8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1

General

Target

8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe
Size

16KB
MD5

98665a7df8a6deed28eff6c6cc856e7e
SHA1

3df80212cfca6d98a4ec48c4224a097ab97fe30a
SHA256

8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1
SHA512

684291cbd8c88bda833b69a3b1be4c182b589f616e5fdf0ca645eea56c07b8423f48da0163b760bf55317206c0dc40a47bbe57fb9d000bae395f31183f46270e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0Fg:hDXWipuE+K3/SSHgxm0W

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2560	DEMF0C5.exe
2624	DEM45F6.exe
2912	DEM9B55.exe
1400	DEMF103.exe
2900	DEM4634.exe

Loads dropped DLL 5 IoCs

pid	Process
2008	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe
2560	DEMF0C5.exe
2624	DEM45F6.exe
2912	DEM9B55.exe
1400	DEMF103.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF0C5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM45F6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9B55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF103.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2560	2008	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe	31
PID 2008 wrote to memory of 2560	2008	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe	31
PID 2008 wrote to memory of 2560	2008	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe	31
PID 2008 wrote to memory of 2560	2008	8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe	31
PID 2560 wrote to memory of 2624	2560	DEMF0C5.exe	33
PID 2560 wrote to memory of 2624	2560	DEMF0C5.exe	33
PID 2560 wrote to memory of 2624	2560	DEMF0C5.exe	33
PID 2560 wrote to memory of 2624	2560	DEMF0C5.exe	33
PID 2624 wrote to memory of 2912	2624	DEM45F6.exe	35
PID 2624 wrote to memory of 2912	2624	DEM45F6.exe	35
PID 2624 wrote to memory of 2912	2624	DEM45F6.exe	35
PID 2624 wrote to memory of 2912	2624	DEM45F6.exe	35
PID 2912 wrote to memory of 1400	2912	DEM9B55.exe	38
PID 2912 wrote to memory of 1400	2912	DEM9B55.exe	38
PID 2912 wrote to memory of 1400	2912	DEM9B55.exe	38
PID 2912 wrote to memory of 1400	2912	DEM9B55.exe	38
PID 1400 wrote to memory of 2900	1400	DEMF103.exe	40
PID 1400 wrote to memory of 2900	1400	DEMF103.exe	40
PID 1400 wrote to memory of 2900	1400	DEMF103.exe	40
PID 1400 wrote to memory of 2900	1400	DEMF103.exe	40

C:\Users\Admin\AppData\Local\Temp\8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe
"C:\Users\Admin\AppData\Local\Temp\8e9bc6f9b5e1dc695ed1f295cd9efac4ba884985962979e4b0977e2e8f62bfc1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\DEMF0C5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMF0C5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DEM45F6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM45F6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\DEM9B55.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9B55.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\DEMF103.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF103.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
      - C:\Users\Admin\AppData\Local\Temp\DEM4634.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4634.exe"
        6⤵
        Executes dropped EXE
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM45F6.exe

Filesize
16KB

MD5
1921884ac2fdb98721caddddb6d34e76

SHA1
1c9dc6e7d05585350e488c0af8387646e907972d

SHA256
4c5678db6e5fcd7b5f1189a2f5a9203ba0548d16c4d9a22ba4b0006937d8d56b

SHA512
c9e9b1eae4f62894e02198d5c9d1605001219189692ce431e614b424d76f152f05336c800841c5e8d9493914cafdc283ca3baf86878cca52a6d0f2f94480a2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF0C5.exe

Filesize
16KB

MD5
4d8cd6ed8c6b3b63af29254890fdd8ab

SHA1
c054f675a08c5dc8f879a3044a826cc7d247b6f1

SHA256
389bf92221bdc85b7da5d998f0ec333267b2074b927bfc7bc1140c03cf7f1d2a

SHA512
3e4400dae2fca4921cd0b3df12e2adc0d7d18b74f576ff4fd48bcd1b0f6beec0fc9468a1b6d8356bb2153937e52270af78ad781aa4e0abc21d0e057fb16cc379

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF103.exe

Filesize
16KB

MD5
605100f0f152f9066d2e70c7a9708677

SHA1
dd40b4df80bf67b80ac6eb870423e580b5cba34f

SHA256
379e9555e55888ec6558051daf4978d5146ea7a397d34997cb5a5716fa2ec5dd

SHA512
43371b0fb048e424a0bc63f13b59a66a45ba5999de749ff8384d4b61fcd2378d1e68f51c3b030ba97d428a4f1d528876964586a1bc34cedc9835b9d2fe7ccd1b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4634.exe

Filesize
16KB

MD5
dfa098e429d98f072d37ed76111fd758

SHA1
a24c3602eb1b72247c9bdca763b14eee7b253c12

SHA256
5c242dfdf7e4106c0a74bb52a01560d33c40e13df5836d5670372ae462b8c75b

SHA512
5b4e2e3a55461d4c2e0e292cf27054c655ed14b3eb57d6a043062e3b8d88d9c21f2daedef502639b9f68fe46232cc529a776dc41c2e65b6522d6aaaeb250f243

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9B55.exe

Filesize
16KB

MD5
998de33a63fd6898af2391674217f3cd

SHA1
a059e0fdc5b3fa511d4a2f4f9575cf39049245b5

SHA256
4df001a05adb08b57f7d068a8d5b60b007cccbe7f9e12cadff88b3ff1b2153aa

SHA512
895c1d36352d93662c18885d7170d403bb01460f2b479ed9f8413df8c5a4e122985639d1fe3bd903f6f71a7bda535b72c16a4a7bb80e8a128e7382bbcb37ef66

Download Submit

Analysis

Sharing