d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660

General

Target

d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe
Size

20KB
MD5

f3497e254a2cb34d41a3a4087f83fdf6
SHA1

aa2b4520585035e92c75123f34cd6c3951972598
SHA256

d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660
SHA512

55df30db83dd18060882ede8b14c7ca6c994a600028cc328e82524ba984fb1fd401701f3ce86b57d985e73c82c05e8b2471089df58461a3b4f897db2e386ed2d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PRSU:hDXWipuE+K3/SSHgxmHZPRP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2944	DEM915.exe
2604	DEM5E65.exe
1108	DEMB413.exe
1460	DEM963.exe
1344	DEM5EF2.exe

Loads dropped DLL 5 IoCs

pid	Process
2180	d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe
2944	DEM915.exe
2604	DEM5E65.exe
1108	DEMB413.exe
1460	DEM963.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5E65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMB413.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM963.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM915.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2944	2180	d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe	31
PID 2180 wrote to memory of 2944	2180	d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe	31
PID 2180 wrote to memory of 2944	2180	d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe	31
PID 2180 wrote to memory of 2944	2180	d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe	31
PID 2944 wrote to memory of 2604	2944	DEM915.exe	33
PID 2944 wrote to memory of 2604	2944	DEM915.exe	33
PID 2944 wrote to memory of 2604	2944	DEM915.exe	33
PID 2944 wrote to memory of 2604	2944	DEM915.exe	33
PID 2604 wrote to memory of 1108	2604	DEM5E65.exe	35
PID 2604 wrote to memory of 1108	2604	DEM5E65.exe	35
PID 2604 wrote to memory of 1108	2604	DEM5E65.exe	35
PID 2604 wrote to memory of 1108	2604	DEM5E65.exe	35
PID 1108 wrote to memory of 1460	1108	DEMB413.exe	37
PID 1108 wrote to memory of 1460	1108	DEMB413.exe	37
PID 1108 wrote to memory of 1460	1108	DEMB413.exe	37
PID 1108 wrote to memory of 1460	1108	DEMB413.exe	37
PID 1460 wrote to memory of 1344	1460	DEM963.exe	39
PID 1460 wrote to memory of 1344	1460	DEM963.exe	39
PID 1460 wrote to memory of 1344	1460	DEM963.exe	39
PID 1460 wrote to memory of 1344	1460	DEM963.exe	39

C:\Users\Admin\AppData\Local\Temp\d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe
"C:\Users\Admin\AppData\Local\Temp\d6e0d438a933701d926fbd2f16888ebdb2211da86db20e06124d932319c75660.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\DEM915.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM915.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\DEM5E65.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5E65.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\DEMB413.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB413.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\DEM963.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM963.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\DEM5EF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5EF2.exe"
        6⤵
        Executes dropped EXE
        
        PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5E65.exe

Filesize
20KB

MD5
dbf4a2c13b1a5dfecf863328fc9b62a4

SHA1
42cad98da5a6a63bec9602f1f84b7dba450c0b3b

SHA256
60b6dcdb1248e4e8abf963d29abcbb1500ddd790c7288e191795beaf25a6e1b5

SHA512
9b53d75caa42c3d7635879cdb13b101ed08896fdbcad0bb469791dc6301304492588de2a478f5f8c85b142865bc2d0e4aaae58f7de8f4fc3d9c6503f10f78d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5EF2.exe

Filesize
20KB

MD5
c5a2ccf6efbe2e5a861b589aca54f3ec

SHA1
17b217c244cfa80112b114de698252ec20ec69e1

SHA256
77b3555bac459e927b897562bef5ea23674fa256cf570dde2eb6539589c4edaf

SHA512
1098396509f4e7500ad92141c6632c0380d572bacf68b9debc2b53ac842d2d2f534111d413f9e47061f2377a203154c1df16013c2d8db32bb08c6bd882421939

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM915.exe

Filesize
20KB

MD5
1ef28fb86b190f0f42adff45f2bf9aff

SHA1
d8cc4b381c2c9d90484fecc9ae116b2ec997ac49

SHA256
d0cf28a6ba5128325e94f4b3e4d73b3d54513fbe3ee016505e1b76a09bdbd390

SHA512
f0714cda82f726b65b0fd3a373b6658e47e26f63c4268a5a9b647cb9978972c29341a3e3642d2eb9dc3a59302d65f9eea2e92d3e0f96bfaa96d853ffb6cd0496

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM963.exe

Filesize
20KB

MD5
96494887c0c58e545be80413a9500d78

SHA1
beec7d15c85b597367956bd6ef7e797e0394b094

SHA256
041f5e290d8b06582060519ac8437f83e103afbda1443f8f38bb59a3daeee747

SHA512
4963a7b142bf3e160c25317b321750eff00f5d2abc21b019588b3e1430a5a347a9bc5301775a8399456fab210b34618484bbabe5b2b48e56a4d1c1dfd88eb31b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB413.exe

Filesize
20KB

MD5
8945f8ac0a4657964643c4903ed54c6b

SHA1
e15d11aa65626816eb142cce5e7659c5a97cc2ab

SHA256
d0671932c57c3bc8bd44e0f7f7fd3c8aae6047810608afe6cadd61dbbdf0ebdd

SHA512
9ea905d4c6448939e8513a027c5e050b3a11f2024c73e976bf1bfe9f75eff8ee91ae57febffdf6d689b37d6334614c17db034af126381a0d85723b1049660c93

Download Submit

Analysis

Sharing