85f278c60a58914d77179ed82365c7ebb14fd89cda8d53a049183b8e93d7931d

General

Target

7ec4bf415fb1522e9cfa926be354b240N.exe
Size

15KB
MD5

7ec4bf415fb1522e9cfa926be354b240
SHA1

cec345a68f3e8e448d2f2b9deff0ebabd41b7ec2
SHA256

85f278c60a58914d77179ed82365c7ebb14fd89cda8d53a049183b8e93d7931d
SHA512

27568c94d51b1835603836f981a051ff62bee2bf872cbeae0cc9b97a2d3434c501887e3bd1def20958a3714f1079ab3f50455470fc643d4b33ea08800629e828
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl/:hDXWipuE+K3/SSHgxml/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2288	DEMB145.exe
2756	DEM676.exe
300	DEM5BA7.exe
1680	DEMB136.exe
1056	DEM6F3.exe

Loads dropped DLL 5 IoCs

pid	Process
2568	7ec4bf415fb1522e9cfa926be354b240N.exe
2288	DEMB145.exe
2756	DEM676.exe
300	DEM5BA7.exe
1680	DEMB136.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB145.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM676.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5BA7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ec4bf415fb1522e9cfa926be354b240N.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2288	2568	7ec4bf415fb1522e9cfa926be354b240N.exe	32
PID 2568 wrote to memory of 2288	2568	7ec4bf415fb1522e9cfa926be354b240N.exe	32
PID 2568 wrote to memory of 2288	2568	7ec4bf415fb1522e9cfa926be354b240N.exe	32
PID 2568 wrote to memory of 2288	2568	7ec4bf415fb1522e9cfa926be354b240N.exe	32
PID 2288 wrote to memory of 2756	2288	DEMB145.exe	34
PID 2288 wrote to memory of 2756	2288	DEMB145.exe	34
PID 2288 wrote to memory of 2756	2288	DEMB145.exe	34
PID 2288 wrote to memory of 2756	2288	DEMB145.exe	34
PID 2756 wrote to memory of 300	2756	DEM676.exe	36
PID 2756 wrote to memory of 300	2756	DEM676.exe	36
PID 2756 wrote to memory of 300	2756	DEM676.exe	36
PID 2756 wrote to memory of 300	2756	DEM676.exe	36
PID 300 wrote to memory of 1680	300	DEM5BA7.exe	38
PID 300 wrote to memory of 1680	300	DEM5BA7.exe	38
PID 300 wrote to memory of 1680	300	DEM5BA7.exe	38
PID 300 wrote to memory of 1680	300	DEM5BA7.exe	38
PID 1680 wrote to memory of 1056	1680	DEMB136.exe	40
PID 1680 wrote to memory of 1056	1680	DEMB136.exe	40
PID 1680 wrote to memory of 1056	1680	DEMB136.exe	40
PID 1680 wrote to memory of 1056	1680	DEMB136.exe	40

C:\Users\Admin\AppData\Local\Temp\7ec4bf415fb1522e9cfa926be354b240N.exe
"C:\Users\Admin\AppData\Local\Temp\7ec4bf415fb1522e9cfa926be354b240N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\DEMB145.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB145.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\DEM676.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM676.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\DEM5BA7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5BA7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:300
    - - C:\Users\Admin\AppData\Local\Temp\DEMB136.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB136.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Users\Admin\AppData\Local\Temp\DEM6F3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5BA7.exe

Filesize
15KB

MD5
b913528b503ddc81da0d0749c48e4dd2

SHA1
a1f264a48498e21b58c68fd6efdb8bc45bb186ca

SHA256
b578c106c4996ff335cb9bebab8db2690a2032d6b6cd89082385504ba4a08c3a

SHA512
878d88f1ffe6a3f9c8cbe74a8b135321d8eab4d0b83f0a8f2b1470a8912294676e0952da62328a308207434312f4ff8078f0b91e92634986aad9ef3b159a88fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM676.exe

Filesize
15KB

MD5
0bbd09998df7bd4101046b33a89beebc

SHA1
c5580f1bd00902159deeaf01f3b0a512783403dc

SHA256
c5c6c49214716b163167aa9ac3102ff78c74b0c6419c90ff20d71de4d4791658

SHA512
b0718047b6aaa0bb97096cdb77605033ec1750ea11d38972d635a9cdbf237129b31ff2948aecb2ae6326922aa8a7c764c50bab2a1de9ec725fe9175ef1f5a89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6F3.exe

Filesize
15KB

MD5
5b5475db76dd02ca2fdfc0822f2808e3

SHA1
3b3eacc7c53f5b9013bd60b8b5e865b570740a6b

SHA256
aa05879f7fe7b73d8df3c28e7f7632f6e6173c7038760081b6e392dedcd3e1d3

SHA512
f72ef66a0a8c5d732b44f2376f5dbdd66adae9ed774d3b5ca430cce11c036144bc8d99e636364ed853560e8780c1bb7a16b4caa859c621f306c7adf1e43aaec1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB136.exe

Filesize
15KB

MD5
02befbd466f9ff39b3daf9e9073389ba

SHA1
678da6338dc86d79d4bc548a3ff78b7e2a921ec4

SHA256
2ab91624e21eefd2c7451654be079cb094b101ba78a438cc361c1f0ae2e708b3

SHA512
6eb8731386a29236cb9d8b168674fb5e1c125e87ccd7f4aec6fa7e2ca1f714ff9800383f1ef80ec524acae03baed3fd8d9ffc83167d2d36024211030125d0ff7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB145.exe

Filesize
15KB

MD5
e8d4f2247ac3c6b333bf852871d65239

SHA1
c091bf94d48472e3fd80a614aca1fa5418006347

SHA256
f3c85e710b19c1b098b55c6b8f6470ac0502f556edd2a5e5228ec9eb42eb3816

SHA512
5c8dd61c6c01989dd0787a398a4ee5e7449a6db323798fa0f529f6cb514527f939b8326273c1603124fc9dfd85db0a16521abf63e3522b1373f08ba814161ea4

Download Submit

Analysis

Sharing