3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22

General

Target

3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe
Size

14KB
MD5

5cd1d5b8f786eb4ba2ae3fe6e9f0ebca
SHA1

1ebb1afd096a1c9acd348a440c1582cd7d056215
SHA256

3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22
SHA512

d3e56168070b3fb8624fdb8a8188aece82700793a4a8d50383193d45f9558eb27f7fc6b3e8b38935a4228e7565594698ba06a09bc9435197afd355aa7b1bd954
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0JSs:hDXWipuE+K3/SSHgx4ws

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2072	DEME13B.exe
2940	DEM3736.exe
2704	DEM8CF4.exe
2076	DEME244.exe
632	DEM384F.exe

Loads dropped DLL 5 IoCs

pid	Process
1728	3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe
2072	DEME13B.exe
2940	DEM3736.exe
2704	DEM8CF4.exe
2076	DEME244.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME13B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3736.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8CF4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME244.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2072	1728	3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe	32
PID 1728 wrote to memory of 2072	1728	3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe	32
PID 1728 wrote to memory of 2072	1728	3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe	32
PID 1728 wrote to memory of 2072	1728	3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe	32
PID 2072 wrote to memory of 2940	2072	DEME13B.exe	34
PID 2072 wrote to memory of 2940	2072	DEME13B.exe	34
PID 2072 wrote to memory of 2940	2072	DEME13B.exe	34
PID 2072 wrote to memory of 2940	2072	DEME13B.exe	34
PID 2940 wrote to memory of 2704	2940	DEM3736.exe	36
PID 2940 wrote to memory of 2704	2940	DEM3736.exe	36
PID 2940 wrote to memory of 2704	2940	DEM3736.exe	36
PID 2940 wrote to memory of 2704	2940	DEM3736.exe	36
PID 2704 wrote to memory of 2076	2704	DEM8CF4.exe	39
PID 2704 wrote to memory of 2076	2704	DEM8CF4.exe	39
PID 2704 wrote to memory of 2076	2704	DEM8CF4.exe	39
PID 2704 wrote to memory of 2076	2704	DEM8CF4.exe	39
PID 2076 wrote to memory of 632	2076	DEME244.exe	41
PID 2076 wrote to memory of 632	2076	DEME244.exe	41
PID 2076 wrote to memory of 632	2076	DEME244.exe	41
PID 2076 wrote to memory of 632	2076	DEME244.exe	41

C:\Users\Admin\AppData\Local\Temp\3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe
"C:\Users\Admin\AppData\Local\Temp\3fec26c0ad0c55c3b8a6a826d7295a247430a52dbdad449b320ac5faa20c8e22.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\DEME13B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME13B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\DEM3736.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3736.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\DEM8CF4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM8CF4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\DEME244.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME244.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\DEM384F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM384F.exe"
        6⤵
        Executes dropped EXE
        
        PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3736.exe

Filesize
14KB

MD5
35695fe80ca314d21946b018c35e5097

SHA1
5a91791e5567575d379a2d8e60bca111ef1a5bd9

SHA256
bdb6a7b6b9330952de4c70b1ecce62a69b4b510faaad5ea7160faf35d93f2e8e

SHA512
a631f0eb44d63f560d6e1e483015a1735acbb38ee7651dd2af291585d028f3d52ede5045fa60675efaf8ea0e85c3537dd3c1fec53afd884a4a5a24d9e59114df

Download Submit
\Users\Admin\AppData\Local\Temp\DEM384F.exe

Filesize
14KB

MD5
d6e2bef54e3f9c47cee92128180a0564

SHA1
4315e80770c56eb85a1ab1fd4616fe10b9173585

SHA256
b3cff93ad78dc0fb9651f2dbf821ede926c38e9392249eab92f011f4df98c314

SHA512
7d96c0f69072f3d0347f5c1b0c7546656cbd61954819a6d38b3f704b557fadf3e878e1f5733ff7ed7c8514506a8bddd4f317f42e885895eb5d9b911d6b50c550

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8CF4.exe

Filesize
14KB

MD5
21c89aebc5116bb27ce45c64b298256a

SHA1
6683a6ae6824c4a6ee10405a7cde89ba31cf6163

SHA256
12baa18fb57590afd8924f8180b792d544d8320c534f9d7edc4afb0d36dcbd73

SHA512
f2de982d80f0bda958ec2fe4fd80cfc13523f87eaf1e28363262aefd076297994415cf6c6c1d937fc92b5f1fe57452120a29e3b2cc77eedbdec784f2a2649a91

Download Submit
\Users\Admin\AppData\Local\Temp\DEME13B.exe

Filesize
14KB

MD5
8d075a3a18b0ff1f80324ed2418168b5

SHA1
f710ba93a9c2375f0e2d2bac67953ba49dd19818

SHA256
f9b02e8dd5cb153e0a5f5dbc5a77467e8075a88685095d5a508d5c4e79e194d8

SHA512
14b4fd6fb21dc7702b9442cdd9e464737f74f1d3203deccf340856e73b86ba557de61ddd4bf40caf92cee281eaaf2d4478ca324353a32e7090477a5521dca6b9

Download Submit
\Users\Admin\AppData\Local\Temp\DEME244.exe

Filesize
14KB

MD5
6cc1ee265f57b72180578063162e17f8

SHA1
f722e9359262e34e2136791e10624143f5905bf9

SHA256
b642b454baa4ed93c9f8657c149227509a1d62b779004383fb8af0965297a8a0

SHA512
3700545f28585c6472bd40e24e721de6b1c4d1a1e27e485bb85bafa032ef31e1eed58062de06b7de78f413db629842d04c93574f03c7a945e27c84af973ec00a

Download Submit

Analysis

Sharing