911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9

General

Target

911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe
Size

16KB
MD5

afcb33445de14f1df5c4ac93054b0f75
SHA1

e67c10c3b28fd6d8df1374f43b4874b62bbed0b5
SHA256

911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9
SHA512

7b858f7371705bce083c5cee32938a2006bcedad3399ff92ff023c22dd59014d8eada9ba8cffcae7b2a67c221af05bc07ceefb024411fb2b2b800397de901660
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx9Mi:hDXWipuE+K3/SSHgxmH7Mi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2420	DEMBE9E.exe
2448	DEM140D.exe
2760	DEM6A09.exe
1628	DEMC033.exe
2152	DEM1584.exe

Loads dropped DLL 5 IoCs

pid	Process
2404	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe
2420	DEMBE9E.exe
2448	DEM140D.exe
2760	DEM6A09.exe
1628	DEMC033.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM140D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6A09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC033.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMBE9E.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2420	2404	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe	32
PID 2404 wrote to memory of 2420	2404	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe	32
PID 2404 wrote to memory of 2420	2404	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe	32
PID 2404 wrote to memory of 2420	2404	911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe	32
PID 2420 wrote to memory of 2448	2420	DEMBE9E.exe	34
PID 2420 wrote to memory of 2448	2420	DEMBE9E.exe	34
PID 2420 wrote to memory of 2448	2420	DEMBE9E.exe	34
PID 2420 wrote to memory of 2448	2420	DEMBE9E.exe	34
PID 2448 wrote to memory of 2760	2448	DEM140D.exe	36
PID 2448 wrote to memory of 2760	2448	DEM140D.exe	36
PID 2448 wrote to memory of 2760	2448	DEM140D.exe	36
PID 2448 wrote to memory of 2760	2448	DEM140D.exe	36
PID 2760 wrote to memory of 1628	2760	DEM6A09.exe	38
PID 2760 wrote to memory of 1628	2760	DEM6A09.exe	38
PID 2760 wrote to memory of 1628	2760	DEM6A09.exe	38
PID 2760 wrote to memory of 1628	2760	DEM6A09.exe	38
PID 1628 wrote to memory of 2152	1628	DEMC033.exe	40
PID 1628 wrote to memory of 2152	1628	DEMC033.exe	40
PID 1628 wrote to memory of 2152	1628	DEMC033.exe	40
PID 1628 wrote to memory of 2152	1628	DEMC033.exe	40

C:\Users\Admin\AppData\Local\Temp\911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe
"C:\Users\Admin\AppData\Local\Temp\911816f9a7fba984dd6b83daec9d659e3560a83f7280a0085cf57d877159aeb9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\DEM140D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM140D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\DEM6A09.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6A09.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\DEMC033.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC033.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\DEM1584.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1584.exe"
        6⤵
        Executes dropped EXE
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM140D.exe

Filesize
16KB

MD5
9a1f5f3a13ae1f040e67e587d64e5b4f

SHA1
9b7476bbb3286efb9ec38fb1347c834e6a4a11da

SHA256
9a848b41b8a94523f1e20c32dfb4d761e62e2b7ecc91abba86b67867a4db3180

SHA512
9a5838750e035d405e91b22c4ea5ed61fb42c4906bc7210e8c8fc35bd5a9636cb158b9feec357e0e9a74369ad33928d5be212f29c87bf03c953336c8c6697753

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE9E.exe

Filesize
16KB

MD5
a4203c4097e8c34984339023f5ae0ccc

SHA1
6485f318942100fe592432c033f85e4c3d513890

SHA256
7f35ccecb9a2148c834d9d7b40531e7546e4ce76b8bdf8202a4bc778546006c9

SHA512
83d74b8d8903e67e98e3e253fda5a31f5a8d96af1ce938e031d57f0c77ba76b44fb22a9bbbc4689135cb317746641454909f9887bbe2dfb631c2180583a19f73

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1584.exe

Filesize
16KB

MD5
3ff2e91b22f6981ac6e9033b1f082e27

SHA1
ec080587cb029f0330949f5aec3a4cde810dd420

SHA256
d8ae20c0099b8cc02c0f27fe3ea9ef6b76a325635c04e3813fea3405adf7e05d

SHA512
4391a4067886cd440ea3b768ff41779efdc30c076089c21c19828471f302e1e70bce1b60cbe12053066ea61a4914f2b6d13885fb3c1caed9dba7dac58d43c10e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6A09.exe

Filesize
16KB

MD5
a0e273260dd9fde19628ad33fadc519d

SHA1
d6e023471e33a3e20be7edfabc09508d1f534dee

SHA256
a2ca29e8ba0e83f6aa120746ead2551ee1a547c631a60ee368cda675cceffa28

SHA512
e042b0f674f30b403c5946bb48177da804934adf9e50744ea44f8421b690f995799241ea183e0c463cfa5c88837461eea481cc085b04ad8f9749e837f542ef7b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC033.exe

Filesize
16KB

MD5
865a822d9bce80d7540c0ea40d275e17

SHA1
d23be4df5f1cf558ad47364b8f4426ae9d477240

SHA256
16d748440e980905ec2f415f65a02d95cac562bf8a4adf1ffa64d608ff2aa0f0

SHA512
0b8052fec4a6b80a2f2b349ecfe8a44f60966b48b627fc567dd6d78b950401a5fbe52400d9eaae6cc649079ea951ab7284c0a0c80e3cc73e2225b32f76a80909

Download Submit

Analysis

Sharing