e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df

General

Target

e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe
Size

15KB
MD5

81ed87a69f1718b501128ca25a56d6d3
SHA1

a3ba5dd346b3c296ba7d47e359c6c5db7809d6dc
SHA256

e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df
SHA512

787f953f6435cb69355e7ad3b1545d7b29773c67cfaaa7e0ac76305eadce87df37e0e525e15f9704f71ac98dab1612184e0f6ed85f6e30549c5d728f2e61a030
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhm:hDXWipuE+K3/SSHgxzm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1732	DEMDD45.exe
2664	DEM32E3.exe
2560	DEM8833.exe
1620	DEMDE00.exe
1956	DEM3350.exe

Loads dropped DLL 5 IoCs

pid	Process
2484	e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe
1732	DEMDD45.exe
2664	DEM32E3.exe
2560	DEM8833.exe
1620	DEMDE00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM32E3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8833.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDD45.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1732	2484	e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe	32
PID 2484 wrote to memory of 1732	2484	e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe	32
PID 2484 wrote to memory of 1732	2484	e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe	32
PID 2484 wrote to memory of 1732	2484	e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe	32
PID 1732 wrote to memory of 2664	1732	DEMDD45.exe	34
PID 1732 wrote to memory of 2664	1732	DEMDD45.exe	34
PID 1732 wrote to memory of 2664	1732	DEMDD45.exe	34
PID 1732 wrote to memory of 2664	1732	DEMDD45.exe	34
PID 2664 wrote to memory of 2560	2664	DEM32E3.exe	36
PID 2664 wrote to memory of 2560	2664	DEM32E3.exe	36
PID 2664 wrote to memory of 2560	2664	DEM32E3.exe	36
PID 2664 wrote to memory of 2560	2664	DEM32E3.exe	36
PID 2560 wrote to memory of 1620	2560	DEM8833.exe	39
PID 2560 wrote to memory of 1620	2560	DEM8833.exe	39
PID 2560 wrote to memory of 1620	2560	DEM8833.exe	39
PID 2560 wrote to memory of 1620	2560	DEM8833.exe	39
PID 1620 wrote to memory of 1956	1620	DEMDE00.exe	41
PID 1620 wrote to memory of 1956	1620	DEMDE00.exe	41
PID 1620 wrote to memory of 1956	1620	DEMDE00.exe	41
PID 1620 wrote to memory of 1956	1620	DEMDE00.exe	41

C:\Users\Admin\AppData\Local\Temp\e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe
"C:\Users\Admin\AppData\Local\Temp\e9650f6b6cc22034679308203d7d9fd97c5722571ec56b83e03d6a3903bdb7df.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\DEMDD45.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMDD45.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\DEM32E3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM32E3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\DEM8833.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8833.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\DEMDE00.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDE00.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\DEM3350.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3350.exe"
        6⤵
        Executes dropped EXE
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM32E3.exe

Filesize
15KB

MD5
075b55a92f5468038f865cd98841bfb8

SHA1
8e285e7f53792455115c0939b38df96973277e99

SHA256
e84ac1aa41768eb264fd3a2712f601846d56d5e8de47454169a3390eef9fb6bb

SHA512
3b1b30f162c23f12a103c87fec089ba3902a71943b7052deb2010db6482497420810881f6626b15968e489534059b58cade50d4dcac59325a9ed4284bc444c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDD45.exe

Filesize
15KB

MD5
b08edf4265c983d6c40b1f192ca8f330

SHA1
2eaa5d008f12de6fb3dba051b286c016ca9e0d7d

SHA256
49c0dde1e2d43059c997a278dc67a7020bcce07b4a45e49c37691ccfef89b309

SHA512
29b07f8744ea7bf3943a10c3385dcbbe28045c2cfdecaefdb38c01123ef53733f38e2672e388228a35f330f82b8680581224769170e73fcde99dcc9f01751be9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3350.exe

Filesize
15KB

MD5
0eda81e617be63cdecc0394a949b3e7b

SHA1
60d1637e50ac2ef8d1789615ac286da13dd5c258

SHA256
6fde95bf6c6f2aeedcce648d1a0c47268e4eed00047329939d136e9873642b9f

SHA512
c82a80791b3372860c4200320135707a57a2a62bc3b3b710d2171b8992acc40c2b761a53f6bc7ab8121893d746c72ce9e8b1f652ab783f64469d4b6cdbd8e3fb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8833.exe

Filesize
15KB

MD5
17c68d21a069a9fb27689faf1a8c9e99

SHA1
0d32c3e6208014a5852a470b0f1b2e7e7936f208

SHA256
4b571461ef94044b2b9e68285be58a6f9b58e25a9ea81524b3dbbdb8802a6aed

SHA512
0228d02b238387965711a3b51ac58c3d9cf0eeac0404c37d839b887b7ef40b3a38af17055b1e94a4ad2ce0e43dfaffad8558330b4b02827f958b4d95bffb24e2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDE00.exe

Filesize
15KB

MD5
919e0dcf287e2d7ee768b9f21d20f6d7

SHA1
81c9fec54a2f7dfc6ee6c1827782d3aa29e0bc55

SHA256
52b2e0ae1479e2740c3bf5f16a8f92b59d08e70fd175a0dd594e6d60ca886771

SHA512
d3d6a33d8d5e0f296602a9bd68b89f9e257d469c0afe52574112f1f79525ebefc4bce56410749ad8a112ede09a180c6e36cd34b05c4049cc22abfedc4da2ea99

Download Submit

Analysis

Sharing