0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f

General

Target

0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe
Size

20KB
MD5

ca046b72871ca2517a5f53e65500e8cb
SHA1

fc78d94d5deea938aad596bf91e345c3213e061f
SHA256

0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f
SHA512

2befe87ebb28fb391b4077e036b083e1594b1f486d6a7300c92b450f074c1d39c9ca5106e6576d833a09923a9c6d5b681496bd6e5ee968d06a67fb695450bc6c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4Q:hDXWipuE+K3/SSHgxmHZQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2944	DEM31E9.exe
2996	DEM8862.exe
2028	DEMDE3E.exe
2320	DEM3488.exe
2568	DEM8A74.exe

Loads dropped DLL 5 IoCs

pid	Process
2380	0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe
2944	DEM31E9.exe
2996	DEM8862.exe
2028	DEMDE3E.exe
2320	DEM3488.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM31E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8862.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMDE3E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3488.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2944	2380	0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe	30
PID 2380 wrote to memory of 2944	2380	0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe	30
PID 2380 wrote to memory of 2944	2380	0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe	30
PID 2380 wrote to memory of 2944	2380	0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe	30
PID 2944 wrote to memory of 2996	2944	DEM31E9.exe	32
PID 2944 wrote to memory of 2996	2944	DEM31E9.exe	32
PID 2944 wrote to memory of 2996	2944	DEM31E9.exe	32
PID 2944 wrote to memory of 2996	2944	DEM31E9.exe	32
PID 2996 wrote to memory of 2028	2996	DEM8862.exe	34
PID 2996 wrote to memory of 2028	2996	DEM8862.exe	34
PID 2996 wrote to memory of 2028	2996	DEM8862.exe	34
PID 2996 wrote to memory of 2028	2996	DEM8862.exe	34
PID 2028 wrote to memory of 2320	2028	DEMDE3E.exe	36
PID 2028 wrote to memory of 2320	2028	DEMDE3E.exe	36
PID 2028 wrote to memory of 2320	2028	DEMDE3E.exe	36
PID 2028 wrote to memory of 2320	2028	DEMDE3E.exe	36
PID 2320 wrote to memory of 2568	2320	DEM3488.exe	38
PID 2320 wrote to memory of 2568	2320	DEM3488.exe	38
PID 2320 wrote to memory of 2568	2320	DEM3488.exe	38
PID 2320 wrote to memory of 2568	2320	DEM3488.exe	38

C:\Users\Admin\AppData\Local\Temp\0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe
"C:\Users\Admin\AppData\Local\Temp\0579e882cb23aa618bf52279b7ab3a873bd4a2b4a480b87b9ffb9e2a7a06cb0f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\DEM31E9.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM31E9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\DEM8862.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8862.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\DEMDE3E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDE3E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\DEM3488.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3488.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\DEM8A74.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A74.exe"
        6⤵
        Executes dropped EXE
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM31E9.exe

Filesize
20KB

MD5
264868d55716b7ae8af9b9049a78726b

SHA1
3e12611f2f9c3d46a9effa6ef47aa43638145a8f

SHA256
90b781c760bd7ce9de376f95417833ebbbd9aabf002d0f35d7600415800ecf85

SHA512
b4d89013c043f8dc0254fa39441531189a48ab31d524520601596040ab7edff8175746745172955d2c7473eb5862f306420fd669b7eae18cdac5edbcaf024a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3488.exe

Filesize
20KB

MD5
c9a17021a51a5fae0787ec65a619b18f

SHA1
d42d134decb399191466d1e70d0f2c732b2bd779

SHA256
1c2a5cad6444b0a15249e6728db83f055d6caa8b00162da41aa6d22a6a90c47d

SHA512
cc7d42a2fecf249bea016804a876de28a482d47481e7face1829320fbc32c8692d19d53e957d1adcd15aad0968479c60e8507912bf7bb0072b7f6a44c721dcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8862.exe

Filesize
20KB

MD5
48063fbc40bf8b991da4ccc76366c9b9

SHA1
d9af880ca84926433305675d8c1ba8694cf7b57f

SHA256
e342a4269b2095bad84c4c62e9d0a7f19e787d3693db2df8a58d1c61079f7562

SHA512
250708b9a9cbec2f1113082ba41f28803c845ca52adab8e321abbbe5a99332faf478d059e00d4005937a2d14986c3fe18dd8f847417f4c4d5907db1c70377579

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8A74.exe

Filesize
20KB

MD5
a87ca9e2479e52cf87fc150ed8c23348

SHA1
52779cfea798b284faa0fff9e5b3cf6ae8e2fe78

SHA256
e085d0965ffc221a58c8bab944bf512781c407ff2154db1484fb1347eed7cbf7

SHA512
132971dffd3390a4f731f12ee38f59f42c048402a4d9206e4a5448444df74739d1005a996f07710b08176200f6ca0823f4836762a0ec59b871cbd2d158fb994d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDE3E.exe

Filesize
20KB

MD5
36e36dcc0ca82e08140c11af3e1fe977

SHA1
e9d8fa9261b43f1343904088ead5593b0333d8ef

SHA256
3a0ce0c5d3f74f382b0482229b5934d1cedfcaf10996557d44c39db0e2a9e1e8

SHA512
c7d441cd12e361b6e21ddc0e288f67cf42de9f99b0dd1768e6cceca3ff0982c8d8926eb01aff77ee47a7da139f983f8fd808e2b1f3ad82db40f08329e0eb9b77

Download Submit

Analysis

Sharing