b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b

General

Target

b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe
Size

20KB
MD5

cf7d8724ad2ffd991f888484957d0134
SHA1

3b8fd14a4d948460b7a7f061658bf7502c79d9d2
SHA256

b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b
SHA512

898daf29a95e588c5e1a7c62058ad5e079f79bd6426b273ec52de305be7f622dca33ec6d6e2f5cf24e61b1ea985b3373bead8fc224dda9a5e23ed45bf611964f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Ar5:hDXWipuE+K3/SSHgxmHZAt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2668	DEM675B.exe
572	DEMBC8B.exe
2344	DEM118E.exe
2904	DEM671C.exe
1152	DEMBC8C.exe

Loads dropped DLL 5 IoCs

pid	Process
2876	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe
2668	DEM675B.exe
572	DEMBC8B.exe
2344	DEM118E.exe
2904	DEM671C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM675B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBC8B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM118E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM671C.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2668	2876	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe	31
PID 2876 wrote to memory of 2668	2876	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe	31
PID 2876 wrote to memory of 2668	2876	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe	31
PID 2876 wrote to memory of 2668	2876	b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe	31
PID 2668 wrote to memory of 572	2668	DEM675B.exe	34
PID 2668 wrote to memory of 572	2668	DEM675B.exe	34
PID 2668 wrote to memory of 572	2668	DEM675B.exe	34
PID 2668 wrote to memory of 572	2668	DEM675B.exe	34
PID 572 wrote to memory of 2344	572	DEMBC8B.exe	36
PID 572 wrote to memory of 2344	572	DEMBC8B.exe	36
PID 572 wrote to memory of 2344	572	DEMBC8B.exe	36
PID 572 wrote to memory of 2344	572	DEMBC8B.exe	36
PID 2344 wrote to memory of 2904	2344	DEM118E.exe	38
PID 2344 wrote to memory of 2904	2344	DEM118E.exe	38
PID 2344 wrote to memory of 2904	2344	DEM118E.exe	38
PID 2344 wrote to memory of 2904	2344	DEM118E.exe	38
PID 2904 wrote to memory of 1152	2904	DEM671C.exe	40
PID 2904 wrote to memory of 1152	2904	DEM671C.exe	40
PID 2904 wrote to memory of 1152	2904	DEM671C.exe	40
PID 2904 wrote to memory of 1152	2904	DEM671C.exe	40

C:\Users\Admin\AppData\Local\Temp\b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe
"C:\Users\Admin\AppData\Local\Temp\b8160af1043ac265772ce5befb299a0b07114f3e9288fa6b66191a39cd04d68b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\DEM675B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM675B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\DEM118E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM118E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\DEM671C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM671C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\DEMBC8C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC8C.exe"
        6⤵
        Executes dropped EXE
        
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM118E.exe

Filesize
20KB

MD5
3c6b1d4ac31a5d2ad710eb5de3013418

SHA1
1ec0457a8fe2ac22bc91b6e482960b56bdd6d5ee

SHA256
aa88424f721d67b88bed3343833f1a494724982dc68d32a48c3d8666c3e2c05f

SHA512
ca0cd0ba341f5a0ea196ac97d25081a585c29493e0aa1fb1140d009d3a5c6448c99bd7af0762749152152e764ffbb787c5d139e2fa08212aeffab02d6dc42be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM675B.exe

Filesize
20KB

MD5
762bfc2291a9fd9af4cd115f48885e65

SHA1
bf8c91dbf4f77dfe71eea0e3b98866651d8482e9

SHA256
720ba777d29dab1ef60402d308e2d7dd37c52d8d041181a379d42d7d64e131f3

SHA512
e0599cccc0ca0716e6f349f2dec2d610a4dc1dc47c872007ceb7e610c2a378e8f1eef9a8d52f7b46c1cec86da82de318eb08d58385d59c1379dbc69ee7134b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe

Filesize
20KB

MD5
9287e2e6c5d13029f9468352575bff7c

SHA1
1d3b5dd3156940911b9deb5f090cd0dcc1a1a224

SHA256
c800fac3b242649bf28ce70ea6099ce5c16a8a8714812c2cf713d445aa2b3c53

SHA512
ee0f65c4bd32f7ea7c98022566dc586d3a42366bf1c5b6b062f34cd89a36688a22f5c1b3d8463c633b949b27b73d741bec1f763a85f5e532fc013ca6a6e5d9d5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM671C.exe

Filesize
20KB

MD5
f9109ab158ba161fe4603a8dbd21f509

SHA1
f88af0e9bd7d21b50bacb8accf5ab0eff271e6b3

SHA256
1eab9c15e37a86dd4a72b6579b67e9bbc9917261f399bfb0ddefdf9239c3dc74

SHA512
0d882a7043da72f4b40b04c8b467c32d81ee6561c7f9d46db4f2cabfda6efb861753e93c0203e560e0925930d4c4419f16036ec2c1aff39fc55b70368be2411b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC8C.exe

Filesize
20KB

MD5
2bdedb9dc974506751916d93eb701d74

SHA1
6f1b2ee3278c2f8147a3da5206e65037d038fa7a

SHA256
2e7a928b279a4dd5b8e2db08628904aa7e40977489f14b5c08fa1ff0c2d6aa51

SHA512
1065c9a8d36c08a151d20cb543de925fc7f7a387b819238e42f052153029b1b910423a57f51df849c6d5ec4d6aaff7f7a1babbac7156d485efca7a5088867cfd

Download Submit

Analysis

Sharing