8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421

General

Target

8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe
Size

20KB
MD5

39dcd3c52fe53af48b3133c9286a3275
SHA1

586d1efe24f1274b12a45768459b0f77e46b3360
SHA256

8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421
SHA512

ea8272b408a413d279b0f833ed3ddbcfe3234e63d810a832636bd2d14245eb50dfca0372e66b07137c6717f9dc314e904b3edb0290c2c62802b2adff6efd289f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4O:hDXWipuE+K3/SSHgxmHZO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2856	DEM7262.exe
2828	DEMC9A6.exe
268	DEM1F82.exe
576	DEM755F.exe
1704	DEMCBD7.exe

Loads dropped DLL 5 IoCs

pid	Process
2304	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe
2856	DEM7262.exe
2828	DEMC9A6.exe
268	DEM1F82.exe
576	DEM755F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC9A6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1F82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM755F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2856	2304	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe	30
PID 2304 wrote to memory of 2856	2304	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe	30
PID 2304 wrote to memory of 2856	2304	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe	30
PID 2304 wrote to memory of 2856	2304	8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe	30
PID 2856 wrote to memory of 2828	2856	DEM7262.exe	32
PID 2856 wrote to memory of 2828	2856	DEM7262.exe	32
PID 2856 wrote to memory of 2828	2856	DEM7262.exe	32
PID 2856 wrote to memory of 2828	2856	DEM7262.exe	32
PID 2828 wrote to memory of 268	2828	DEMC9A6.exe	34
PID 2828 wrote to memory of 268	2828	DEMC9A6.exe	34
PID 2828 wrote to memory of 268	2828	DEMC9A6.exe	34
PID 2828 wrote to memory of 268	2828	DEMC9A6.exe	34
PID 268 wrote to memory of 576	268	DEM1F82.exe	36
PID 268 wrote to memory of 576	268	DEM1F82.exe	36
PID 268 wrote to memory of 576	268	DEM1F82.exe	36
PID 268 wrote to memory of 576	268	DEM1F82.exe	36
PID 576 wrote to memory of 1704	576	DEM755F.exe	38
PID 576 wrote to memory of 1704	576	DEM755F.exe	38
PID 576 wrote to memory of 1704	576	DEM755F.exe	38
PID 576 wrote to memory of 1704	576	DEM755F.exe	38

C:\Users\Admin\AppData\Local\Temp\8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe
"C:\Users\Admin\AppData\Local\Temp\8ed40775c48cd5ded292bb9f9bd6ad16bc157a52a1b5896628313f2d2f8aa421.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\DEM7262.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7262.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\DEMC9A6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC9A6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\DEM1F82.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1F82.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Users\Admin\AppData\Local\Temp\DEM755F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM755F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:576
      - C:\Users\Admin\AppData\Local\Temp\DEMCBD7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCBD7.exe"
        6⤵
        Executes dropped EXE
        
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMC9A6.exe

Filesize
20KB

MD5
3ab91d8ea91f38b11859cf55eacd0802

SHA1
1e36ef45c0e1be39697d7b49095c0b7740211ec4

SHA256
b8936343b1bc2f9af75c192ee78c83cd28129fb9c405cf7086d119f87b96fe22

SHA512
e1867f74aaf6502c00d37cd5b32cd6cb41921b8b0c551c4d127ced69b109a11db5ce0864c08f02d408415ce480b424118b6eda9c17ea02dd9f9049c08bc0a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCBD7.exe

Filesize
20KB

MD5
dfb792d98872e3488c727b0f3f0a9ed1

SHA1
571163e6f66e140a0f0fb427b140d0c44d6bc07b

SHA256
71630b841bb3cb2e723241fd7c97cc24c7c9bd7e817bfa241e29a65ca82b5cab

SHA512
46ba5122309d13dc0e951a4abe663577f50fe25af9be888b922e244969d2e182aaeab9335fdf54d3318000f39982ffabd55926982559903bc9fa36d6a77552d3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1F82.exe

Filesize
20KB

MD5
8249d311c1fec476c9a82d58f6ebf25e

SHA1
091c427ab60cd669ec84c22728e39d0d51a54485

SHA256
535ffe796323aacb05dfe1f3314c332fff84163da8305b0e46803d901981feb4

SHA512
b0aadd8c62d0485064d3536dd0b60885a09c6d52ff655e4cf5e016cb893ede03b6e08d9892187a3ac95128a582add742578f1e269cd20834b9e21400ed2f282a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7262.exe

Filesize
20KB

MD5
7dbfe0ee95ea2f1c53829ff6a15c1e88

SHA1
80c245703004636028364c83a591f1284aee826e

SHA256
c72fe9792b4c597d51048ec83ec1850d87dd90bde40784ce2380f9b7a98e0369

SHA512
c28cbe14c326a5281321af62e2bee09c5bc34aa1c096d32d5ab9a11077d27600cfc46c11cb1581b78c1ba5310996371e918fcdb60385562155737961a07d858d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM755F.exe

Filesize
20KB

MD5
4007f7ba17ec843829ff83f7275c27c1

SHA1
0ffa747efeacc0703d3423fb887955fc1ff0280c

SHA256
2fa800b3171eb6f463e3c1bfd1c9c2e3e8b07918a3a246e9dd58612f74474545

SHA512
d0980b207386f631ef2aabce8ff2444d25c9ace9309e59ec86570335b9b6d909accc2a8234b3a234e2f9ac02f4f148eda0758f2568f34f1ae912fb7279ab8049

Download Submit

Analysis

Sharing