a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344

General

Target

a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe
Size

20KB
MD5

b67c39f7c15c7cda906350be13ec4c02
SHA1

94ca8a6416ee18c5edfd45eb52532f7c420a701e
SHA256

a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344
SHA512

60ed0a9a9432e12e42684f490d0f61098aff7b43cae5657c899373bef4448ace93eb3e35f0926746cb1af7e03da5bea59f16e6138bd3efcb7f39554a43f7409b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L45t:hDXWipuE+K3/SSHgxmHZb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2956	DEM6D73.exe
480	DEMC311.exe
3068	DEM1851.exe
2068	DEM6DB1.exe
1816	DEMC312.exe

Loads dropped DLL 5 IoCs

pid	Process
2244	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe
2956	DEM6D73.exe
480	DEMC311.exe
3068	DEM1851.exe
2068	DEM6DB1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6D73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC311.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1851.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM6DB1.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2956	2244	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe	31
PID 2244 wrote to memory of 2956	2244	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe	31
PID 2244 wrote to memory of 2956	2244	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe	31
PID 2244 wrote to memory of 2956	2244	a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe	31
PID 2956 wrote to memory of 480	2956	DEM6D73.exe	34
PID 2956 wrote to memory of 480	2956	DEM6D73.exe	34
PID 2956 wrote to memory of 480	2956	DEM6D73.exe	34
PID 2956 wrote to memory of 480	2956	DEM6D73.exe	34
PID 480 wrote to memory of 3068	480	DEMC311.exe	36
PID 480 wrote to memory of 3068	480	DEMC311.exe	36
PID 480 wrote to memory of 3068	480	DEMC311.exe	36
PID 480 wrote to memory of 3068	480	DEMC311.exe	36
PID 3068 wrote to memory of 2068	3068	DEM1851.exe	38
PID 3068 wrote to memory of 2068	3068	DEM1851.exe	38
PID 3068 wrote to memory of 2068	3068	DEM1851.exe	38
PID 3068 wrote to memory of 2068	3068	DEM1851.exe	38
PID 2068 wrote to memory of 1816	2068	DEM6DB1.exe	40
PID 2068 wrote to memory of 1816	2068	DEM6DB1.exe	40
PID 2068 wrote to memory of 1816	2068	DEM6DB1.exe	40
PID 2068 wrote to memory of 1816	2068	DEM6DB1.exe	40

C:\Users\Admin\AppData\Local\Temp\a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe
"C:\Users\Admin\AppData\Local\Temp\a63a152dc59ff1f1f9e9fb6a9dfdfbbfacdacc1e593af6bb408cdeb766f86344.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\DEM6D73.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6D73.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\DEMC311.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC311.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:480
  - - C:\Users\Admin\AppData\Local\Temp\DEM1851.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1851.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\DEM6DB1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6DB1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Users\Admin\AppData\Local\Temp\DEMC312.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC312.exe"
        6⤵
        Executes dropped EXE
        
        PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMC311.exe

Filesize
20KB

MD5
33d01d8ab1af48f71a3502eee1c953e5

SHA1
95c1720d595894d47361d19a8f23edc18d51aab8

SHA256
35b789e469dafea28ad167e28efd05aaace51104b20035df4501f090420472d6

SHA512
ef834ce597c1d56495800299410850c1e1afad5b3eebf41c39469a6238d5127f28810b27a9c2b3ff1ea24cde8285cfb04059db999dbb9bcf50f7f5a22c7d11cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC312.exe

Filesize
20KB

MD5
bbbeaa05f1c32576fd23b59e560c3d1e

SHA1
9552b03f15e876c6a0390b9b7a9c5be79a4d4d98

SHA256
d6fe18eb2a6067f1757564ab393219e51de501f822d47f1d1492fd92ca59cf5d

SHA512
e76ee9556ca6c09c5c3cbafde3f9c081f43b922156db0d60ab0bd10a2b9e783a35f9c0ea6eecad2a948cf1e46f2291412dbeba276ab027544626e3e1fd1c436c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1851.exe

Filesize
20KB

MD5
0b8ba4721479d0e477782b77d71e0f5e

SHA1
eb5abc57a045fce4147310f8f082292f5fce8a0a

SHA256
9885f5f1a0a37865d1abc6946292e80b3490c2ed8704cd6a14dcca8b70679470

SHA512
43a8b7d01f4cab561a29735641f30fc718a79b78b7c3c797323b1aae0ca52f492accd78313cfa31cedd58bb54ee9168a770e782caa703bd04c44aa601ae5b9ab

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6D73.exe

Filesize
20KB

MD5
0c31d9579105dfc954fca99a26d0106b

SHA1
6106e2890544d4c431f435fc33aeae13889d5908

SHA256
01fab8f9d75bdd2acabe892d79b151f16c56833ccfa7fa625397a1269d5e7013

SHA512
6deb96bce2e89216983a7839bb64d3b0034fc8f703de283c0cd145cf8616d0340dcce9ffd942c4815a346b16ae9a819be1d64fb6c916da2aad262339f8a85d1d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6DB1.exe

Filesize
20KB

MD5
4d231cfdb6be70f93a775caad8262f72

SHA1
37034cfd6fbdcc6a796ec7d76a785d4a2990d198

SHA256
b6775acd23939f4fca9776350a8da952e073dfc2db423c2d95050ab6814c6072

SHA512
d4545c6de658e953cba39b2c479096d8729ffeba36d7a706ece2fd9339c1aa04b37d065708fce3eaf87c8d7d222d44b0e153683c11e1707a1a55b9a0b16f056e

Download Submit

Analysis

Sharing