1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f

General

Target

1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe
Size

16KB
MD5

7dbdf5f1a616ed9a759ab57b792088a4
SHA1

b15e54447a756f2c5ef3f938a193c9e278f1fe58
SHA256

1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f
SHA512

1b2300a569ea8fc6513aaca28847e3f76b282d9f7516247603b36a9bafb5bad05fe04617131036e8a337609279d0a41d0fdf34db94258b6a9f51e34cc9e09ec4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pkzT3T:hDXWipuE+K3/SSHgx4Gz/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2696	DEM9731.exe
2216	DEMECA0.exe
2144	DEM420F.exe
2660	DEM976F.exe
2228	DEMECB0.exe

Loads dropped DLL 5 IoCs

pid	Process
1848	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe
2696	DEM9731.exe
2216	DEMECA0.exe
2144	DEM420F.exe
2660	DEM976F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMECA0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM420F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM976F.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2696	1848	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe	32
PID 1848 wrote to memory of 2696	1848	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe	32
PID 1848 wrote to memory of 2696	1848	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe	32
PID 1848 wrote to memory of 2696	1848	1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe	32
PID 2696 wrote to memory of 2216	2696	DEM9731.exe	34
PID 2696 wrote to memory of 2216	2696	DEM9731.exe	34
PID 2696 wrote to memory of 2216	2696	DEM9731.exe	34
PID 2696 wrote to memory of 2216	2696	DEM9731.exe	34
PID 2216 wrote to memory of 2144	2216	DEMECA0.exe	36
PID 2216 wrote to memory of 2144	2216	DEMECA0.exe	36
PID 2216 wrote to memory of 2144	2216	DEMECA0.exe	36
PID 2216 wrote to memory of 2144	2216	DEMECA0.exe	36
PID 2144 wrote to memory of 2660	2144	DEM420F.exe	38
PID 2144 wrote to memory of 2660	2144	DEM420F.exe	38
PID 2144 wrote to memory of 2660	2144	DEM420F.exe	38
PID 2144 wrote to memory of 2660	2144	DEM420F.exe	38
PID 2660 wrote to memory of 2228	2660	DEM976F.exe	40
PID 2660 wrote to memory of 2228	2660	DEM976F.exe	40
PID 2660 wrote to memory of 2228	2660	DEM976F.exe	40
PID 2660 wrote to memory of 2228	2660	DEM976F.exe	40

C:\Users\Admin\AppData\Local\Temp\1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe
"C:\Users\Admin\AppData\Local\Temp\1088d8e7fbab709277ec3e94886d86126e2d20675211d15ca417bc124e06bb2f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\DEM9731.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9731.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\DEMECA0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMECA0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\DEM420F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM420F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\DEM976F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM976F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\DEMECB0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMECB0.exe"
        6⤵
        Executes dropped EXE
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9731.exe

Filesize
16KB

MD5
ef3f9030b16bb6134f459e356b2074e2

SHA1
4f5c20f5b28603755797e24493a240b3b003ddf5

SHA256
c20940638540632ff6a1d5abf9aa0dd0dcf0e0030b22bbd26a832a2ed5c1eb51

SHA512
bd34a1db3180679340664258659a0b5b071c92ad5e96baa42fb8960f3b5240402cadfcf2336650d604dfedca85d44e3fd0244b588aa37190fe70cbd7fee2798a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMECA0.exe

Filesize
16KB

MD5
574ddb671807fda0bc8407bebba6ea88

SHA1
07eed3dbfde6217a5cab0f23788b6d15fc4e5441

SHA256
522a7dd11ee63e386a6e4b0750157f3978270292601e90d1b6b285043d7a88c6

SHA512
45ea642516b033237859893c578650c5fa362d21b2fb580477fedb81b9b533bb061d55040697c5db17cca38e5437252f1489dbe40d7dcf3cb752e6de33bb37e9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM420F.exe

Filesize
16KB

MD5
5dbaf22239f8994600ea3ce1267f23d2

SHA1
444e9e3d15270dcb1bab65f6f717289114231eac

SHA256
57e832f9a1510b2e3575f0f73abc62a9b6dda2048ff6b28cb6ae6c3647ce9aae

SHA512
b90ef7ec586bf335ede9324c4c441a85b025506b596406cb6d691437dae04880307ee8d393922adf836e4d1bb5d1a587c20c2792923f6d635b870e302b3a93a7

Download Submit
\Users\Admin\AppData\Local\Temp\DEM976F.exe

Filesize
16KB

MD5
f13c347a90d5ad6493e06757f0b2b356

SHA1
1fe7028c035b047fb4655e4f0b4094662bea9e6d

SHA256
370f0d6f9cb0abb4e36bbbca5f1a09e7e2c59212a946b1f49407681326d35a95

SHA512
55291a550a88708472f4a31daf2ce8ceceabe34c5f30423937570713515829e0bf9e232198e1de021e375f159ac416e5961664fd8e24da468a202ee20cedac6d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMECB0.exe

Filesize
16KB

MD5
d4b8e64f2a86322af4707460ce0699fd

SHA1
9518371e0893be65dfb8fafad0128e122c391e2e

SHA256
7cf31f7e47a90b2e5e89212b04b33e30ffe790db7cb0aa30f98b2ed1a283798a

SHA512
cb094cdc4efcff45b92f1bd692d37256e6123c4b78b57a2a50f619393c8e6cb95b53c1117413ada2a1ad1b4ad11d9efffe70733c6487049914d424aa7a215e19

Download Submit

Analysis

Sharing