f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe

General

Target

f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe
Size

15KB
MD5

fb205082e70e21514ee98e8040d1fe6e
SHA1

29f28814579538e7728f3ad954a680748fe7fba9
SHA256

f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe
SHA512

42fc42c1cb77c7b0025e58f47daa9f05134867f439eb9f0afa83c000ca0f485a4ea5bde906a53315310edb3fd809d4bf575958383f5065247f375efa6858685e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hEuBfT:hDXWipuE+K3/SSHgxmMR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2928	DEME984.exe
2672	DEM3F70.exe
3028	DEM94A1.exe
1216	DEME9D2.exe

Loads dropped DLL 4 IoCs

pid	Process
2268	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe
2928	DEME984.exe
2672	DEM3F70.exe
3028	DEM94A1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM3F70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM94A1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME9D2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2928	2268	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe	32
PID 2268 wrote to memory of 2928	2268	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe	32
PID 2268 wrote to memory of 2928	2268	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe	32
PID 2268 wrote to memory of 2928	2268	f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe	32
PID 2928 wrote to memory of 2672	2928	DEME984.exe	34
PID 2928 wrote to memory of 2672	2928	DEME984.exe	34
PID 2928 wrote to memory of 2672	2928	DEME984.exe	34
PID 2928 wrote to memory of 2672	2928	DEME984.exe	34
PID 2672 wrote to memory of 3028	2672	DEM3F70.exe	36
PID 2672 wrote to memory of 3028	2672	DEM3F70.exe	36
PID 2672 wrote to memory of 3028	2672	DEM3F70.exe	36
PID 2672 wrote to memory of 3028	2672	DEM3F70.exe	36
PID 3028 wrote to memory of 1216	3028	DEM94A1.exe	39
PID 3028 wrote to memory of 1216	3028	DEM94A1.exe	39
PID 3028 wrote to memory of 1216	3028	DEM94A1.exe	39
PID 3028 wrote to memory of 1216	3028	DEM94A1.exe	39

C:\Users\Admin\AppData\Local\Temp\f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe
"C:\Users\Admin\AppData\Local\Temp\f94ea1ca73599b05a75572915fabb96c2062b3912de06bf356ea386fd77e6dfe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\DEME984.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME984.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\DEM3F70.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM3F70.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\DEM94A1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM94A1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\DEME9D2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME9D2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1216
      - C:\Users\Admin\AppData\Local\Temp\DEM3F32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3F32.exe"
        6⤵
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3F32.exe

Filesize
15KB

MD5
cd5869e9fe1051b7eeff087b6d174498

SHA1
a34636b00d78d0620aa17addf51979ea53513ce3

SHA256
eebbeeb92ac7de306f706dd0fc08e3f3a665bc50eb8e59f60edbbe60582e6a35

SHA512
cc8dda202e1ccfd49e119c78ba2520276fa8a69cf23dffe0aac649f16437e481a5338d7a3601d65e0ff6ac0805c01a9b9d19b1ca6949eba252dc4032b819006b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3F70.exe

Filesize
15KB

MD5
85c3d908fb6c59cc5c32f49802f0dda1

SHA1
33eaf374d226cccc17021a89b3c21b9bff911d42

SHA256
12969b637a7392314d0d06d4c3359caac928cf17bfd8a441bd09ce21bc87a805

SHA512
40786e795da9f8c01a4f83c974a6a2d63e328462f136e4a8d341094cb7f244165cdfeac2df453527d40480c71b7e13fa98009e7a2af15ad08eee4985e33c70fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME984.exe

Filesize
15KB

MD5
1c5212c9c8a552dc05be023fb5e25d69

SHA1
254d61d197ceb3313d38afb41f87e777e0c63502

SHA256
2ef3c66f0505f0e0658658cb425e2b33a6f6da1837803a5ec7a606123e80a888

SHA512
5843cb2d08bd6cfa05990437fdb13ce17b2a9d19d670e4b1f72b9fdb3b4becc0864d13cee717f1edd38c4255172862d78e3030255c8c28a102d91171afcb9a17

Download Submit
\Users\Admin\AppData\Local\Temp\DEM94A1.exe

Filesize
15KB

MD5
db3eac9565557ff4ccd810291c3298ec

SHA1
e20d2c13d4713e01aa479544b3192f5c1e032df0

SHA256
988c295b837aec98387238ceb8bc826c8d7f6dde2f679a41bea1e8f6559f7e45

SHA512
fd4fd854897047bf7fe5c0a374fbf4574defb34198d0d7f73343635628b66350115d368b3c167947b03f580f28a575650fc6466744805a89a52df92722c534fe

Download Submit
\Users\Admin\AppData\Local\Temp\DEME9D2.exe

Filesize
15KB

MD5
b42d1a617a6fd17526289bf037c001b0

SHA1
bb6ce513c6729ce422c772673351aa95eb07754f

SHA256
8612f0b51e463d6c0ca8e5907ba8d8ae850dc49c18c8a1f61c6ecc7fab60438b

SHA512
dfeb21c0a51863605299f01bf4b01e01f1398805aed1df2bf2cc012d29c6a596352af5643793344913b90e017778bb067a33b4a5db20469700b7a9ff5be4793f

Download Submit

Analysis

Sharing