ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b

General

Target

ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe
Size

20KB
MD5

23e461e56cd8a38a679d1949400b35e4
SHA1

76e224a55af1724d124c53cab88d7cb461393785
SHA256

ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b
SHA512

adc2c101ab44fec28b912677035282c799dcdccd55d27a88f06f739fd094bea01c0c5d8a53fe33e2c77f42f7785123bff5b591f441f61601600f9e7baa2ac58e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4php:hDXWipuE+K3/SSHgxmHZphp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

DEMAFFE.exeDEM58C.exeDEM5B4A.exeDEMB107.exeDEM686.exe

pid process

2064 DEMAFFE.exe
3004 DEM58C.exe
2700 DEM5B4A.exe
2000 DEMB107.exe
396 DEM686.exe
Loads dropped DLL 5 IoCs

Processes:

ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exeDEMAFFE.exeDEM58C.exeDEM5B4A.exeDEMB107.exe

pid process

684 ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe
2064 DEMAFFE.exe
3004 DEM58C.exe
2700 DEM5B4A.exe
2000 DEMB107.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2064	DEMAFFE.exe
3004	DEM58C.exe
2700	DEM5B4A.exe
2000	DEMB107.exe
396	DEM686.exe

pid	process
684	ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe
2064	DEMAFFE.exe
3004	DEM58C.exe
2700	DEM5B4A.exe
2000	DEMB107.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exeDEMAFFE.exeDEM58C.exeDEM5B4A.exeDEMB107.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAFFE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM58C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5B4A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB107.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exeDEMAFFE.exeDEM58C.exeDEM5B4A.exeDEMB107.exe

description	pid	process	target process
PID 684 wrote to memory of 2064	684	ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe	DEMAFFE.exe
PID 684 wrote to memory of 2064	684	ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe	DEMAFFE.exe
PID 684 wrote to memory of 2064	684	ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe	DEMAFFE.exe
PID 684 wrote to memory of 2064	684	ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe	DEMAFFE.exe
PID 2064 wrote to memory of 3004	2064	DEMAFFE.exe	DEM58C.exe
PID 2064 wrote to memory of 3004	2064	DEMAFFE.exe	DEM58C.exe
PID 2064 wrote to memory of 3004	2064	DEMAFFE.exe	DEM58C.exe
PID 2064 wrote to memory of 3004	2064	DEMAFFE.exe	DEM58C.exe
PID 3004 wrote to memory of 2700	3004	DEM58C.exe	DEM5B4A.exe
PID 3004 wrote to memory of 2700	3004	DEM58C.exe	DEM5B4A.exe
PID 3004 wrote to memory of 2700	3004	DEM58C.exe	DEM5B4A.exe
PID 3004 wrote to memory of 2700	3004	DEM58C.exe	DEM5B4A.exe
PID 2700 wrote to memory of 2000	2700	DEM5B4A.exe	DEMB107.exe
PID 2700 wrote to memory of 2000	2700	DEM5B4A.exe	DEMB107.exe
PID 2700 wrote to memory of 2000	2700	DEM5B4A.exe	DEMB107.exe
PID 2700 wrote to memory of 2000	2700	DEM5B4A.exe	DEMB107.exe
PID 2000 wrote to memory of 396	2000	DEMB107.exe	DEM686.exe
PID 2000 wrote to memory of 396	2000	DEMB107.exe	DEM686.exe
PID 2000 wrote to memory of 396	2000	DEMB107.exe	DEM686.exe
PID 2000 wrote to memory of 396	2000	DEMB107.exe	DEM686.exe

C:\Users\Admin\AppData\Local\Temp\ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe
"C:\Users\Admin\AppData\Local\Temp\ed7208afe648ce4679291635381e9568b01297f5710d0d1647c051804dbe696b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\DEMAFFE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAFFE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\DEM58C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM58C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\DEM5B4A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5B4A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\DEMB107.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB107.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\DEM686.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM686.exe"
        6⤵
        Executes dropped EXE
        
        PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM58C.exe

Filesize
20KB

MD5
79fa5468b41ffa19bb5d5cc041200a5b

SHA1
7195359a829082086f96346873f75f0a4213cc39

SHA256
af1ea42f37c70decdfaca2e991e56b3a12123bb309bf7ef28de92deff61e8db4

SHA512
48458cabd935c87ea5faad70f8716dc0933b152228d8c73b9060ba7c13f30d32b0ac501f103446e3e1e29ba187b6217e5f91aa39aae2a3350d4488492391dcb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM686.exe

Filesize
20KB

MD5
217becdde2a5998a652e48ab06dab3d1

SHA1
d36dfee9856bf1caf14def10a439401cc3f571c0

SHA256
5ee7e879903f72f216a1b6ac717ea11e962a16d4ecf3924052b757b859c9fc58

SHA512
6558ef38904af63112e1b117f5a9eb513e6e2d1523426f5b88034c1589f4081132b5552e107f29ce0b2d1b6a776e7ab17fbfa2712c8e27661ee4eac1fce3f617

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5B4A.exe

Filesize
20KB

MD5
f8c18075c3084be4d3f37e693311fb5b

SHA1
014a9135e8cc5fce48c6f6b5ce4b0ef64583e5e7

SHA256
057bbe41295d98ff998192678c7c01c63f97fd422e94b8a359d2addf697fbd27

SHA512
6209d1931bf9a9affabd1bc36d0f8dc13e955e7db4372424a3a3682b60f9df69fd5b5378263fa53f03a2e06fd86a563be98f24e1bbb496fe5e3d763bc3e0f55a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAFFE.exe

Filesize
20KB

MD5
b643f1b843d8f0e21cad91c4bf5f9fa6

SHA1
5060233b927bf494fec0c649c16b56730ff3c78c

SHA256
9643043b899bdea5908d854de776272b0d36054bc0d70b3734682074b776995b

SHA512
1a3f74a88b51d61528b2ec22605bf51bff6c2f3a0620a5c7b2973b5ed24ad201212648e66cdcb916892912d52d71fcc42d8729961dcc01d46aa0f9a5f2c914a3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB107.exe

Filesize
20KB

MD5
e571b04717db18dfa854c15c42bfbe4e

SHA1
9cc3cd5767112292ac2d7c67e397ccab67e9ea2c

SHA256
f772b6272bb16ced9a0e2a942e265282e645d9104736b44ea430987cf6c36373

SHA512
4c65fd918cd15af71923aff17735403f7590145fd2fc6e27fe6f3237f202bce9ab8bb3048c6e7702efee2e926d6fa292d0c5206485d9959df1a3d16a241d7423

Download Submit

Analysis

Sharing