ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe

General

Target

ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe
Size

15KB
MD5

753ca55de628252f684c132f47a61835
SHA1

6f2a850a689fe4ff6f805b6c201f167866ec09c3
SHA256

ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe
SHA512

e90790c24aa03ff24ca9bc56e67bdc96a833eb3478acf9fb109f65431121b071323164dee6a98684d451674dbc02b7720bf9b22cf374d9ca4b6a092bc2bd5510
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pjW2UWXq:hDXWipuE+K3/SSHgx49WdWXq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2736	DEM4192.exe
2072	DEM982A.exe
3028	DEMEEA3.exe
2240	DEM44BE.exe
296	DEM9B36.exe

Loads dropped DLL 5 IoCs

pid	Process
2448	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe
2736	DEM4192.exe
2072	DEM982A.exe
3028	DEMEEA3.exe
2240	DEM44BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4192.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM982A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMEEA3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM44BE.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2736	2448	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe	31
PID 2448 wrote to memory of 2736	2448	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe	31
PID 2448 wrote to memory of 2736	2448	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe	31
PID 2448 wrote to memory of 2736	2448	ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe	31
PID 2736 wrote to memory of 2072	2736	DEM4192.exe	33
PID 2736 wrote to memory of 2072	2736	DEM4192.exe	33
PID 2736 wrote to memory of 2072	2736	DEM4192.exe	33
PID 2736 wrote to memory of 2072	2736	DEM4192.exe	33
PID 2072 wrote to memory of 3028	2072	DEM982A.exe	35
PID 2072 wrote to memory of 3028	2072	DEM982A.exe	35
PID 2072 wrote to memory of 3028	2072	DEM982A.exe	35
PID 2072 wrote to memory of 3028	2072	DEM982A.exe	35
PID 3028 wrote to memory of 2240	3028	DEMEEA3.exe	38
PID 3028 wrote to memory of 2240	3028	DEMEEA3.exe	38
PID 3028 wrote to memory of 2240	3028	DEMEEA3.exe	38
PID 3028 wrote to memory of 2240	3028	DEMEEA3.exe	38
PID 2240 wrote to memory of 296	2240	DEM44BE.exe	40
PID 2240 wrote to memory of 296	2240	DEM44BE.exe	40
PID 2240 wrote to memory of 296	2240	DEM44BE.exe	40
PID 2240 wrote to memory of 296	2240	DEM44BE.exe	40

C:\Users\Admin\AppData\Local\Temp\ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe
"C:\Users\Admin\AppData\Local\Temp\ec9d2aaa2b8c5431a3b865330e95948a7bf62f925996c09f9b6065120d5b8dfe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\DEM4192.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4192.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\DEM982A.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM982A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\DEMEEA3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEEA3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\DEM44BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM44BE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\DEM9B36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9B36.exe"
        6⤵
        Executes dropped EXE
        
        PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM982A.exe

Filesize
15KB

MD5
2d7c707b7bc0bddaa4cdf3a6c02c7c9f

SHA1
4ac891c9b09f0c7ae3ea9c1f0bd63d729bc0535c

SHA256
8aaf01cb0b59744971689d7b56f7ef5e3e83bcb1e588a65821a0e54e7e94e94b

SHA512
f2a311ccdae50e335fe8f35feab710f42feb6b51f579f2b01761200d75e157a332f3c4c7c123d0de5b6ee16f83e4f66f9204c8f0c9a2338e54fbf42c244688eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B36.exe

Filesize
15KB

MD5
25ec221cf0ed13c231d6e8da72c58873

SHA1
d4838ec3032539d019fecc9253423f94578af443

SHA256
f860b3452db9e1c76d9eafe1015d556928c7b8e738f5bb7662a74fc09b36682e

SHA512
9facb6b1c75c027bd6437cf09a146f0ff3d461b0bc7e4027fe403dc3037481f8e8300cd7d10a27140a03294a5c71896a0f5262ce372d3bbcce704e2951848836

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEEA3.exe

Filesize
15KB

MD5
75409dc2bbcdda163142e5748bd65f25

SHA1
e2338816c2884c38effa3065793cc2f17f0fa197

SHA256
e7beb9b9fd9e0855ba1276dc4a9c0c159bc2b239cef57a8062d30e28dfdac5a3

SHA512
6feac49ce910ce8fb07afeaf18c700d0661eed39c2a7430f1efb671d32af2b2b0c01f6f8df93d58780832621456706025f8a4b438fe60a8fee2ad91788379c4f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4192.exe

Filesize
15KB

MD5
dd9c7dfb2ca3d1303add8fcfd02c3a83

SHA1
5af8216f66e76e02cd0373b29f2d90c2e1284f91

SHA256
aec8627aa52b1849b6f19e5904055fe391e76dae61ec0e163b97a3153b86fa87

SHA512
7bff7ba3ee779d87a853a90575571f8d706a0fd918ecbdc0e4d2567ed7e2dea3509fa58ff35dfae3123b2282c1f876c056b1e75c91f59a0cf2f44ed8d71a2c20

Download Submit
\Users\Admin\AppData\Local\Temp\DEM44BE.exe

Filesize
15KB

MD5
bf735f4e878276e4277720998145f248

SHA1
3097c4bd93ddcecad4b56803e18a751c8457b02e

SHA256
2e55058a7b68aa17aae25c99a51f7de5ae26e6d3ddc85e2edac0d13941ad445d

SHA512
4e42574e1419e480a516afcdb3ef471e2e7c073b58ff4fc7b77d851012c4fdd4114254d44320fd3438f09e20dd49a2998f9adaab1c038fd45e24fcdd3f525b5f

Download Submit

Analysis

Sharing