2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960

General

Target

2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe
Size

20KB
MD5

9461f59c4561c0cd37ced502812fd9d9
SHA1

164b7f0fce654168f4c392af40da56e70d8047fe
SHA256

2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960
SHA512

b59fae7b4add4651e627db175f1e25ac08216d01ec9979184899be3d23262a3352dcfe5bdf2ecd0a51bfaae7f17dd8b7536f99465ac55b290fc9fc94229a8d25
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PRS1:hDXWipuE+K3/SSHgxmHZPRc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

DEMB201.exeDEM760.exeDEM5D2D.exeDEMB367.exeDEM8F6.exe

pid process

380 DEMB201.exe
2792 DEM760.exe
2676 DEM5D2D.exe
1944 DEMB367.exe
1528 DEM8F6.exe
Loads dropped DLL 5 IoCs

Processes:

2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exeDEMB201.exeDEM760.exeDEM5D2D.exeDEMB367.exe

pid process

2000 2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe
380 DEMB201.exe
2792 DEM760.exe
2676 DEM5D2D.exe
1944 DEMB367.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
380	DEMB201.exe
2792	DEM760.exe
2676	DEM5D2D.exe
1944	DEMB367.exe
1528	DEM8F6.exe

pid	process
2000	2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe
380	DEMB201.exe
2792	DEM760.exe
2676	DEM5D2D.exe
1944	DEMB367.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exeDEMB201.exeDEM760.exeDEM5D2D.exeDEMB367.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5D2D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB367.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exeDEMB201.exeDEM760.exeDEM5D2D.exeDEMB367.exe

description	pid	process	target process
PID 2000 wrote to memory of 380	2000	2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe	DEMB201.exe
PID 2000 wrote to memory of 380	2000	2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe	DEMB201.exe
PID 2000 wrote to memory of 380	2000	2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe	DEMB201.exe
PID 2000 wrote to memory of 380	2000	2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe	DEMB201.exe
PID 380 wrote to memory of 2792	380	DEMB201.exe	DEM760.exe
PID 380 wrote to memory of 2792	380	DEMB201.exe	DEM760.exe
PID 380 wrote to memory of 2792	380	DEMB201.exe	DEM760.exe
PID 380 wrote to memory of 2792	380	DEMB201.exe	DEM760.exe
PID 2792 wrote to memory of 2676	2792	DEM760.exe	DEM5D2D.exe
PID 2792 wrote to memory of 2676	2792	DEM760.exe	DEM5D2D.exe
PID 2792 wrote to memory of 2676	2792	DEM760.exe	DEM5D2D.exe
PID 2792 wrote to memory of 2676	2792	DEM760.exe	DEM5D2D.exe
PID 2676 wrote to memory of 1944	2676	DEM5D2D.exe	DEMB367.exe
PID 2676 wrote to memory of 1944	2676	DEM5D2D.exe	DEMB367.exe
PID 2676 wrote to memory of 1944	2676	DEM5D2D.exe	DEMB367.exe
PID 2676 wrote to memory of 1944	2676	DEM5D2D.exe	DEMB367.exe
PID 1944 wrote to memory of 1528	1944	DEMB367.exe	DEM8F6.exe
PID 1944 wrote to memory of 1528	1944	DEMB367.exe	DEM8F6.exe
PID 1944 wrote to memory of 1528	1944	DEMB367.exe	DEM8F6.exe
PID 1944 wrote to memory of 1528	1944	DEMB367.exe	DEM8F6.exe

C:\Users\Admin\AppData\Local\Temp\2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe
"C:\Users\Admin\AppData\Local\Temp\2fcd9d6d3d1e565fad6018367c08302083015d8acd2aa9b633947201ca0d3960.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\DEMB201.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB201.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\DEM760.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM760.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\DEM5D2D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5D2D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\DEMB367.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB367.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\DEM8F6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8F6.exe"
        6⤵
        Executes dropped EXE
        
        PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM760.exe

Filesize
20KB

MD5
a711e77227ec58c2a2f04deea385894b

SHA1
24bc68575b20ae3bc651222e31662f4188976f99

SHA256
87d10dd14d9867b7676e898e6619afaddc2ede53775976f66de58f38291d8305

SHA512
9aff4e86fa526fe7c1081e90759938d362e86b6da21d4a60e4681c2a80069f1cdc639d314ee18462045abeaf984ec440fa4901ae473186d57d177ab93bb55ea4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5D2D.exe

Filesize
20KB

MD5
67e2f8e273afd297305cb69b485e16cb

SHA1
82064c7e736febd18cb8d0db751e023cd0465e3d

SHA256
e9a1cac9b99c4bc52a2956dffa9afd08d0bc84510d95bfcae6835b77a3cf5e23

SHA512
7bd558a57758ad7a75931857a576536154ed3c469dd48629b68cce4b9190e4f8a108fcec85f601b15330720f09e3cf73bd98c62001863cc3db1bfdcd60d642f4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8F6.exe

Filesize
20KB

MD5
2bea0c7aef5afd688c833a575d4623cb

SHA1
7337fb907e60556af1fe3f897d8c7abf53795285

SHA256
35216b74115585cfc25487fc652e00f3f9f393ff0302d112e4e90c72d90375be

SHA512
e3fddc005e5226ce5deceebe3181bd75814bc6e03460e82f45babc4e7bdf42403af9e159770d395366bb474f721278fc46a2e94dee5279a70887cd0a08bd2a8b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB201.exe

Filesize
20KB

MD5
87a5232693280b0bdbef47c675714bf2

SHA1
cd83b5ac2928f9260f622ff92a5a97bf6ec720bb

SHA256
ae69f7fa8a15c089ed37218874714bd7b09352a3e199d305a35742b5797ad418

SHA512
87a39c0a277a4d350b4c395d4d7e9241412c8c53f4556844b832b2b09da7c936f5c8d3031afa2b7590707da80ebdd544e1cbedcef1c4782d961cc64b3bfa2974

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB367.exe

Filesize
20KB

MD5
37e4f3989901304aec01d3c49e54e4a1

SHA1
a87bf921fc1e6be85db272e4cb174a5a09ca65ac

SHA256
825083922e608b0ca62a4c762e51b0a8e6cfa3c4454f80a787bf5913b33ac5c2

SHA512
da76df325cc840719b4aad13b53a139c8781eb4595e642a295c1789af0540dd6b3386ee68a4c4f2a30002b158b5337a5e8638bb8b2cf00c5e0871011daab4097

Download Submit

Analysis

Sharing