2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910

General

Target

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe
Size

14KB
MD5

e7c70672e3b39c7777473504230b91a2
SHA1

5c178c7473200dba16b4ee4fe614392239e9c1f0
SHA256

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910
SHA512

0f688bdd21e01b3cfcfa2b784f12c968c4e1d5c7b5e934bae0ef0a58727fe406052b4c9f17eda66b3c983a9922c009480c7c71df98211502facdccbc38ea4062
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhhiiTz:hDXWipuE+K3/SSHgxLiiTz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

DEMCF41.exeDEM24B0.exe

pid	Process
2000	DEMCF41.exe
2884	DEM24B0.exe

Loads dropped DLL 2 IoCs

Processes:

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exeDEMCF41.exe

pid	Process
2092	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe
2000	DEMCF41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exeDEMCF41.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCF41.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exeDEMCF41.exe

description	pid	Process	procid_target
PID 2092 wrote to memory of 2000	2092	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe	32
PID 2092 wrote to memory of 2000	2092	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe	32
PID 2092 wrote to memory of 2000	2092	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe	32
PID 2092 wrote to memory of 2000	2092	2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe	32
PID 2000 wrote to memory of 2884	2000	DEMCF41.exe	34
PID 2000 wrote to memory of 2884	2000	DEMCF41.exe	34
PID 2000 wrote to memory of 2884	2000	DEMCF41.exe	34
PID 2000 wrote to memory of 2884	2000	DEMCF41.exe	34

C:\Users\Admin\AppData\Local\Temp\2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe
"C:\Users\Admin\AppData\Local\Temp\2d95dc55f6e149e018d4d1438c54e39797ff3ea6f36b1e262864f68262c2f910.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\DEMCF41.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCF41.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\DEM24B0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM24B0.exe"
    3⤵
    - Executes dropped EXE
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\DEM7A8D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7A8D.exe"
      4⤵
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\DEMCF8F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCF8F.exe"
        5⤵
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\DEM24EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM24EE.exe"
        6⤵
        
        PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM24B0.exe

Filesize
14KB

MD5
24e2a9dc8c43665d137b75628cbc5dee

SHA1
3d80a7a7bfbcc257c5b6094b9fbc70818924329a

SHA256
b46bdcac462d317aa6610c4787e9f1a7631077bf5bd574137c559ec362b07d74

SHA512
72788bcf8253bc14a201f66b52ccd49008964a63881a770410243e06a312c65e0016951dd8455bed563ce23e61e1c90242a3b339b308bdd66ef3a1d4850b67e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM24EE.exe

Filesize
14KB

MD5
5338e21e61d03f4d65e5b2b0f9722dba

SHA1
7e7a056513f8e81d9d28f6c4c8fd65f6f02cc551

SHA256
1a5484023ae9c2817565498dc850be9d28df3c4d9ad67b0735ceafbca440ae5b

SHA512
13840ad5f4fb6b86de1a8e1de452b3ec24fa9b49539ed2e1f28068f5856b9a3f7781ab24663eee7bf9bd6035437204dae4174374cf4f421f48202485120c8188

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7A8D.exe

Filesize
14KB

MD5
75d3238274b82f202647d68ee6b3bbd2

SHA1
b0ff020b6efeee60e4d7f85da9c0705d0a91783d

SHA256
4d09403d1719f17fc3c9a9e3050400596414f9e25973f67657c9466db4871dc6

SHA512
330e6de81268df467fa4d68705b8e5f29cc3fa659bc3757a7470bffa3eaec2cb3b819c8603e6d12a28221e0d449867167dbc11a65460b7858cb079df59eadb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCF8F.exe

Filesize
14KB

MD5
dbde1304064a48aef7158de3badd19e8

SHA1
9e33e85bf8bfbda3ff0e69f83ac4ecaacd0a1e1a

SHA256
187e39e89ed7c270fe392b8f9f721f4292025afd5a6b9ea26a2c4320d990fc80

SHA512
1fa7caca24b9dafd2b0c358fa69f1abd85c37738541019c71b3f673fba441379d0c32d6f2c51a42190ca2881db1393d7c7a871968e45c851f536629341e8d652

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCF41.exe

Filesize
14KB

MD5
cc25f8b116dbe78ae290805474880f33

SHA1
5eaf4a6ed77ef6a606144b3f6fbbbd5cddbb99c6

SHA256
ee9ac329b84081e81ed73b713e596670e0ccdc716c3c0bd24a00ff649e033dff

SHA512
4f88da2da1221355199a9ceab06a2999934af8b5f9b7b4b52826282a57afd7b3c3bbea613e00c58cf1d914dcfabacaccddee6e29e2ceb89478580c2564423824

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads