ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b

General

Target

ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe
Size

16KB
MD5

0b02eb503865a337e8b31798a3f824d3
SHA1

f94099f2c5506b9c216158a3f1b84ee429123729
SHA256

ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b
SHA512

76a2c2c521b4d0da5282cd38d920abb91319e2d7e963b2f33d58bb25ae3d45ce1c0f485f87e0d3bd350c887bc5983504b3153db6ee1015721d57d1bfcafbe9d8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJHPSU0yI:hDXWipuE+K3/SSHgxmlOJHI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2168	DEM8372.exe
2588	DEMD8F1.exe
2520	DEM2E22.exe
2888	DEM8334.exe
1928	DEMD846.exe

Loads dropped DLL 5 IoCs

pid	Process
2868	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe
2168	DEM8372.exe
2588	DEMD8F1.exe
2520	DEM2E22.exe
2888	DEM8334.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8372.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD8F1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2E22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8334.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2168	2868	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe	31
PID 2868 wrote to memory of 2168	2868	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe	31
PID 2868 wrote to memory of 2168	2868	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe	31
PID 2868 wrote to memory of 2168	2868	ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe	31
PID 2168 wrote to memory of 2588	2168	DEM8372.exe	33
PID 2168 wrote to memory of 2588	2168	DEM8372.exe	33
PID 2168 wrote to memory of 2588	2168	DEM8372.exe	33
PID 2168 wrote to memory of 2588	2168	DEM8372.exe	33
PID 2588 wrote to memory of 2520	2588	DEMD8F1.exe	35
PID 2588 wrote to memory of 2520	2588	DEMD8F1.exe	35
PID 2588 wrote to memory of 2520	2588	DEMD8F1.exe	35
PID 2588 wrote to memory of 2520	2588	DEMD8F1.exe	35
PID 2520 wrote to memory of 2888	2520	DEM2E22.exe	37
PID 2520 wrote to memory of 2888	2520	DEM2E22.exe	37
PID 2520 wrote to memory of 2888	2520	DEM2E22.exe	37
PID 2520 wrote to memory of 2888	2520	DEM2E22.exe	37
PID 2888 wrote to memory of 1928	2888	DEM8334.exe	39
PID 2888 wrote to memory of 1928	2888	DEM8334.exe	39
PID 2888 wrote to memory of 1928	2888	DEM8334.exe	39
PID 2888 wrote to memory of 1928	2888	DEM8334.exe	39

C:\Users\Admin\AppData\Local\Temp\ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe
"C:\Users\Admin\AppData\Local\Temp\ab6970046d989e5464f3d2ca90f15dac3944a17eaa28147f761d82c4dea01a4b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\DEM8372.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8372.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\DEMD8F1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMD8F1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\DEM2E22.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM2E22.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\DEM8334.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8334.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\DEMD846.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD846.exe"
        6⤵
        Executes dropped EXE
        
        PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2E22.exe

Filesize
16KB

MD5
6fd596e1cb981dfb83efba910df71615

SHA1
0ba43aaf1423be134486b5bbfa35ca824ecd7d99

SHA256
0f18e53e99ca6ae543a8e3cc43df1eaa1ef5b9b8af3f5cd424ed67a35bd18ba1

SHA512
e23ed25a19a73efb09cec4085a7c543720ec5354311d4b885dd85f0ac335af75becc03d719089d2ff37972ac951bad8b65b90e3aa953af1ff6fcf6743a90ee40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8334.exe

Filesize
16KB

MD5
42124b9b9efe1a2818f77406f73fac8f

SHA1
43b558a838ef421547121fc8f31df730bc6526a0

SHA256
359ed48d1c563d277b9dc8fa74973c3007628aef0baed4c44abd882c32a2d44e

SHA512
3a766085457a3068a70d8eeb988818f3c699db88ce702224d5eb7669fa9d12109d6d35e3f3413f47d6cde9131cd9f467448d9f41a21905a2b1935a07c21ed67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8372.exe

Filesize
16KB

MD5
44be3e19915d538ef8cf8371f0fbb444

SHA1
a55a1402ba05f4286c2079c163db5daa88dd81e5

SHA256
81da9b5268a6f27c46a07ad0efd9c2c7d64952903d155209868f4f7a1ce10d48

SHA512
b80ad62b0bfe4e5943ed27d16109ac6ce9c9c2d3cad896af4df8159e1a769335ea669250cc7f15f2dea4939440494cbc96921f9ac53257befd66eecda1c16b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD8F1.exe

Filesize
16KB

MD5
4cd0f2e220c77e2fa093dbe25263e707

SHA1
a9b390fc2c2dcc56e53219322ec80da64f4dad5d

SHA256
f05684aa884d8c6b17fa52563bc118015e34b2ee1eb7caa6c4243eae66a02f3f

SHA512
ddafdf6f25566ce89c9a66b2dd5133341b7257afc3d6d609f2805e718ceb8ac05419686e4fc435ebc72d53291fe9ac3da2f858328a4fac2356f4a0aaba4fb31b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD846.exe

Filesize
16KB

MD5
32dc57e58dda0b8c4d2435255daa0292

SHA1
a8ac729684f7adfe90f5ce17d939abb5a6887ada

SHA256
f523f771b626b02173fb972ecc09634a833083026c1d481ffc2e0f282ded390c

SHA512
727562d6c2400612af8b43809137633c2cf639c2ce0eb1fdab8ddd47754ddb23547edd569d94eaf528a47b789b6a9780c15987e66bd279aad6c2779372eef801

Download Submit

Analysis

Sharing