7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430

General

Target

7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe
Size

16KB
MD5

dd10223a072bf12bae906c47aeb03dfc
SHA1

85d41057ea3e80381b2711e2735ac0f706b2ac4c
SHA256

7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430
SHA512

468293ccc2f428c3250acc4ea45b543de4ba9bca506fbe202d4d845a107786e674114b209121e25787f71a0cbb293c71393dc387aa487f55206e5018797805a4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYleJ:hDXWipuE+K3/SSHgxmlw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1552	DEMD2F8.exe
2884	DEM2961.exe
1352	DEM7EB1.exe
1732	DEMD4AD.exe
2820	DEM29EE.exe

Loads dropped DLL 5 IoCs

pid	Process
2376	7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe
1552	DEMD2F8.exe
2884	DEM2961.exe
1352	DEM7EB1.exe
1732	DEMD4AD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD2F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2961.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7EB1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD4AD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1552	2376	7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe	32
PID 2376 wrote to memory of 1552	2376	7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe	32
PID 2376 wrote to memory of 1552	2376	7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe	32
PID 2376 wrote to memory of 1552	2376	7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe	32
PID 1552 wrote to memory of 2884	1552	DEMD2F8.exe	34
PID 1552 wrote to memory of 2884	1552	DEMD2F8.exe	34
PID 1552 wrote to memory of 2884	1552	DEMD2F8.exe	34
PID 1552 wrote to memory of 2884	1552	DEMD2F8.exe	34
PID 2884 wrote to memory of 1352	2884	DEM2961.exe	36
PID 2884 wrote to memory of 1352	2884	DEM2961.exe	36
PID 2884 wrote to memory of 1352	2884	DEM2961.exe	36
PID 2884 wrote to memory of 1352	2884	DEM2961.exe	36
PID 1352 wrote to memory of 1732	1352	DEM7EB1.exe	38
PID 1352 wrote to memory of 1732	1352	DEM7EB1.exe	38
PID 1352 wrote to memory of 1732	1352	DEM7EB1.exe	38
PID 1352 wrote to memory of 1732	1352	DEM7EB1.exe	38
PID 1732 wrote to memory of 2820	1732	DEMD4AD.exe	41
PID 1732 wrote to memory of 2820	1732	DEMD4AD.exe	41
PID 1732 wrote to memory of 2820	1732	DEMD4AD.exe	41
PID 1732 wrote to memory of 2820	1732	DEMD4AD.exe	41

C:\Users\Admin\AppData\Local\Temp\7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe
"C:\Users\Admin\AppData\Local\Temp\7d8afc22aecc7e401c102ff6bafbd020e223392b328630baceb92e4c857be430.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\DEMD2F8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD2F8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\DEM2961.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2961.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\DEM7EB1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7EB1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\DEMD4AD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4AD.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1732
      - C:\Users\Admin\AppData\Local\Temp\DEM29EE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM29EE.exe"
        6⤵
        Executes dropped EXE
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2961.exe

Filesize
16KB

MD5
abf5a9457b12c9f1305406276108d459

SHA1
adbc8ca8c6b0eebf775055b58a605ca29c8c66fe

SHA256
f4a361df3ca8def70fc5bb5bf21d55706f094c733149f0402305a49d5a831055

SHA512
28d29c8ab3098205b376d737c1eba36f761cff25c64904f834f9e9dcdec7091201fe19e322d179645e5646e6c9bd0858e10ea69c0ae27767c06719666fcb6e02

Download Submit
\Users\Admin\AppData\Local\Temp\DEM29EE.exe

Filesize
16KB

MD5
1b423f3ae95e974f282f160fef864314

SHA1
f8871c695bc4c40426d576e6d3897a50cde561c4

SHA256
6a1a0537eccbde897bf4feea05636aed0ae23ba9f1ec7e73760f400001428b9a

SHA512
818e650cc73b2678d1bba2289e6f8ba7624f38fef0a1d34b3e44d20677e98c1e2ef17e233765b7492200270a802944b39a82753925a7706bc2c1f77ec87dc829

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7EB1.exe

Filesize
16KB

MD5
9b954c6958ddc3d48432fe321f936ebc

SHA1
f7136a8a75877faf4b46e0594e8c312ec86dce95

SHA256
cc86f48203842f3608c5b5f3d1bfcc186c15d37f6b975ffe570bb07529eb2073

SHA512
4c7ea8ffaaa13904f4a9cc6b892b9ae211c45b503c0875651c250c7e166d942e602447df893d6ae15fd05e2d6cd3124fb7575c6c9b3cdb3c21202b2e5f595169

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD2F8.exe

Filesize
16KB

MD5
c229e18733ab90edfb5780ade10b1c66

SHA1
3e20d3fb9a22d6084f679d7b14130b66145d0a65

SHA256
ed38875bb2d5d6d6505d51e6ac918b93c1acc839100d0e80e42604ecc06a3d88

SHA512
047a827d6432fa28232997343a01384b023673c10d4b9476051cd436d9b9ffc5d6e10a9690df8c6362c7fb6c78269caf2379e3221753edae423ca6a11699b41f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD4AD.exe

Filesize
16KB

MD5
02fd200a99b09fa7bd861b6ea9c20f79

SHA1
061f32bce294bea95b78ac802201e81df6290241

SHA256
103d190294d41d9c4d7048bcb04f86cd269af9f872c98055c042e47200fe53ab

SHA512
a5c548440d2e3cac5f0d3fb5d3b59cb9348d132e6928a27dac3bde032b4580f03a9cc0e1d79b769f83285a0d516a27c54e1d2aba88c6c1d2839a5fcf66a89d9b

Download Submit

Analysis

Sharing