6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082

General

Target

6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe
Size

20KB
MD5

37183d88788877845452eae449b3cdc0
SHA1

9dca424788a0670017ae4a69ef545697364a2789
SHA256

6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082
SHA512

be201b602003ad4485b32f569cbe8351c77f6fdcb2e2b73c3df827305dc483cd86440374abafae768077f063e4a6c3e28098cd1458d824f773a72ae7eae8f144
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4ogeX:hDXWipuE+K3/SSHgxmHZoBX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2764	DEM2C4E.exe
3012	DEM81FC.exe
2220	DEMD71D.exe
592	DEM2CEA.exe
2144	DEM81FD.exe

Loads dropped DLL 5 IoCs

pid	Process
2676	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe
2764	DEM2C4E.exe
3012	DEM81FC.exe
2220	DEMD71D.exe
592	DEM2CEA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD71D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2CEA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2C4E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM81FC.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2764	2676	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe	31
PID 2676 wrote to memory of 2764	2676	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe	31
PID 2676 wrote to memory of 2764	2676	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe	31
PID 2676 wrote to memory of 2764	2676	6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe	31
PID 2764 wrote to memory of 3012	2764	DEM2C4E.exe	33
PID 2764 wrote to memory of 3012	2764	DEM2C4E.exe	33
PID 2764 wrote to memory of 3012	2764	DEM2C4E.exe	33
PID 2764 wrote to memory of 3012	2764	DEM2C4E.exe	33
PID 3012 wrote to memory of 2220	3012	DEM81FC.exe	35
PID 3012 wrote to memory of 2220	3012	DEM81FC.exe	35
PID 3012 wrote to memory of 2220	3012	DEM81FC.exe	35
PID 3012 wrote to memory of 2220	3012	DEM81FC.exe	35
PID 2220 wrote to memory of 592	2220	DEMD71D.exe	37
PID 2220 wrote to memory of 592	2220	DEMD71D.exe	37
PID 2220 wrote to memory of 592	2220	DEMD71D.exe	37
PID 2220 wrote to memory of 592	2220	DEMD71D.exe	37
PID 592 wrote to memory of 2144	592	DEM2CEA.exe	39
PID 592 wrote to memory of 2144	592	DEM2CEA.exe	39
PID 592 wrote to memory of 2144	592	DEM2CEA.exe	39
PID 592 wrote to memory of 2144	592	DEM2CEA.exe	39

C:\Users\Admin\AppData\Local\Temp\6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe
"C:\Users\Admin\AppData\Local\Temp\6d44e4e21195001a32c2a89729489f4578716baf3a238aa73228b282b88bd082.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\DEM2C4E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2C4E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\DEM81FC.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM81FC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\DEMD71D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD71D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\DEM2CEA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2CEA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:592
      - C:\Users\Admin\AppData\Local\Temp\DEM81FD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM81FD.exe"
        6⤵
        Executes dropped EXE
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2C4E.exe

Filesize
20KB

MD5
20f83db8fd450a575856be0af397c7ff

SHA1
ed3910b44f85dd3542ac9f8629f2b64c71488b5f

SHA256
1eb9d4bec4aa7d73eff07ce8618d1af16985bcfed1f1739ad37b9aa20955f782

SHA512
faea9a455f09ebae24eb7af3784a85cfd9a5dd7ee07699d466af2fd3796063251c7497b914b8cfa3b7a2bfa8ad8ca8153899922316f67161b24a14b8a1a58d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM2CEA.exe

Filesize
20KB

MD5
8040ad00e37342c341e8827940261850

SHA1
84320928cfd6c371b111d2ec196db4274c795a9c

SHA256
7910d77aca7e388554ad4aa075bc5997a2150fb5df134bc222d03f4c862049c7

SHA512
657acb115507a120f12ebb21b63d5e63f0b1556763bd4d8006ab116c3b29a43fafdc57531d876343d2e00eb5241a4ab210f97ae3942eae38337108a6b925da28

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM81FC.exe

Filesize
20KB

MD5
91ab17afc6d46c84202832734b722c18

SHA1
937206f9c6cfcb30542011ea7b39bd2adaa80f64

SHA256
63606aff676d637e3d11f2160e2a87918246313d9b96300600097362c52178ee

SHA512
a350ba04942f2fef6cc911553cefd9ce39fa3748cc2aad047ce46dd5685179b14a19ed7112d44bf5e4d2d7cc6578f75a9323d223c170c0ef7663b956ab0a3f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM81FD.exe

Filesize
20KB

MD5
f4a83dfc03174351ea0c848230e8568d

SHA1
b22ceca16d9d0427ff9b36b5a44d1aaae805ec7b

SHA256
21435d93b67123873a2d693ce7e794a4fb1f01c8708dee0facb8e13b6a3d043b

SHA512
f24598408db633b03f11b32861d809504b401d820548f29e9c57824346c01a1cfad50baf382124bc317c6b12e42bc6c0dd09951b29194b5b3dc4ca71a1ab608e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD71D.exe

Filesize
20KB

MD5
d068146e3563d904fc211af47456d815

SHA1
ea27b28ba60120e2a5ec2e1ce1f68adbb5b10fcc

SHA256
cf600755337864490d9a5cf9f25419c2bd87008da6ca0d91c2e07584f6516f87

SHA512
c01bbe8cf5971ba58e45eea6e5ba9a324b5232158835d22d85af6d4fa7ddd345d6add1aae71382fadd0d8dbc3220e4b80c90779ac0ad996db5c36c332fba0072

Download Submit

Analysis

Sharing