4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026

General

Target

4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe
Size

15KB
MD5

19f18ab10754932bba68ab53cd71d16b
SHA1

36661fa85cbcb93a3bc8fdd9441a2f52995d1d99
SHA256

4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026
SHA512

c88fbb06014414037e4793a41e2a94782c5c44768ff00f0a334b66bcce6753961550539a43dad8d18ced04b24a9f8ca24fff57d15b55941b02ae3099c3271a63
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvFBjM:hDXWipuE+K3/SSHgxlFBg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2300	DEMD356.exe
2144	DEM2961.exe
2640	DEM7EE0.exe
1604	DEMD4FB.exe
1924	DEM2A5B.exe

Loads dropped DLL 5 IoCs

pid	Process
2308	4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe
2300	DEMD356.exe
2144	DEM2961.exe
2640	DEM7EE0.exe
1604	DEMD4FB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD356.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2961.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM7EE0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD4FB.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2300	2308	4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe	32
PID 2308 wrote to memory of 2300	2308	4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe	32
PID 2308 wrote to memory of 2300	2308	4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe	32
PID 2308 wrote to memory of 2300	2308	4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe	32
PID 2300 wrote to memory of 2144	2300	DEMD356.exe	34
PID 2300 wrote to memory of 2144	2300	DEMD356.exe	34
PID 2300 wrote to memory of 2144	2300	DEMD356.exe	34
PID 2300 wrote to memory of 2144	2300	DEMD356.exe	34
PID 2144 wrote to memory of 2640	2144	DEM2961.exe	36
PID 2144 wrote to memory of 2640	2144	DEM2961.exe	36
PID 2144 wrote to memory of 2640	2144	DEM2961.exe	36
PID 2144 wrote to memory of 2640	2144	DEM2961.exe	36
PID 2640 wrote to memory of 1604	2640	DEM7EE0.exe	39
PID 2640 wrote to memory of 1604	2640	DEM7EE0.exe	39
PID 2640 wrote to memory of 1604	2640	DEM7EE0.exe	39
PID 2640 wrote to memory of 1604	2640	DEM7EE0.exe	39
PID 1604 wrote to memory of 1924	1604	DEMD4FB.exe	41
PID 1604 wrote to memory of 1924	1604	DEMD4FB.exe	41
PID 1604 wrote to memory of 1924	1604	DEMD4FB.exe	41
PID 1604 wrote to memory of 1924	1604	DEMD4FB.exe	41

C:\Users\Admin\AppData\Local\Temp\4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe
"C:\Users\Admin\AppData\Local\Temp\4ce2aa845942322218471de9d3b776dd12d04a15d5b959fffeb9d83dab524026.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\DEMD356.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMD356.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\DEM2961.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM2961.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\DEM7EE0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM7EE0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\DEMD4FB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD4FB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Users\Admin\AppData\Local\Temp\DEM2A5B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2A5B.exe"
        6⤵
        Executes dropped EXE
        
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2961.exe

Filesize
15KB

MD5
cc8abc55d6f360e18b2413b7f6ae49c5

SHA1
aa1a784829b5cde23ae72b54d85b669efb27e2d6

SHA256
e7380b76bc2ec83cef2926f4187c00aa5e11ac030b8226f41eb4f03474e0b978

SHA512
b0769a5112818ed5927041eaab1a23c796a333c9954f7e6e58f237438bbdab7b984ec4067f26c2175ba2ce7dae0f1c54d892953be2669beaf62b552e1ef19b44

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2A5B.exe

Filesize
15KB

MD5
0cdaf7064fc733d50c0463988c28fce8

SHA1
ea3af23ace5c9b3033cff12d5d011907493dbcb8

SHA256
70f7ac6d98ada07eb8c257502623c589a0d24b463aca18b6404e1c1cebb61e87

SHA512
6e7dd6e486d8ea4a847a9fe15cd9b35cbafb2eb674a1c03c3fca1ce6e4acd13e0d2c446694829135909b5c6ae77af932c16d05b4f27d5976b6adc1aba70ef408

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7EE0.exe

Filesize
15KB

MD5
575c6b182510f2cfe563e1d91b6c702b

SHA1
9359c6132e73e57c5b28e38bc5b19d758035f4b5

SHA256
bb30b36fe0ac593c5d8fc80f59292d1429b84f8a2ed0dfe8d319ee5d0d2446d7

SHA512
8cb19db75aefec02b76ffabc50a799f67430abbea0335c9397b66b8a9540d7fae0cc84272d073e1ad5b205722317795ec36f527bd42cd957fe2c9d6ddf70fe3b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD356.exe

Filesize
15KB

MD5
e68ce27ff394b70f8b1a80d66d7fd82f

SHA1
fee3f23695f4a00effae1dcbfe3412f32b76cb04

SHA256
efc1b4a2be7c60b3b695aa9ed01cde8e35b77743cfdd99693fe4f8984fc01ee9

SHA512
32b8bec0f396b1933858aaee75886b12b145d5ed8886ae8538dc11e41ee33b8e85fd7e388c76a1a776ef2b5cb08f165f02cc5469ef4d4eae2adc516fa12daa82

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD4FB.exe

Filesize
15KB

MD5
f1e38b8bc7e98d567bc4eb17ab5d4b62

SHA1
d9dba08bbe2c530a4377dd90a054816e619364c0

SHA256
74751336a56700f4d54d758acb842ff50be06b6e305500922b359a337363efc9

SHA512
5d7f53e6b9f353d7021c61add05198749a3d826094b84a11c7bc65ff5e3ec5242952c4a9923d2fbdf0b5555d5bc690f80bdbecbfd629a957e976627e5ed227bd

Download Submit

Analysis

Sharing