af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6

General

Target

af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe
Size

16KB
MD5

a2615f7e4767c5cc075dd16a0d72fa7c
SHA1

eaca1d625ccbc9e4d13baa551d207ddd09d7753a
SHA256

af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6
SHA512

d5b3a48b09888480d0a8f9539c4d72c7844d14052c181dccb1812e9f8b889c8ba6ceeb4996a1cdaca11fae10ec752f937b46b1cf668d7dd6cd0fa096a56726c7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh3V:hDXWipuE+K3/SSHgx/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2996	DEMEFBC.exe
2720	DEM4615.exe
1724	DEM9D77.exe
2304	DEMF373.exe
2400	DEM4A1B.exe

Loads dropped DLL 5 IoCs

pid	Process
3004	af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe
2996	DEMEFBC.exe
2720	DEM4615.exe
1724	DEM9D77.exe
2304	DEMF373.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9D77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF373.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEFBC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4615.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2996	3004	af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe	30
PID 3004 wrote to memory of 2996	3004	af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe	30
PID 3004 wrote to memory of 2996	3004	af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe	30
PID 3004 wrote to memory of 2996	3004	af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe	30
PID 2996 wrote to memory of 2720	2996	DEMEFBC.exe	32
PID 2996 wrote to memory of 2720	2996	DEMEFBC.exe	32
PID 2996 wrote to memory of 2720	2996	DEMEFBC.exe	32
PID 2996 wrote to memory of 2720	2996	DEMEFBC.exe	32
PID 2720 wrote to memory of 1724	2720	DEM4615.exe	34
PID 2720 wrote to memory of 1724	2720	DEM4615.exe	34
PID 2720 wrote to memory of 1724	2720	DEM4615.exe	34
PID 2720 wrote to memory of 1724	2720	DEM4615.exe	34
PID 1724 wrote to memory of 2304	1724	DEM9D77.exe	36
PID 1724 wrote to memory of 2304	1724	DEM9D77.exe	36
PID 1724 wrote to memory of 2304	1724	DEM9D77.exe	36
PID 1724 wrote to memory of 2304	1724	DEM9D77.exe	36
PID 2304 wrote to memory of 2400	2304	DEMF373.exe	38
PID 2304 wrote to memory of 2400	2304	DEMF373.exe	38
PID 2304 wrote to memory of 2400	2304	DEMF373.exe	38
PID 2304 wrote to memory of 2400	2304	DEMF373.exe	38

C:\Users\Admin\AppData\Local\Temp\af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe
"C:\Users\Admin\AppData\Local\Temp\af3da9d88dade113d0ecc93b1a79c6db6e33ddf2ef2130ce64eaf7b32385abb6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\DEMEFBC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEFBC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\DEM4615.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4615.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\DEM9D77.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9D77.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\DEMF373.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF373.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\DEM4A1B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4A1B.exe"
        6⤵
        Executes dropped EXE
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4615.exe

Filesize
16KB

MD5
994ac5534cb2d8bc930a37ea9b7c4c2e

SHA1
5460f23f12367b53a52cc0b406328064e55410b5

SHA256
e595f4457bede667c090249c7ee95e487d70be139c5149997b69e5ff404d2b81

SHA512
dd55dacca44fa40005b68b43c8c011054067f73d2e5761c896c7d7b3bbaf1a9139acf24dfed5fa3b020990b30b9d3a7c4548cfb98ddcf3a4a06da00d5ab639d7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4A1B.exe

Filesize
16KB

MD5
98bd7a41c162c5846aa39d16eb763f43

SHA1
79406947b68102e23fb6a726226b4958f03a2747

SHA256
b433a7d98828ad2e967e94ce908fcc07462827d376b2e6c0ef1f94183e3cb27d

SHA512
15528965357378fe99f941146112fe0957d1595082a09519d4fa61cc786de6b3b8d4fe751dfc0fea924b60fb898fda12a4b3008da17d86fab9e10bea27cbf613

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9D77.exe

Filesize
16KB

MD5
d0f75bad8319ed856d02e5cc747d3e00

SHA1
33dfa9f849030900625f0982091d88d2848db62f

SHA256
f71024abf9bb39d8eb2feabba1f76e2e572561481b0acf49d1e29c8aea8148ec

SHA512
286bb974bdcdd8bdcddbc90cf8a1bae42e4aecb1467a81a4759ee40587ee3bc6df7e15c2d345f0bf8a72e2a7d1a21f390332cea9c812bb10c7bd02397d70b54c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEFBC.exe

Filesize
16KB

MD5
2a9419bb906f75d80a593d06b2e3dcbf

SHA1
3c0236a3e0a2de9d490a5852f799a5bfded919e7

SHA256
a940fb91a6bc8e8fdc4fd6a5a4e9a5e5fcf881eda2e5d1fcbf72813d7315df09

SHA512
e69ea9dc0c487c252544ea44c4240a75f3a80baa039aa148db5e38145b5831de9b0e2860a02614990e6bf947fcd94507f89babba7c8e6cc7d6fe261411879777

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF373.exe

Filesize
16KB

MD5
cb7eb9d902ed2a9d2cd2931ad1998c20

SHA1
005362a96370a210bd8296e67e5dc028013bf34a

SHA256
9547dcf3aa4a473e021aa15c168d28a35bc065ab3a96adf3c380799c849faf3b

SHA512
83836392d9133056f1ec3395751b2a2b251927bdc9f903f3431eef7c913d85a3fa621a82ea0887093c20466ee27c2d3bc3a3630134fc9000265fd20a306e04e0

Download Submit

Analysis

Sharing