edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e

Analysis

max time kernel
43s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe
Size

16KB
MD5

965412aa590bfe2d2996d40839c36f12
SHA1

e1f4f1d8b5464b125932b2006e35ebf0318e5e15
SHA256

edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e
SHA512

4134b36420aa94c58629f60d89c55ef2e5cf26232bac0de8cbae59f152320522dd4b50dede79e98ce14b064ca6982369dee8634f8e81f2a3466c60c912548d76
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvCD:hDXWipuE+K3/SSHgxmaD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1676	DEM8AD2.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM8AD2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1676	2792	edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe	31
PID 2792 wrote to memory of 1676	2792	edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe	31
PID 2792 wrote to memory of 1676	2792	edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe	31
PID 2792 wrote to memory of 1676	2792	edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe	31

C:\Users\Admin\AppData\Local\Temp\edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe
"C:\Users\Admin\AppData\Local\Temp\edcd749e8e18319884f696edf8635d515bd981a3bdbb725d06c59712e1facf5e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\DEM8AD2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8AD2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\DEMDFF3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDFF3.exe"
    3⤵
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\DEM34E6.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM34E6.exe"
      4⤵
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\DEM8A17.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A17.exe"
        5⤵
        
        PID:796
      - C:\Users\Admin\AppData\Local\Temp\DEMDF38.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDF38.exe"
        6⤵
        
        PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM34E6.exe

Filesize
16KB

MD5
588c0e2bc2d9c7437f09bdabff499656

SHA1
a1d1fd4982b29e19c06a8b30dacc3d7cd3a93b95

SHA256
741e59e0586c933f16d3d4f267b6829b5fa777319592018f86aee5eb28750367

SHA512
866db07699dd9e3f576b41276386c19d4bc88839c5da6f789fc4990c32a619ff4af2b7a4d73bfa8ce0d7b6699edbebd342e2a2f0dd7ec82aab6cc1bb6f499d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8A17.exe

Filesize
16KB

MD5
d26135f4657b75cd6000080c8e721ed1

SHA1
c171ff517dc034cc1550d13274a01e037626c837

SHA256
6e8f8345c3c6b283515c430e90b6afb0f424e7cdc477d77ba238efeadee84272

SHA512
211477c0b93a8a031f9a6f5e5ebb0edd92d6ed832e9ab71a124ef8040741bd3218eb1388e7bfd2a4f6dc4a044bd1923719e1f0ec85914c73306efd0ae1766e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8AD2.exe

Filesize
16KB

MD5
9bfe046f2896b6b92922f9a2b38c8cfc

SHA1
737fbddd7781e676a245e7a40b0ea56033f372be

SHA256
205296c90849154d6eb8ef102d08625516727b467bf7fa0fdea0b7b1605fb345

SHA512
3efe46be889c456b18a8b6c689a7c6f63e395aa18cbb1089ffe852f5078540c65de5e8c643e5cd001ff83490833a5d710e95626e7ab41c1ab5071db2b753dbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF38.exe

Filesize
16KB

MD5
cc053c2b5105ff611036bdb635f2e4c0

SHA1
bcbd93cfb24c29d21240ed399a27130322035e0a

SHA256
9b81a10faebebca1b9218b8536a65f557e832356984b2000e0424f672d267140

SHA512
c5b54ab8fe8707d02c3146f249baaf8acbf2bc66bf66db48abd4a3dd6fa114da7496d9951db032cdab7d74f5f3f55af0f0af24b5dec997b051f1cc9774ea6a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDFF3.exe

Filesize
16KB

MD5
45a09c71bc51a93a78a923c3ca3705ee

SHA1
2a76f6f3c7a7535f2cdf0154042c0e8f45d81276

SHA256
c5d6ea2133ff160b180f085052bb994e3d0c8be207120338bd835e4ef37edaec

SHA512
859f2285d5d028991d8a80f2c453097a84e94c511e95f60a49983db67ac080bfb519bdb0d3d48ab322d6b54d7db615d0c84e67e2e66867bb03141c030e0aa6e9

Download Submit