0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd

General

Target

0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe
Size

16KB
MD5

2e927661437de025daba278856cd8dc4
SHA1

77fd2f100ba14f2f715978e82efe3b09972088c7
SHA256

0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd
SHA512

49ce1f428ceae42daf7d5df6a23f8bdba359d13ed077fd2f7d9d849b66b4a8d8e75d3bc606d7187ef258c5205443f100724fbed388ccdbc9c6edf5996478a727
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxdZE:hDXWipuE+K3/SSHgxmHfK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2740	DEM8B6E.exe
2976	DEME0AE.exe
2196	DEM35DF.exe
2300	DEM8B5E.exe
1708	DEME0AF.exe

Loads dropped DLL 5 IoCs

pid	Process
1748	0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe
2740	DEM8B6E.exe
2976	DEME0AE.exe
2196	DEM35DF.exe
2300	DEM8B5E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B6E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEME0AE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM35DF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8B5E.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2740	1748	0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe	32
PID 1748 wrote to memory of 2740	1748	0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe	32
PID 1748 wrote to memory of 2740	1748	0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe	32
PID 1748 wrote to memory of 2740	1748	0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe	32
PID 2740 wrote to memory of 2976	2740	DEM8B6E.exe	34
PID 2740 wrote to memory of 2976	2740	DEM8B6E.exe	34
PID 2740 wrote to memory of 2976	2740	DEM8B6E.exe	34
PID 2740 wrote to memory of 2976	2740	DEM8B6E.exe	34
PID 2976 wrote to memory of 2196	2976	DEME0AE.exe	36
PID 2976 wrote to memory of 2196	2976	DEME0AE.exe	36
PID 2976 wrote to memory of 2196	2976	DEME0AE.exe	36
PID 2976 wrote to memory of 2196	2976	DEME0AE.exe	36
PID 2196 wrote to memory of 2300	2196	DEM35DF.exe	38
PID 2196 wrote to memory of 2300	2196	DEM35DF.exe	38
PID 2196 wrote to memory of 2300	2196	DEM35DF.exe	38
PID 2196 wrote to memory of 2300	2196	DEM35DF.exe	38
PID 2300 wrote to memory of 1708	2300	DEM8B5E.exe	40
PID 2300 wrote to memory of 1708	2300	DEM8B5E.exe	40
PID 2300 wrote to memory of 1708	2300	DEM8B5E.exe	40
PID 2300 wrote to memory of 1708	2300	DEM8B5E.exe	40

C:\Users\Admin\AppData\Local\Temp\0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe
"C:\Users\Admin\AppData\Local\Temp\0616040c06f68beffabcd57ea7e83701c05ce15627227b62c596de41ac89c8cd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\DEM8B6E.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8B6E.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\DEME0AE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME0AE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\DEM35DF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM35DF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\DEM8B5E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B5E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\DEME0AF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME0AF.exe"
        6⤵
        Executes dropped EXE
        
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8B5E.exe

Filesize
16KB

MD5
365ddd7fcf522a8ef8965c96f848c845

SHA1
d89d6b33692059e4c2e5def2f497b42ba69c7143

SHA256
22958ee3d68d55e52c38117208486241b87f18535d9874f7dcb6139f4492f37b

SHA512
a7eb45f04bf3ba6254c837f74d4dff23c4a646555a59d04ecaf6d9bc9fe10689ee3c090f521c3fbdc4491a15d5dd980ead50904e5ccbe24c712ffa05eed48d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME0AE.exe

Filesize
16KB

MD5
669dd7a267776655e9f52e66fb485ea0

SHA1
4c85656a97385c79490ea282d68e7c05a91db97c

SHA256
fb02e1d66198796a76c716c7af8b9f3170afebd04f816b01f1f3d35838ca0aa5

SHA512
5e96217d2ccb78fa2327d29ce3402df0970dcae78c11f5e4eee584a7d20f746b2a9cb0a593787962080ba55130f576e208bd864a1595a99f20c5f64baeb584e3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM35DF.exe

Filesize
16KB

MD5
0ad9193b055aa96b0a3922f36e0049ee

SHA1
53c2553455232d7e99892090269c7a028106ba9b

SHA256
d0168f87fb0e6a975719db6f679eee4a46279aa1d21f43fa361709892776412a

SHA512
fd769fceac2f8c1cae5eef8a991f8e38d6b7ad8ba64c434b6d721f6407871e2282f88bf6150b80ed80010e14e670a2d304dd15956841bb229e67f8c83146d137

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8B6E.exe

Filesize
16KB

MD5
a2221d2f122dc517b32ea11d8d2acd5f

SHA1
dd2f9384db8845e08e364cb00cb9d009fb9129d8

SHA256
414431329e61e60dde20b0d8e93239c27a422478b09130f03b79d243f16e37cc

SHA512
04b63be2ee00e2472bce1268a7e689ff740c3e922096ec098a48ab2d71a95024e5310828105eaf4e7874eed2cd24f2f4d6c72cee97676c717ac4b7d433211bca

Download Submit
\Users\Admin\AppData\Local\Temp\DEME0AF.exe

Filesize
16KB

MD5
6fb0c1678f4a66ea768f6d2224dde233

SHA1
24f8e6f76759e2630ebb80a5985f426b63acc7d0

SHA256
7d13fa8d83e73a3db2483b63171075cfeff2e499dcbb7b948ab58b1fd9945f01

SHA512
f7297c41fa7b2af9b73469831cbf77b62fd08fea921fd9862de388009d5e565c9d16ae9406e991d89b6bec55e96c7166f1ef678dfc068e1fb18df2afb4445da8

Download Submit

Analysis

Sharing