09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5

General

Target

09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe
Size

20KB
MD5

070c25bb63933e85a118c7c33fb96d4c
SHA1

3b5a3ae2368176f0a1a600b699b86adb7e5b96d9
SHA256

09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5
SHA512

a52715b9223f9c65fbb73a8b2edcd73ba68eedc42168db45d7da8ac9ae77cddea9cb7b8227168717a2d6442a20fcfde570dd6793c66dd5040fd6e5c82e5589a3
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4l:hDXWipuE+K3/SSHgxmHZl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2848	DEM20F8.exe
2796	DEM77CF.exe
1056	DEMCDF9.exe
2584	DEM23E5.exe
1588	DEM79B2.exe

Loads dropped DLL 5 IoCs

pid	Process
3052	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe
2848	DEM20F8.exe
2796	DEM77CF.exe
1056	DEMCDF9.exe
2584	DEM23E5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM20F8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM77CF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMCDF9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM23E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2848	3052	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe	31
PID 3052 wrote to memory of 2848	3052	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe	31
PID 3052 wrote to memory of 2848	3052	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe	31
PID 3052 wrote to memory of 2848	3052	09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe	31
PID 2848 wrote to memory of 2796	2848	DEM20F8.exe	33
PID 2848 wrote to memory of 2796	2848	DEM20F8.exe	33
PID 2848 wrote to memory of 2796	2848	DEM20F8.exe	33
PID 2848 wrote to memory of 2796	2848	DEM20F8.exe	33
PID 2796 wrote to memory of 1056	2796	DEM77CF.exe	35
PID 2796 wrote to memory of 1056	2796	DEM77CF.exe	35
PID 2796 wrote to memory of 1056	2796	DEM77CF.exe	35
PID 2796 wrote to memory of 1056	2796	DEM77CF.exe	35
PID 1056 wrote to memory of 2584	1056	DEMCDF9.exe	38
PID 1056 wrote to memory of 2584	1056	DEMCDF9.exe	38
PID 1056 wrote to memory of 2584	1056	DEMCDF9.exe	38
PID 1056 wrote to memory of 2584	1056	DEMCDF9.exe	38
PID 2584 wrote to memory of 1588	2584	DEM23E5.exe	40
PID 2584 wrote to memory of 1588	2584	DEM23E5.exe	40
PID 2584 wrote to memory of 1588	2584	DEM23E5.exe	40
PID 2584 wrote to memory of 1588	2584	DEM23E5.exe	40

C:\Users\Admin\AppData\Local\Temp\09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe
"C:\Users\Admin\AppData\Local\Temp\09e5a4eec1052046b34b41731a3ab0aae5886cd9d6e52e6a3b3cd5a06e10d3c5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\DEM20F8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM20F8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\DEM77CF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM77CF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\DEMCDF9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCDF9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\DEM23E5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM23E5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\DEM79B2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM79B2.exe"
        6⤵
        Executes dropped EXE
        
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM77CF.exe

Filesize
20KB

MD5
3d60f8df249cdcca306fa50317240a27

SHA1
8675d57adf50d9613f98276aa357d2f5381ce7a8

SHA256
6585ecbdf6b7ddf55a8d2622724df2b2c891eed38b135ec2d60a9402b4fb53ee

SHA512
18bf5824fd42eb68cdca12e1c32d9b9ec4a925c944b0b578f82f37a26232dbde516c771a289725693047d053f158f0e5ec4389a49da7ca7a0be7f784110144e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCDF9.exe

Filesize
20KB

MD5
a56d516d0f1a91c03c7db96430c5d540

SHA1
311bfcf93ba04ae93fd3469cb6a602f36ebd9073

SHA256
32a9585cf120078b0236acd05ec2a251b72e4c0342db96f9e4b44682e7d20e33

SHA512
6a78af43c6518310628656fc5ebb6757a66bf59ac2283ef55946395e4b9a4c49f93bc15aa49f6b28b886c63c4073167a709355d315ed3122c1a56a8ee38bce04

Download Submit
\Users\Admin\AppData\Local\Temp\DEM20F8.exe

Filesize
20KB

MD5
df76bc3c13cfd06b44da15eac51b1dd3

SHA1
b6d6cdd605d75a66d81b3c6ec54da00eeb30d88c

SHA256
12fada7283249fdd02abcf518dcdd2987922183dad233cde8b72c6e4846db216

SHA512
a54b2cdc4c0fafede6108a24b2d001caafb54218310ec5c63f75a7114a249f922c6d0e4977fd7459caa9a99a06d92b4bf27dd04ef0fbc3b65d5dc05158384869

Download Submit
\Users\Admin\AppData\Local\Temp\DEM23E5.exe

Filesize
20KB

MD5
45c8b513d508024ec676fb09cb337c2b

SHA1
8fbc8d1bfb90cfccd9e460877951ffa8fb7f378e

SHA256
d368ea2e9c0a4833d1b779b259c082e5d8548a7346ab74ce0f1431f0bac434c8

SHA512
6f764355ba2013cf18368f709fe301c3df9c9f3dd8c3fd490092d9dac07ee567575c3ab3a4cccf7def52963e3f5dab0617646fc681a6604f6ab302d5a624b4c4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM79B2.exe

Filesize
20KB

MD5
932d39da6067eb6f9a12584038bda276

SHA1
fd2ee745bf3e7ae9e0de3dca00a13429560a5cc9

SHA256
ead657fe81d058205e502f23725349bd527ed7f2faa470d80a97c160f99566a4

SHA512
1c017054b1e931fa29121ca8e0418aa0f19b3e837d53a182e8799749a15e75f78fae54ca6dee4ce836611cdc3b01a4987751c6ad60842a8e080c18ac25a7fcf7

Download Submit

Analysis

Sharing