0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592

General

Target

0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
Size

16KB
MD5

87404c90544f46c429d0fcc7b7a99c08
SHA1

0461c13a4057f96152d250fa1cbce638aee45b0c
SHA256

0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592
SHA512

fc5ed874d034d0da7048db658c2a5547e19d995e8cb248d67d5ea944e59e0ca5937510609370a533b7debffb098d7a353159060490e00ffe36d0e47a3a2da098
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY44EA1u:hDXWipuE+K3/SSHgxm5Z1u

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

DEMCB4B.exeDEM20AA.exe

pid process

2768 DEMCB4B.exe
1484 DEM20AA.exe
Loads dropped DLL 2 IoCs

Processes:

0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exeDEMCB4B.exe

pid process

2088 0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
2768 DEMCB4B.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2768	DEMCB4B.exe
1484	DEM20AA.exe

pid	process
2088	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
2768	DEMCB4B.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exeDEMCB4B.exeDEM20AA.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCB4B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM20AA.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exeDEMCB4B.exe

description	pid	process	target process
PID 2088 wrote to memory of 2768	2088	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe	DEMCB4B.exe
PID 2088 wrote to memory of 2768	2088	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe	DEMCB4B.exe
PID 2088 wrote to memory of 2768	2088	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe	DEMCB4B.exe
PID 2088 wrote to memory of 2768	2088	0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe	DEMCB4B.exe
PID 2768 wrote to memory of 1484	2768	DEMCB4B.exe	DEM20AA.exe
PID 2768 wrote to memory of 1484	2768	DEMCB4B.exe	DEM20AA.exe
PID 2768 wrote to memory of 1484	2768	DEMCB4B.exe	DEM20AA.exe
PID 2768 wrote to memory of 1484	2768	DEMCB4B.exe	DEM20AA.exe

C:\Users\Admin\AppData\Local\Temp\0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe
"C:\Users\Admin\AppData\Local\Temp\0ef187da11ebbca19362a06b9eb082143be2ec6488e1a2688dc3f66a35753592.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\DEMCB4B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCB4B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\DEM20AA.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM20AA.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\DEM75CC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM75CC.exe"
      4⤵
      PID:2648
    - - C:\Users\Admin\AppData\Local\Temp\DEMCAED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCAED.exe"
        5⤵
        
        PID:2348
      - C:\Users\Admin\AppData\Local\Temp\DEM205C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM205C.exe"
        6⤵
        
        PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM205C.exe

Filesize
16KB

MD5
a032cf01002b9af93196741ced9e3eab

SHA1
399d148209c10ce36aceb98c7741dea203971650

SHA256
9b210feabfa0da5915b3b6e454a95b74f6a8acf806b2d0cc9a2ee5985dd2a67f

SHA512
580f1d9bf6c6bff66bd9a45ec66b1b9a30a39acd145d201fca737a6c3e98065c85f6e63016538cdbad43ee95f2a33e43aa788ff789b1227118ee49766325e45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM20AA.exe

Filesize
16KB

MD5
703489a67c3e82890e569d651ad40eaa

SHA1
239fed5a4307a9e70da943bc53aff891fa20804a

SHA256
99ce865004257dcea9658237aafd768cc2a4a173b20a0ece885d99ea7cbc9269

SHA512
8489f931a9a34cd564ddeb2e05c3e4393b0a913e2e47a0cb0b9eabb60ff95df46f8fba394c2d4eb14c4d222fd2c2fc6226f2a3ad3937d424b05d55ca3c52cd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM75CC.exe

Filesize
16KB

MD5
9ddb65c4c2134695c547890e5b15c51c

SHA1
5c852b55ff99ff8cd8ce291f1db422bb6aa78db2

SHA256
001d849da5cd833c7bd78b55f35e9d70cf36c3c4c238e28150e8730052a22947

SHA512
2d04670dd9ad2ab09f8e5a4b780b05dd6de1f4c4afe6de392eaa8390a75444caa143080c00235c86b772f9b1a0fc22ff74268a97b6efff85a026bc0d7978fdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCAED.exe

Filesize
16KB

MD5
7a25f00ad5a6c7842f1c8500d050e4f5

SHA1
b5a50fc64f05d0c3580ef45177fc681f69d7675f

SHA256
02df516581f24cee7da7ad566af11b3465f7dd5619535997fcaa0f35bff70140

SHA512
d1d81790660905fb9dcde90ea974f0fe296f98ca96e02cd3f699da8e5e7eff68f5e3ddbceb2caa00e74e19e62dbe7c7adaad1abeb2dc46bca571dc7a05d60709

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCB4B.exe

Filesize
16KB

MD5
22513a071038e5c08af5e39e7361b67c

SHA1
05e42fcccc814e2e30083c83d40627015bb8c3e6

SHA256
83224cf514cdea10bf25bad47e7386dab6f522b79eac7edfb8d9a258a925d4a2

SHA512
98fc57ce893cc372e00d65dda7dcec64f6f7bcedf67c607c5a152f8aa21978d6568f6050fd1427fb0f5f6dda5622fbbbe0c770b6fe9ed6c169f5d92f2f733e53

Download Submit

Analysis

Sharing