9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364

General

Target

9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe
Size

15KB
MD5

024d871e89de6d7bae0bc5f789ecc307
SHA1

9f37d09241f4c117150ecdebf48523b0388b1dab
SHA256

9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364
SHA512

7dd8995eb96312b999a2ab6c972508f324920884f22dabc9de2f661156a3d9a61427fe4f3eee03cba527c9bbf31b6a9b23dc6c97cdba72058c3cd9db3918182d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJEvzM:hDXWipuE+K3/SSHgx4zM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2496	DEMC11D.exe
2724	DEM16FA.exe
2288	DEM6C2B.exe
2464	DEMC17B.exe
2028	DEM16AC.exe

Loads dropped DLL 5 IoCs

pid	Process
1960	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe
2496	DEMC11D.exe
2724	DEM16FA.exe
2288	DEM6C2B.exe
2464	DEMC17B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC11D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM16FA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6C2B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC17B.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2496	1960	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe	32
PID 1960 wrote to memory of 2496	1960	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe	32
PID 1960 wrote to memory of 2496	1960	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe	32
PID 1960 wrote to memory of 2496	1960	9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe	32
PID 2496 wrote to memory of 2724	2496	DEMC11D.exe	34
PID 2496 wrote to memory of 2724	2496	DEMC11D.exe	34
PID 2496 wrote to memory of 2724	2496	DEMC11D.exe	34
PID 2496 wrote to memory of 2724	2496	DEMC11D.exe	34
PID 2724 wrote to memory of 2288	2724	DEM16FA.exe	36
PID 2724 wrote to memory of 2288	2724	DEM16FA.exe	36
PID 2724 wrote to memory of 2288	2724	DEM16FA.exe	36
PID 2724 wrote to memory of 2288	2724	DEM16FA.exe	36
PID 2288 wrote to memory of 2464	2288	DEM6C2B.exe	38
PID 2288 wrote to memory of 2464	2288	DEM6C2B.exe	38
PID 2288 wrote to memory of 2464	2288	DEM6C2B.exe	38
PID 2288 wrote to memory of 2464	2288	DEM6C2B.exe	38
PID 2464 wrote to memory of 2028	2464	DEMC17B.exe	40
PID 2464 wrote to memory of 2028	2464	DEMC17B.exe	40
PID 2464 wrote to memory of 2028	2464	DEMC17B.exe	40
PID 2464 wrote to memory of 2028	2464	DEMC17B.exe	40

C:\Users\Admin\AppData\Local\Temp\9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe
"C:\Users\Admin\AppData\Local\Temp\9058377b315300ec320b8814fbbeadc9594b75c46f6e666485f5c084fbaee364.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\DEMC11D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC11D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\DEM16FA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM16FA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\DEM6C2B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6C2B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\DEMC17B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC17B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Users\Admin\AppData\Local\Temp\DEM16AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM16AC.exe"
        6⤵
        Executes dropped EXE
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM16FA.exe

Filesize
15KB

MD5
26452e130479f601e513c509ff0cc486

SHA1
45b6c541ce3d43a11003e7bc3e31acca5611dee4

SHA256
5d37b6fe417d0c0e5bd6eeedb29237bc37825e84eb47a8a596a56d8f263bf1d9

SHA512
83da1d3d57dc59707c4c31c9525c8967812c1bf12f850551f210d8db4349477c1037517ef7e06ec7a776d4fe63e98d9f81fda6751d2f21f57019e0fb022cb8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC17B.exe

Filesize
16KB

MD5
233816b497ca655a292f2c1e9b2a213d

SHA1
7d31a9e6a8130baf44de967a07a7f06896d1f29a

SHA256
afb08dc3e7ea18f1ab24fc4d0562aaa9e58dfe03a1df5690ac8903a3a315d30e

SHA512
20cc392e9b73a30a2605d6dc17c6742d0689a582b144f17fbea684aecc18c09389c9e4d298419319bc29670b4d4e4031cbda93f1cbb9355c2dff002b7533b1e6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM16AC.exe

Filesize
16KB

MD5
cbb541a1a8d5a5e01bedd83f302670f6

SHA1
07d5d66cd67588b50019198b29617a6a78edb692

SHA256
b0ce6447533db291d4abceef8d944eab9ee1770d2990a1b043165360c0578f41

SHA512
89d0d5dbc5d63005f40fabdb23c377d22dbfbb74a544c481747daafb924357d97ccbbe652b4290052410216cf1d07833eb0a65c2b4d9d49fdcc50b151d67feba

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6C2B.exe

Filesize
16KB

MD5
591c3908b47d6c0d1f7995d408723cf2

SHA1
1d85442c7dc7b40bb62b3c0e011686f808140f78

SHA256
4ab6053e58b19432109bc068b8907fa44b45ef76128667b5c5e73dec39c3abed

SHA512
2a91102b73a43f43ea5c01bd1392d4a5ed912fcd9e3df92843fcc9a6b0d726a0ffeff5a8f1c7bbbd460f0aeab5fc29e18d657d4c7b79614b6d3118a647c1eee1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC11D.exe

Filesize
15KB

MD5
b55329619cca826ffca7f2400c6f480b

SHA1
0b5406a25b0bb4694c521f835ca307059da7d7b2

SHA256
dc3be2215a0d444c75b85d2663a313536722110e0caa6a8048042972f912bdc0

SHA512
5036fdcdb99be5e5435c29999b933f426cb7516f677a248670c5c8df8de26207dc38f8a73d590fd2714e4354f6ee449479110c84873202b072679e08f6f58d59

Download Submit

Analysis

Sharing