eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183

General

Target

eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe
Size

20KB
MD5

0bfe5918d8510780af4d042381d1b749
SHA1

4730839306fcce64c07a2493ad176f2c2c922f0f
SHA256

eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183
SHA512

e77fd67966cbc17c42b2f45a6d513fa09d5558a50eb156f21d364d4b8297e3fdead965858ef8b5d3fc5d8004ac36be132194062ed47d2c2cce1053bdc031bc28
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4c:hDXWipuE+K3/SSHgxmHZc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2972	DEMC542.exe
2980	DEM1A83.exe
2680	DEM6F85.exe
1120	DEMC4D5.exe
812	DEM1A25.exe

Loads dropped DLL 5 IoCs

pid	Process
2424	eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe
2972	DEMC542.exe
2980	DEM1A83.exe
2680	DEM6F85.exe
1120	DEMC4D5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC542.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1A83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6F85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC4D5.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2972	2424	eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe	32
PID 2424 wrote to memory of 2972	2424	eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe	32
PID 2424 wrote to memory of 2972	2424	eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe	32
PID 2424 wrote to memory of 2972	2424	eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe	32
PID 2972 wrote to memory of 2980	2972	DEMC542.exe	34
PID 2972 wrote to memory of 2980	2972	DEMC542.exe	34
PID 2972 wrote to memory of 2980	2972	DEMC542.exe	34
PID 2972 wrote to memory of 2980	2972	DEMC542.exe	34
PID 2980 wrote to memory of 2680	2980	DEM1A83.exe	36
PID 2980 wrote to memory of 2680	2980	DEM1A83.exe	36
PID 2980 wrote to memory of 2680	2980	DEM1A83.exe	36
PID 2980 wrote to memory of 2680	2980	DEM1A83.exe	36
PID 2680 wrote to memory of 1120	2680	DEM6F85.exe	38
PID 2680 wrote to memory of 1120	2680	DEM6F85.exe	38
PID 2680 wrote to memory of 1120	2680	DEM6F85.exe	38
PID 2680 wrote to memory of 1120	2680	DEM6F85.exe	38
PID 1120 wrote to memory of 812	1120	DEMC4D5.exe	40
PID 1120 wrote to memory of 812	1120	DEMC4D5.exe	40
PID 1120 wrote to memory of 812	1120	DEMC4D5.exe	40
PID 1120 wrote to memory of 812	1120	DEMC4D5.exe	40

C:\Users\Admin\AppData\Local\Temp\eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe
"C:\Users\Admin\AppData\Local\Temp\eddb8bd1b1a8b6235b086ad446993ceee2f2e8a38076f7120c0f0392ba04b183.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\DEMC542.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC542.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\DEM1A83.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1A83.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\DEM6F85.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6F85.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\DEMC4D5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC4D5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\DEM1A25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A25.exe"
        6⤵
        Executes dropped EXE
        
        PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1A83.exe

Filesize
20KB

MD5
5dada9698e413fa375606885521f9783

SHA1
18d523a1f72fcde5260333b8dd6d16272d4fe944

SHA256
ff6e2761894ed054a80849a96eb1c2c87c97f8f6f600b7391e23c7e47387d527

SHA512
69391f8527767bcd7f2707e609e1e318430f0c172248060cbc5c7eb266339616b453a4f9cba4889178de7f9b79d2955e29bdfcd836d324e1b137bfefb4c3f2ba

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A25.exe

Filesize
20KB

MD5
b73b93f8d2561ccc67750cde3747ab42

SHA1
e515c1b40b8f537a3ba661805989f3e6c3e4f6c0

SHA256
7834d78c59c836739233e3ea0c37758a4522cd75260305cefb217cc22417e724

SHA512
3d72e5076248c8adb1bcecd0441e2bd3af6607b26fbb79016aef2b325ae84fc118a11ab6fbb99db19763ce1544473573e880b0429ff4d988acacf270548fa48d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6F85.exe

Filesize
20KB

MD5
b46a9dc73f8164e6f387b6580fd487be

SHA1
fbfb3e75feca1a24de07470c43c8217f6e27532f

SHA256
8528eb4657f7362f96247bff927beefa2c9b04df568949a34a6ab0d6629c1061

SHA512
d10e01139e2149e61c9fc7b7cf56b7a016edbcccf071936ecffeaa09eb808753ed6d6ca42cf7d0c0fd68f225b59bb51d921413b7547273db47ba0c55dd0d3d23

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC4D5.exe

Filesize
20KB

MD5
5ddee40a31744467e6b32a55090335ed

SHA1
2e66462bc55a254be8f8577ea6e1afa1e4b2078c

SHA256
b1136eb3c2d929b9849b1251c44454f573d0935ff7c4b1d398b6e7bbb4a83f02

SHA512
eae5f2d6d80f03965481279fd74f4ad76da960e8a21f97451b1233653d288e0606fa8e5f695dfd5844be4f14ce0ce600d7cb0503d1fdfce2ed04c682090ae394

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC542.exe

Filesize
20KB

MD5
a1a0f9e4403111e7872e47323eca226a

SHA1
a4539fab99554c642fe07a6c493d950d0417e37d

SHA256
b453539c15dfec2491b773bebcd724cda55d87973b3b102b1818e769c7cab3a4

SHA512
939b07c2432020b5555114c400902febedaf26d147bfed6a58e83eb634bc9a62052e6a7defba1dc24810c377282a38c4290f43bcfb8f4fd0fb8f07654422d6f6

Download Submit

Analysis

Sharing