50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874

General

Target

50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe
Size

14KB
MD5

d0ee06a79759d0d5cf7b2aaa5cfd652a
SHA1

ef8ddd561e0b79156c44eb851da4af12bc156df8
SHA256

50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874
SHA512

542bcba1a3e663457678ee46dcb6fbd3e8177d512a0c54d683842c64529d03774992d4146edd1fec03472cf911a569c9ae306faa0c28ef127b60c3a3a59e4e1d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv5i5:hDXWipuE+K3/SSHgxl5i5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2968	DEM6BAE.exe
1164	DEMC10E.exe
2708	DEM167D.exe
1096	DEM6C3B.exe
844	DEMC15C.exe

Loads dropped DLL 5 IoCs

pid	Process
2912	50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe
2968	DEM6BAE.exe
1164	DEMC10E.exe
2708	DEM167D.exe
1096	DEM6C3B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6BAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC10E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM167D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6C3B.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2968	2912	50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe	31
PID 2912 wrote to memory of 2968	2912	50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe	31
PID 2912 wrote to memory of 2968	2912	50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe	31
PID 2912 wrote to memory of 2968	2912	50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe	31
PID 2968 wrote to memory of 1164	2968	DEM6BAE.exe	34
PID 2968 wrote to memory of 1164	2968	DEM6BAE.exe	34
PID 2968 wrote to memory of 1164	2968	DEM6BAE.exe	34
PID 2968 wrote to memory of 1164	2968	DEM6BAE.exe	34
PID 1164 wrote to memory of 2708	1164	DEMC10E.exe	36
PID 1164 wrote to memory of 2708	1164	DEMC10E.exe	36
PID 1164 wrote to memory of 2708	1164	DEMC10E.exe	36
PID 1164 wrote to memory of 2708	1164	DEMC10E.exe	36
PID 2708 wrote to memory of 1096	2708	DEM167D.exe	38
PID 2708 wrote to memory of 1096	2708	DEM167D.exe	38
PID 2708 wrote to memory of 1096	2708	DEM167D.exe	38
PID 2708 wrote to memory of 1096	2708	DEM167D.exe	38
PID 1096 wrote to memory of 844	1096	DEM6C3B.exe	40
PID 1096 wrote to memory of 844	1096	DEM6C3B.exe	40
PID 1096 wrote to memory of 844	1096	DEM6C3B.exe	40
PID 1096 wrote to memory of 844	1096	DEM6C3B.exe	40

C:\Users\Admin\AppData\Local\Temp\50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe
"C:\Users\Admin\AppData\Local\Temp\50e49791726cd9955cdca97b1eec8f63595bd50c5e4bd0821fa43a351caaa874.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\DEM6BAE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6BAE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\DEMC10E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC10E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\DEM167D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM167D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\DEM6C3B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6C3B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\DEMC15C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC15C.exe"
        6⤵
        Executes dropped EXE
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6C3B.exe

Filesize
15KB

MD5
1ca4ea65edc3aafc889c99ce9cfcb0f3

SHA1
a1bc476c90938313eeb3247ac52dc9a81e873a3f

SHA256
a3d177aa0d40ff816a07eba3c439dfbcbd954f7c0b299e5d16c525585767cdbb

SHA512
a0ceeee236ff25051d42fffa180af29ac09bb3f7c37f4ad814eacb43fb3b053d214c68b6a8e821acee28aa0d9a4a0a8c32f39e73a3b60438c765561e4d51cdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC10E.exe

Filesize
14KB

MD5
48dc66d38e12bb533c9a6cc8c66b8335

SHA1
33495558dbfba1cf522a607c34c464fcb7f138cd

SHA256
6347a36b30f30ad3c671f514e6c95fec4f5fce25957b291bb23bbba76dbbc2e3

SHA512
e76019b652e61673c9afda4d27c978cb85bc013d61a77458d2ee671589d4bf4000b34efa493ed600831cc1f530aa2a809b1b53fb9abbfee1964f401269ae641a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC15C.exe

Filesize
15KB

MD5
1fa65b9da30ad3de5067915072b9879d

SHA1
73c8a7d16ecd26906129a3564fab69c417b9c940

SHA256
c5164b121ea10aa5635269eb2062471b389470c3ab19482694c851b8bee5b577

SHA512
ce54500010eacc1e4980180ad9a6d4dd5aed19b15016fb82e02eb2843fad966a89b318c8771761bf4e7f1f23d3853f1fa163eecfd49dcfbc82524e52bfc913b5

Download Submit
\Users\Admin\AppData\Local\Temp\DEM167D.exe

Filesize
14KB

MD5
66c0e902573a5660ae0c5df0b435c94b

SHA1
33ac6ee06905fd8f4c2074eeab860c4d037b9d6f

SHA256
a1dd7c3e189afda4cc3032189c22b485479f53e3bb1c908f478e225cb7dd27bb

SHA512
5d7210a1d25170facd6018b08f2f5daa2e460d66be0739bfbe5442b7f3d56dc590a041b2c7e908fac680113675ad35149d5047cb3eed1e435d2dc1a9934f8b1b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6BAE.exe

Filesize
14KB

MD5
31b10b34b9fac23d064880818152b3f8

SHA1
2d19ee328a6b10c9680dad3ad17d3a619165e0b6

SHA256
569d6452dc2fb250faa074e9bb68f47565e4e9208d538cafc6462c77ccd60fd3

SHA512
3de39f867fc83753a4d51fd778ef91a5865875283eb98a1050b36ae6043ef85aac91152b68352f437c87b40dcb10bb9d5bf677e12996d06d80e3ec5b8b6147a1

Download Submit

Analysis

Sharing