cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19

General

Target

cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe
Size

15KB
MD5

6629599ca10416aa4d3d11c90e5d484c
SHA1

b7a1e5da97891bd15e73293961ab6107a4233cc1
SHA256

cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19
SHA512

4aa6c00250a90bd20e34cdebb44f5dca7f6d4d0199947b1db7fffac63a3084e25c80bf7ce7884cda29373c01c83e6e664adbe29537b0bddfd80c4f92c29543a0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh5RAnCL:hDXWipuE+K3/SSHgxfL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2972	DEM2C1F.exe
3064	DEM8160.exe
1696	DEMD6CF.exe
1664	DEM2BF0.exe
264	DEM8150.exe

Loads dropped DLL 5 IoCs

pid	Process
1072	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe
2972	DEM2C1F.exe
3064	DEM8160.exe
1696	DEMD6CF.exe
1664	DEM2BF0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2C1F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD6CF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2BF0.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2972	1072	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe	31
PID 1072 wrote to memory of 2972	1072	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe	31
PID 1072 wrote to memory of 2972	1072	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe	31
PID 1072 wrote to memory of 2972	1072	cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe	31
PID 2972 wrote to memory of 3064	2972	DEM2C1F.exe	33
PID 2972 wrote to memory of 3064	2972	DEM2C1F.exe	33
PID 2972 wrote to memory of 3064	2972	DEM2C1F.exe	33
PID 2972 wrote to memory of 3064	2972	DEM2C1F.exe	33
PID 3064 wrote to memory of 1696	3064	DEM8160.exe	36
PID 3064 wrote to memory of 1696	3064	DEM8160.exe	36
PID 3064 wrote to memory of 1696	3064	DEM8160.exe	36
PID 3064 wrote to memory of 1696	3064	DEM8160.exe	36
PID 1696 wrote to memory of 1664	1696	DEMD6CF.exe	38
PID 1696 wrote to memory of 1664	1696	DEMD6CF.exe	38
PID 1696 wrote to memory of 1664	1696	DEMD6CF.exe	38
PID 1696 wrote to memory of 1664	1696	DEMD6CF.exe	38
PID 1664 wrote to memory of 264	1664	DEM2BF0.exe	40
PID 1664 wrote to memory of 264	1664	DEM2BF0.exe	40
PID 1664 wrote to memory of 264	1664	DEM2BF0.exe	40
PID 1664 wrote to memory of 264	1664	DEM2BF0.exe	40

C:\Users\Admin\AppData\Local\Temp\cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe
"C:\Users\Admin\AppData\Local\Temp\cff2be4fc8eb43dc054836ae6c7c73ded1250a05e110a4e41e1e80dd3523fb19.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\DEM2C1F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2C1F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\DEM8160.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8160.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\DEMD6CF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD6CF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\DEM2BF0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2BF0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Users\Admin\AppData\Local\Temp\DEM8150.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8150.exe"
        6⤵
        Executes dropped EXE
        
        PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C1F.exe

Filesize
15KB

MD5
7c6a1cc39c4034e0269157833c75878e

SHA1
bc16f2873355dd74c2cc43489d7915bfa8240fe5

SHA256
9100519e02aabb1bb79b43947eae059d06a2744cb98d18fbfca4b4cae4cba3e6

SHA512
75d1af76e7d1920f877f1a722915887023d86b21dd6c123ef66944c272d36ae9f3e935821e9971eaf775018541d4b111ffddf37300cc04f19df7d1dab172aec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8160.exe

Filesize
15KB

MD5
348d858a93d9428cbfd6845e18b056e1

SHA1
fad0813ff5a827e51ae6ab1868b4f16e190e59f7

SHA256
3c20dc26775be23bc7c35d851edd38003aa205214b92f101bddc5c0b97013980

SHA512
a6943742fa2a2ee198b5ef3ce7d16cb0722cb7f4a92a46a702677d16835953f396bc09d0b51709468f57c5ecb77710f7a50ecdb4042c53541e8ebd6a57372f47

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2BF0.exe

Filesize
15KB

MD5
4aabfd9b7bad452e646516ee8a9f7c14

SHA1
f1967720b961852dc0ab8207824c2e02cd3f8620

SHA256
631efd9dc8df8fc685356a6e9069400e9696d65af02aecd04d85eb3226c744cf

SHA512
0b6ac90a8347259e0fa6a4a4455a8a3f3ecc6a750c4b18c1dff5f15c545c3aba4dc224334b0f41aa46fa5a2c4cc73b7627e8d801a9aa738fa4c41da3e1535435

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8150.exe

Filesize
15KB

MD5
5d0e58f90080aa68e2368202be7890b6

SHA1
009d7a0869d4530624e8e1ed362b1b99d995f9f3

SHA256
0872222d75cc4c53d6319ced96870fd9ddd5f868a3c64acb00da3c9bc7aa3c0f

SHA512
343be1369c55a18b82779dfa303eeac0ad10f2b71a0b0a385a376d4e8923fe8de8bee3362df6c3a01a12f527848bdf8ae8f4868660dfec4317a5045a62b5ee69

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD6CF.exe

Filesize
15KB

MD5
99c8ba7f28466d3cf0f7855cfaa15ed4

SHA1
50018e38c49038bdd94635f06a277df367082d6f

SHA256
cd62aba0cbb863874a563602c3cc4bcc562ee8f1fdfbbb5af5376b451df90da0

SHA512
a42b5cd9652627ef35e9987e532c75f2b8c5a6845cfbf3fed69eb93a1745087e694524d5ad9df5ee14a7bffef309af6a024f0e3229f3c844e86b170e59762210

Download Submit

Analysis

Sharing