a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf

General

Target

a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe
Size

16KB
MD5

bfad3a963f1cd2c59fd197060afd7aff
SHA1

8f11a81c6fc1d9287bd834ee1c29665f168ff7c9
SHA256

a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf
SHA512

9c2a67bc1b16a859b3b8164dcaa3fdc436023bcab4f162bb095411887502a00ec4072bda2953437e491219402f74de48fadf1ab33a3d9386d25610ad3fa244e1
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0Tze:hDXWipuE+K3/SSHgx4+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2140	DEMC5AF.exe
2748	DEM1B3E.exe
2708	DEM70CD.exe
2960	DEMC784.exe
1692	DEM1CF3.exe

Loads dropped DLL 5 IoCs

pid	Process
1048	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe
2140	DEMC5AF.exe
2748	DEM1B3E.exe
2708	DEM70CD.exe
2960	DEMC784.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM70CD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC5AF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1B3E.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2140	1048	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe	30
PID 1048 wrote to memory of 2140	1048	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe	30
PID 1048 wrote to memory of 2140	1048	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe	30
PID 1048 wrote to memory of 2140	1048	a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe	30
PID 2140 wrote to memory of 2748	2140	DEMC5AF.exe	32
PID 2140 wrote to memory of 2748	2140	DEMC5AF.exe	32
PID 2140 wrote to memory of 2748	2140	DEMC5AF.exe	32
PID 2140 wrote to memory of 2748	2140	DEMC5AF.exe	32
PID 2748 wrote to memory of 2708	2748	DEM1B3E.exe	34
PID 2748 wrote to memory of 2708	2748	DEM1B3E.exe	34
PID 2748 wrote to memory of 2708	2748	DEM1B3E.exe	34
PID 2748 wrote to memory of 2708	2748	DEM1B3E.exe	34
PID 2708 wrote to memory of 2960	2708	DEM70CD.exe	36
PID 2708 wrote to memory of 2960	2708	DEM70CD.exe	36
PID 2708 wrote to memory of 2960	2708	DEM70CD.exe	36
PID 2708 wrote to memory of 2960	2708	DEM70CD.exe	36
PID 2960 wrote to memory of 1692	2960	DEMC784.exe	38
PID 2960 wrote to memory of 1692	2960	DEMC784.exe	38
PID 2960 wrote to memory of 1692	2960	DEMC784.exe	38
PID 2960 wrote to memory of 1692	2960	DEMC784.exe	38

C:\Users\Admin\AppData\Local\Temp\a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe
"C:\Users\Admin\AppData\Local\Temp\a14e1a6e42d1251ad6da3b92ce89c5e4534a287e638f1a742963ea52105393cf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\DEMC5AF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC5AF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\DEM1B3E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1B3E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\DEM70CD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM70CD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\DEMC784.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC784.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Users\Admin\AppData\Local\Temp\DEM1CF3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1CF3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1B3E.exe

Filesize
16KB

MD5
9961c251588f91e18f8d7c4aff15b928

SHA1
c481726295c5e1def7b81e5df93b76f31cc95a09

SHA256
7e9fb5fe043543891db2faf496d86e66fcfdef19f852cf2f5cba3c972e34115d

SHA512
40f998c9e0f338c4b43a8ca54db34aab5797840eb1e7d0dda42490b5ec08a45e72bd56c4c00ee32f0aa537cfeea672fa22a59836cee3b67bbff713267d3cc110

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC5AF.exe

Filesize
16KB

MD5
5d098185fd162414e1f85be76ab3818a

SHA1
e70ae90b4c8cfe097160224832ef90c4ce9149a2

SHA256
76d92140f05b4c4de2c3af4d16b24e15783fa6817bcae81a267b10b1fd45f230

SHA512
e2cc23c70273871b0cae02aab6078bdcbb2be6f89a0e3598ed3ac1d3e33ee8ff171c9cc2b44ec5df72356cd7e5b859efc8c69fd9a535dd9175cd860421bc0700

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1CF3.exe

Filesize
16KB

MD5
45b2a928b595927334835429fbe9ae7b

SHA1
4d6393b3bd3b1becda4d7c4dda57fa444376ac47

SHA256
c85372cc5690bac56139ed3140def995c73276223946f2b54ab9e6fd6ae9dace

SHA512
3e954fc22494ddee335318524a91a76e3eae99ad93ffe6353f65c3d2de2b55842ad75cf0f8bae0fff2383061e56a9afd4b79387675668224c797a2a7cd3af39a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM70CD.exe

Filesize
16KB

MD5
6100697689369674ad89acfceb4720b6

SHA1
b485a225896003a81559ccb61b877432af3359a2

SHA256
46d387639fff0b96c7023fc955025d99546040694ef72da50184b7f918d97f65

SHA512
13c1a54512fb3da5542bdf5247b0ec598284965b900244c038857fa8b7496e3d54f4b91032e2405e1755c6a0c432e07367798db2358c1abb38fcade69a98807c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC784.exe

Filesize
16KB

MD5
129adcf1ea73c1ac71be3a6dd587f8a3

SHA1
ea1fbaaaeb3d2f7d23e6607d3b018ba96aa611c2

SHA256
72961d8a433ba08428b8590cb997c6c825e1567dfa24fecc2fde5a2df66c4b26

SHA512
fcdbbf94d49644c143ad488e802582a8bc5bc258014566a7ebbdcf874b0a98145fcf4772d9f1b41a58512518cf87fabb4c950765e9436fb8f8c6c70b7ea692d4

Download Submit

Analysis

Sharing