ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc

General

Target

ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe
Size

16KB
MD5

983515418035e4187a24b29bd92b6350
SHA1

2e0080c0d5bca7e30d57af5349032d30c57112c8
SHA256

ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc
SHA512

9e740ede70e6ea0334c83be6e457f9df7c035f2c04cec093deb600f61c1d5abd27eec27d7a82cd4625f99303c8e0eeaa18e9ac4125d3e50dafbb2f364f2910ea
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh3T:hDXWipuE+K3/SSHgxV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2204	DEMBCAB.exe
2936	DEM1239.exe
2720	DEM677A.exe
1440	DEMBD47.exe
1824	DEM12D5.exe

Loads dropped DLL 5 IoCs

pid	Process
2940	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe
2204	DEMBCAB.exe
2936	DEM1239.exe
2720	DEM677A.exe
1440	DEMBD47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBCAB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1239.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM677A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBD47.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2204	2940	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe	32
PID 2940 wrote to memory of 2204	2940	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe	32
PID 2940 wrote to memory of 2204	2940	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe	32
PID 2940 wrote to memory of 2204	2940	ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe	32
PID 2204 wrote to memory of 2936	2204	DEMBCAB.exe	34
PID 2204 wrote to memory of 2936	2204	DEMBCAB.exe	34
PID 2204 wrote to memory of 2936	2204	DEMBCAB.exe	34
PID 2204 wrote to memory of 2936	2204	DEMBCAB.exe	34
PID 2936 wrote to memory of 2720	2936	DEM1239.exe	36
PID 2936 wrote to memory of 2720	2936	DEM1239.exe	36
PID 2936 wrote to memory of 2720	2936	DEM1239.exe	36
PID 2936 wrote to memory of 2720	2936	DEM1239.exe	36
PID 2720 wrote to memory of 1440	2720	DEM677A.exe	38
PID 2720 wrote to memory of 1440	2720	DEM677A.exe	38
PID 2720 wrote to memory of 1440	2720	DEM677A.exe	38
PID 2720 wrote to memory of 1440	2720	DEM677A.exe	38
PID 1440 wrote to memory of 1824	1440	DEMBD47.exe	40
PID 1440 wrote to memory of 1824	1440	DEMBD47.exe	40
PID 1440 wrote to memory of 1824	1440	DEMBD47.exe	40
PID 1440 wrote to memory of 1824	1440	DEMBD47.exe	40

C:\Users\Admin\AppData\Local\Temp\ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe
"C:\Users\Admin\AppData\Local\Temp\ed73e9aec722ffa07bec3c1bf5401ebd05896a8d4e4ddbf60e037f4a94f6b2bc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\DEMBCAB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBCAB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\DEM1239.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1239.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\DEM677A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM677A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\DEMBD47.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD47.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Users\Admin\AppData\Local\Temp\DEM12D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM12D5.exe"
        6⤵
        Executes dropped EXE
        
        PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1239.exe

Filesize
16KB

MD5
f4250c597ac0e34306aa032c7fe8e87e

SHA1
0d15d29ba2dea6efe2c2ff3834655fe3d3d7bf43

SHA256
e61542fb340486866509944d72603ea3a8c026d85800bcb3d22f8a895f32e30b

SHA512
eb07048620bc942e1b58e50febf17005d7cdf894898741f194afe797882e1db4e968446f1759d30db927f9d4893c01f868264bc013c62404b5d0bda1a196caa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM12D5.exe

Filesize
16KB

MD5
5c36dae524ad9adee27018847f4c9951

SHA1
75aa5c3f59a0240c23e33b60733c4c224d9764c6

SHA256
fa2866985858d9bece2e2fb25a83291f3d82c78672268413bcec90f7bdad1bd9

SHA512
e43f27b3e0fe480aea627f2c34056eb7120dc7fae931bc760f516763ac5f1eedcc487413090feb174f1b9564cc0f0dedb0ba3b1b1b09d3a9ea52cb867828a964

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM677A.exe

Filesize
16KB

MD5
a114c296c861c8444e3cd4ff55c06073

SHA1
b8587f01390859d325f50b6c6d1eec1981e2b994

SHA256
06d8d8e0d04d02b302783a9c4b791538efcebfe982e3f54e15c99f9fde51b4c2

SHA512
a319b84e1c4e777dc0416ba5b0b2aa7bdf75c2e258ad755080cb8e5c72da52ed9de4214608d8ba1da18845dbc36bf3841d3d7b55cdd7236b7620e475bdc37891

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBCAB.exe

Filesize
16KB

MD5
60123e348dae699121ee8380e537ec2b

SHA1
6ed814dee781f1dcb03cff7f0d883524c8c39cef

SHA256
0018ebd7242d197bb156fa0ade29671dca44ee94c146e462a30bf555cd32ac20

SHA512
6e6f5ad6babf5e775ce5dd1b7a43a7c63b3788c7c15742f2c5bde93710f391f5b512f1edcce90b13ea46f4e096bd69b6a7d3470f06cd63297c029e0c9847d2ca

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD47.exe

Filesize
16KB

MD5
1fc02a8ce21bd5656407ff628463842b

SHA1
fd2bc6b55ed697efef0d9c8674c6d714a6cf0ba3

SHA256
c2469462aa327622d6a1750e058d8ae1632e95415c9623547c6e083dc730dcd3

SHA512
15074be936f6f0e985ac44e60f3701f32b296e4e31d5b6897ea20ff0b47acaef083e72d8895879ab4164e216e1539c707072eafc0ff013a0beffe9ac1bd64116

Download Submit

Analysis

Sharing