

75665fb2aa80eb940ce9d6f51e23fa9c38e34a38
SHA256

d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2
SHA512

bbf6232f1981e255e27c40e9b554dd2f4801b89180bd0fed16a53a74546814cc4ae2d0af95ce8cda3d28b9b0121184ecc983eb8f7213c339ba04c66bb96fe667
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYETPq:hDXWipuE+K3/SSHgxmOy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2868	DEM66AF.exe
656	DEMBC5D.exe
2124	DEM119D.exe
1396	DEM66DE.exe
760	DEMBBD0.exe
2312	DEM10E2.exe

Loads dropped DLL 6 IoCs

pid	Process
2848	d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe
2868	DEM66AF.exe
656	DEMBC5D.exe
2124	DEM119D.exe
1396	DEM66DE.exe
760	DEMBBD0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM119D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM66DE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBBD0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM66AF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBC5D.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2868	2848	d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe	31
PID 2848 wrote to memory of 2868	2848	d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe	31
PID 2848 wrote to memory of 2868	2848	d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe	31
PID 2848 wrote to memory of 2868	2848	d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe	31
PID 2868 wrote to memory of 656	2868	DEM66AF.exe	34
PID 2868 wrote to memory of 656	2868	DEM66AF.exe	34
PID 2868 wrote to memory of 656	2868	DEM66AF.exe	34
PID 2868 wrote to memory of 656	2868	DEM66AF.exe	34
PID 656 wrote to memory of 2124	656	DEMBC5D.exe	36
PID 656 wrote to memory of 2124	656	DEMBC5D.exe	36
PID 656 wrote to memory of 2124	656	DEMBC5D.exe	36
PID 656 wrote to memory of 2124	656	DEMBC5D.exe	36
PID 2124 wrote to memory of 1396	2124	DEM119D.exe	38
PID 2124 wrote to memory of 1396	2124	DEM119D.exe	38
PID 2124 wrote to memory of 1396	2124	DEM119D.exe	38
PID 2124 wrote to memory of 1396	2124	DEM119D.exe	38
PID 1396 wrote to memory of 760	1396	DEM66DE.exe	40
PID 1396 wrote to memory of 760	1396	DEM66DE.exe	40
PID 1396 wrote to memory of 760	1396	DEM66DE.exe	40
PID 1396 wrote to memory of 760	1396	DEM66DE.exe	40
PID 760 wrote to memory of 2312	760	DEMBBD0.exe	42
PID 760 wrote to memory of 2312	760	DEMBBD0.exe	42
PID 760 wrote to memory of 2312	760	DEMBBD0.exe	42
PID 760 wrote to memory of 2312	760	DEMBBD0.exe	42

C:\Users\Admin\AppData\Local\Temp\d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe
"C:\Users\Admin\AppData\Local\Temp\d72e82a9bbbb97a0dc79a669c2f0e1e0b9ec7d6fb2bb2e71056fdf7e07d223c2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\DEM66AF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM66AF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\DEMBC5D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBC5D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Users\Admin\AppData\Local\Temp\DEM119D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM119D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\DEM66DE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM66DE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Users\Admin\AppData\Local\Temp\DEMBBD0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBBD0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe

Filesize
16KB

MD5
84cf946d6fc714ffcc50744fe6a71ae7

SHA1
f260119cf54243e7765e122480fb41cf7ac9d8f6

SHA256
470b210b5fb8c13fe41ee1b0e966ff00052c6b22587ad3c604581f77fb55377a

SHA512
0820ca6d6a866444147c832cdc0a5852f1c6d3dcef3093007de12127fd724c0a2729a99e4d30dc33972959c983224b0a59c7056ef7f8f9163ef37898fe539fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM66DE.exe

Filesize
16KB

MD5
13a79caa98d8904b4208e782284449b8

SHA1
e76c4bed0e4eedd575a1b2d52c9f0c0e35f95482

SHA256
d305be573f5826430b7f00def5266a1c264f7f48d8cbd7ca70d20dd99f718063

SHA512
25e5ec6319a95dcc03870bca08803b29ec0911623ba358f20ce46d82daf84f6573487a4004b33cb877d859c8266e43032011f0c4888257461c97efd7f33b803c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBBD0.exe

Filesize
16KB

MD5
ae283e496a558fbcf2bce363a99b318e

SHA1
d55db6c6920c3cf8640d9cfca1b736d4f76a2c73

SHA256
e8eb0ed19d0d9f094a58049255ddd1bc804ef8e11e110455da8ca895ad731054

SHA512
b387f74ee5f3f9315c1b021d8be9edafe31964e0d52677fd8b03741d509c259a7e9ba14428c9887e7886d2a0a0cabf9d06807c8a59410f63c9fe3a302149e6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC5D.exe

Filesize
16KB

MD5
ff133271c54a40c1e5ecdfeb5f39de86

SHA1
12a423ab23f76480b7a84816ef13439927cd00f3

SHA256
35b65260549b47a4622db121f0fd676eb37b6a75f1ee98ef9b0d60943b1b2646

SHA512
3a0fb2875243394ab2a72e087a2c9462a8f41db95dfc041201dd978a33ba413e5f4a2b4a17b538f7e2351c11d519c6c71d1f0f4da19fb9f70a80fff7d9ad7b2f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM119D.exe

Filesize
16KB

MD5
36c83d28df67f697f78154760af8985d

SHA1
c8027dc29aa24fd50e0274405aa5bee391ea52a0

SHA256
3c8d931896b1d0e3478190b1df83354bf3397f5c36a1f9464a906bef47e3de2f

SHA512
3481ad8bab49493e9c8e430043b2ecaa3152b8c29fa47bce3d7238574b49f7b8a0d879fc24cb236f34ba4a331ea32ad033f961c4d1729452e45d675211c445d9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM66AF.exe

Filesize
16KB

MD5
f62adfeabd081cdee2cd75f253c572b4

SHA1
7fb306657408f522ad873d378ccd03148f02505e

SHA256
919a7335fa58c4e6a1bb0444e9c4d1427ccbb3427be8130e7e2fe9afe1db60d3

SHA512
3b1854637a6a079e8639f7ab9524a43d9c5951aeffe7499765de771ae3ecdfe5598df0d89e1be276d5a98239ae1a40527689f2cbd105ead0c949d82b982dbc0e

Download Submit

Analysis

Sharing