0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26

General

Target

0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe
Size

15KB
MD5

5bd67957a7626b7533f521f54efcb071
SHA1

7e5858959534e892d3dc56ce8a08548b6b9eda9f
SHA256

0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26
SHA512

c735ad2d292a4bcb5043977d952b435c05010a53451a6d7e2bfc86b664dae44a1ff585af51ba2f8ea627d230661dbf1c443486e1e7fbbcabd9d75a751ef30e13
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYq445:hDXWipuE+K3/SSHgxmq445

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2488	DEMFFF1.exe
2892	DEM5689.exe
2644	DEMAD5F.exe
2888	DEM34B.exe
804	DEM59A5.exe

Loads dropped DLL 5 IoCs

pid	Process
2332	0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe
2488	DEMFFF1.exe
2892	DEM5689.exe
2644	DEMAD5F.exe
2888	DEM34B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFFF1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAD5F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM34B.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2488	2332	0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe	32
PID 2332 wrote to memory of 2488	2332	0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe	32
PID 2332 wrote to memory of 2488	2332	0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe	32
PID 2332 wrote to memory of 2488	2332	0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe	32
PID 2488 wrote to memory of 2892	2488	DEMFFF1.exe	34
PID 2488 wrote to memory of 2892	2488	DEMFFF1.exe	34
PID 2488 wrote to memory of 2892	2488	DEMFFF1.exe	34
PID 2488 wrote to memory of 2892	2488	DEMFFF1.exe	34
PID 2892 wrote to memory of 2644	2892	DEM5689.exe	36
PID 2892 wrote to memory of 2644	2892	DEM5689.exe	36
PID 2892 wrote to memory of 2644	2892	DEM5689.exe	36
PID 2892 wrote to memory of 2644	2892	DEM5689.exe	36
PID 2644 wrote to memory of 2888	2644	DEMAD5F.exe	38
PID 2644 wrote to memory of 2888	2644	DEMAD5F.exe	38
PID 2644 wrote to memory of 2888	2644	DEMAD5F.exe	38
PID 2644 wrote to memory of 2888	2644	DEMAD5F.exe	38
PID 2888 wrote to memory of 804	2888	DEM34B.exe	40
PID 2888 wrote to memory of 804	2888	DEM34B.exe	40
PID 2888 wrote to memory of 804	2888	DEM34B.exe	40
PID 2888 wrote to memory of 804	2888	DEM34B.exe	40

C:\Users\Admin\AppData\Local\Temp\0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe
"C:\Users\Admin\AppData\Local\Temp\0c7bfea65f9b796f57ee415f1778c60fadcb837701e8934cad3a595828ebde26.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\DEMFFF1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMFFF1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\DEM5689.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5689.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\DEMAD5F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAD5F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\DEM34B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM34B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\DEM59A5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM59A5.exe"
        6⤵
        Executes dropped EXE
        
        PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34B.exe

Filesize
15KB

MD5
45e5e7d326912ee6439c95159b9e3e8b

SHA1
f4983e201157a749d6ed460b1ccf8f40340e70f3

SHA256
67c34a7aec707a56f0c56055e1145fd83dd402e0e17da5e98bb344d4d5b32ca9

SHA512
0edb085926f4a86eb1b7323bc386818622d6af71c7e2ad0757d7237c91a9c11a9fc30a75bedbdae0ae81cd789f9af057e3a558f60ce32d4eb82a3489d8b388a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5689.exe

Filesize
15KB

MD5
e8836db3a87362c48a2b5bb241732767

SHA1
ca9dfcb4f1ef6b8631229171755fd8c37a5beec9

SHA256
425ab3e496d3639f46466e351a71160030e40851945c8895bdf3227bfa665887

SHA512
9f7193fd24c3fc725c7d5b22b3e9cb60a27dd15a5119fd37840a9a3b773bb23a2200fc7f01323811e0956779ca186f85ee2a4112f316657f962b9e6ea69f799d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM59A5.exe

Filesize
15KB

MD5
396bf0c8af1d04f951341f0191ac87a2

SHA1
e9e87e0a3be0173ccd179a1b8cf023972a4cd80a

SHA256
8f192cee28af1b723ebf0954241ffb8f570a1d69c234f7c7ee3dd46fd382819a

SHA512
37d56795c0ad7215ec33d3e7507463ffdfc1798689cc49a877c229ac0d98fa13288b5eb3faeb9e988f6b31d5ae4c92900e54eaf6823ece7d83986717a86fb6c7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAD5F.exe

Filesize
15KB

MD5
ba668304ceac617dec0962dc477d78c2

SHA1
517a75de26b3a84dff0fa01fd658ab91e4a1986f

SHA256
80f43ca624db23a9181f928fc21b9f7dfc51939e6abb122c674d0dc7fc431c40

SHA512
b8db1f51398741a74f731f60e483d342247f9fc5c6a5f5237fc760217434f84d76a4ba17031c9f9b1573e24afc4abc948424d94433ce5472696381c4ab276ee3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFFF1.exe

Filesize
15KB

MD5
ac3b7a3649e6de8cc39ea114192e5cfc

SHA1
26912b05e8b7e9ca87432aee64d2308d222ad573

SHA256
18531042beb0b7a9c24812a6e9aa47f43d4071893809885f9de02866434c2513

SHA512
1c68c38408c2fca3d446ac2b4fab5185009735c1aa2b58fa336035d5bd9189fc11beb9e407912bbeb7d109897cd88ab42cace25a9d5d45ef91fe1141a46e9d63

Download Submit

Analysis

Sharing