e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4

General

Target

e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe
Size

16KB
MD5

46f1b2e1f14bb8c652fad6da155fda6d
SHA1

4adcbca6e285c01d44df1010ef2d4110dc0b8d6d
SHA256

e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4
SHA512

274ba0dd93244a75aa354f07beee7482f07b173e6a4618539850acb9eb4097aed58b6a783bd774ee2c0f8e23a83d2703e5fe722d99bda500c911bf1c93a0b6ba
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4j9nA:hDXWipuE+K3/SSHgxmHZj9nA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2956	DEM5734.exe
2208	DEMAEC6.exe
2368	DEM4E1.exe
2768	DEM5B2B.exe
548	DEMB1C2.exe

Loads dropped DLL 5 IoCs

pid	Process
2880	e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe
2956	DEM5734.exe
2208	DEMAEC6.exe
2368	DEM4E1.exe
2768	DEM5B2B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4E1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5B2B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5734.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAEC6.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2956	2880	e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe	31
PID 2880 wrote to memory of 2956	2880	e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe	31
PID 2880 wrote to memory of 2956	2880	e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe	31
PID 2880 wrote to memory of 2956	2880	e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe	31
PID 2956 wrote to memory of 2208	2956	DEM5734.exe	33
PID 2956 wrote to memory of 2208	2956	DEM5734.exe	33
PID 2956 wrote to memory of 2208	2956	DEM5734.exe	33
PID 2956 wrote to memory of 2208	2956	DEM5734.exe	33
PID 2208 wrote to memory of 2368	2208	DEMAEC6.exe	36
PID 2208 wrote to memory of 2368	2208	DEMAEC6.exe	36
PID 2208 wrote to memory of 2368	2208	DEMAEC6.exe	36
PID 2208 wrote to memory of 2368	2208	DEMAEC6.exe	36
PID 2368 wrote to memory of 2768	2368	DEM4E1.exe	38
PID 2368 wrote to memory of 2768	2368	DEM4E1.exe	38
PID 2368 wrote to memory of 2768	2368	DEM4E1.exe	38
PID 2368 wrote to memory of 2768	2368	DEM4E1.exe	38
PID 2768 wrote to memory of 548	2768	DEM5B2B.exe	40
PID 2768 wrote to memory of 548	2768	DEM5B2B.exe	40
PID 2768 wrote to memory of 548	2768	DEM5B2B.exe	40
PID 2768 wrote to memory of 548	2768	DEM5B2B.exe	40

C:\Users\Admin\AppData\Local\Temp\e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe
"C:\Users\Admin\AppData\Local\Temp\e8bc90e3b189f1c730cefb09956a999fc0d5787d29b6ce0b5b72fb247cfc31c4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\DEM5734.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5734.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\DEM4E1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4E1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\DEM5B2B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5B2B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\DEMB1C2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB1C2.exe"
        6⤵
        Executes dropped EXE
        
        PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMAEC6.exe

Filesize
16KB

MD5
d23390b8a2ed194afdc58c9314e6feb3

SHA1
5e3b0624f23e307ff5b13153d23bb72d562f5784

SHA256
45c9da03cbf7cf2bc4a5db04af6fdc6f16797cbf8aca54c4751f8a5af895346f

SHA512
8197c26cb121043b71027da1cc8728c55d2ebd75f924485c5b8766a6b93115cb3add88b004be2d94562422ba1e670c5fcc9574e8ef9e58fa968bb8fa4b3c80e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB1C2.exe

Filesize
16KB

MD5
75b59827fed3c60a50057783d9f3fbe7

SHA1
0d69369e9069af2d8324648dc2428b6894bcbde1

SHA256
8d1ee0e18ff16a45e7843df088a1679756811f3be9ec4d356bae5736913f2eb9

SHA512
66d1ec0b0dcb7f7d5e8409d2314678a5d2ef3539c9f8273c3fdefd94ae07af094d48039d8fc9d72426ad02f93c34c7fe383ff8e1d02300cb883fc63c89c614ec

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4E1.exe

Filesize
16KB

MD5
4ff3cce40f9b2ade44014a7adc17e79d

SHA1
cfc1f7cca90db2347bb0702f531ee55b6ea4eed7

SHA256
14fd31c48331765dd99eda26a130ced18ff5cb2ce6050b3917089814fa28ec49

SHA512
c1889d9c6736c5aee07869cb64e564eced4d1eea8f80ca9ca0ecd19b6007d78666967673866baf81951abb8403f96c5ca6f00e14dbfd390a84a14cd049577024

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5734.exe

Filesize
16KB

MD5
9d616ca7e20d8dd4653528682810b2af

SHA1
ad62a6261dec51c26308ccdf9231ba1f77e8ca45

SHA256
c249a63807dbf496d9a670fd9d6d92a5a74522ee61cbb379aa832edcdd9f7659

SHA512
77915c551d6b7361cb52d7c788698eb29d66fb272dc659f752ec573ca5a6c2018298c214b8d15c4b44687f56e9e916a65fb0e2f3b7a4f0abf5d15465d4130563

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5B2B.exe

Filesize
16KB

MD5
a81a2e5d63fc3124b2267285e4fcdca1

SHA1
f50378634332652f9f09ee9b52f2cecd407542b2

SHA256
2df7714c9040fa0ef0af81f723d51828bb5969837ea108c759edd31edd479328

SHA512
620018ce07849f82febdd01ba8f678bb39143f3b0c1b5afee0f5d6216a598163e2b11f6ceb90ab51578ab3441273029006ea8909f7d36861541ce20234b97874

Download Submit

Analysis

Sharing