f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485

General

Target

f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe
Size

14KB
MD5

34a364436280475d702682b1030747c3
SHA1

1266b780c30ac13b3dd45141984ec4311ddce655
SHA256

f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485
SHA512

52c9251e7475370305599c38b086b5ffe24e0458ea68f692e0b1a57895ed68edc27a91707cf4b9d4b70915b0eb1352092981eb819de4cb40d99b0c6765cbd119
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0DcAv:hDXWipuE+K3/SSHgx4rv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1536	DEM1B6D.exe
2620	DEM70AD.exe
2960	DEMC5BF.exe
632	DEM1AE0.exe
1712	DEM7011.exe

Loads dropped DLL 5 IoCs

pid	Process
2196	f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe
1536	DEM1B6D.exe
2620	DEM70AD.exe
2960	DEMC5BF.exe
632	DEM1AE0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1B6D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM70AD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMC5BF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM1AE0.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1536	2196	f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe	31
PID 2196 wrote to memory of 1536	2196	f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe	31
PID 2196 wrote to memory of 1536	2196	f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe	31
PID 2196 wrote to memory of 1536	2196	f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe	31
PID 1536 wrote to memory of 2620	1536	DEM1B6D.exe	33
PID 1536 wrote to memory of 2620	1536	DEM1B6D.exe	33
PID 1536 wrote to memory of 2620	1536	DEM1B6D.exe	33
PID 1536 wrote to memory of 2620	1536	DEM1B6D.exe	33
PID 2620 wrote to memory of 2960	2620	DEM70AD.exe	35
PID 2620 wrote to memory of 2960	2620	DEM70AD.exe	35
PID 2620 wrote to memory of 2960	2620	DEM70AD.exe	35
PID 2620 wrote to memory of 2960	2620	DEM70AD.exe	35
PID 2960 wrote to memory of 632	2960	DEMC5BF.exe	37
PID 2960 wrote to memory of 632	2960	DEMC5BF.exe	37
PID 2960 wrote to memory of 632	2960	DEMC5BF.exe	37
PID 2960 wrote to memory of 632	2960	DEMC5BF.exe	37
PID 632 wrote to memory of 1712	632	DEM1AE0.exe	40
PID 632 wrote to memory of 1712	632	DEM1AE0.exe	40
PID 632 wrote to memory of 1712	632	DEM1AE0.exe	40
PID 632 wrote to memory of 1712	632	DEM1AE0.exe	40

C:\Users\Admin\AppData\Local\Temp\f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe
"C:\Users\Admin\AppData\Local\Temp\f951296a40dcaeb357ef910ef309a883235ef584bd31c30cc8558eeb9d762485.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\DEM1B6D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1B6D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\DEM70AD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM70AD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\DEMC5BF.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC5BF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\DEM1AE0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1AE0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Users\Admin\AppData\Local\Temp\DEM7011.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7011.exe"
        6⤵
        Executes dropped EXE
        
        PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1B6D.exe

Filesize
15KB

MD5
a758bbc1f2ea31d894a0f9258ef3c227

SHA1
77b7ccce5c9d50f662ccef3537bd0320c8082d84

SHA256
2c6826a49933125132c5f399528748fbe77dccf192cc150b39dd27d0480b8d2d

SHA512
0ebf07b6a024089eb2e8e6baa209042671966d440991976e678c8376cc9a3fcb4c80c1d7ddf2c9d824843509db8c124df05c15e81d6992b5da6a1fc1fae12022

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM70AD.exe

Filesize
15KB

MD5
6782022cc6a063a85969754281672363

SHA1
e000222f34398b716508acaafbb60865d0f2735b

SHA256
a2b7fa123fa106fbac14a342df88895f21a55808bd1ce99e3a852234620fbd11

SHA512
3f5ccfd35b8b6d5646595b4ff9bebbc6d448aada5d3fcc7f16d96302693e19edf1b55f4e4c122d38797adba6e2088da0473d7ebe3c11d969a4da1924130a12c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC5BF.exe

Filesize
15KB

MD5
bf141f96fcce49cb9b0c8755b1a753d4

SHA1
81a3677a8ab1e509b4a7c498b3b4f191e538bdb0

SHA256
1c60734e7c381a23c9670207de13f8c4a1db6aab5de9e9c8cd77237ad543cfa1

SHA512
d237615e995806665d1205afd06ea730290d53ac9d2308ab648750337fb0f65851894d4cbe4c0b498114aa02bd4ddd152b4117faf47f66962fa0e8dcd268e634

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1AE0.exe

Filesize
15KB

MD5
c63aecea0cb8f5839aa634d608b3a782

SHA1
d34ef951acd2411c67c5fc0d37ba18083469d436

SHA256
83cba8e619c8054af453fbe5bf0208cced5f8bc3ac0c2922ec45a830cdaf8157

SHA512
ea1fb1943f3bad34c0ede745180c4911fa790ec309b77aa5a8a9cbcc0bd9e152195b70bd5cc81cceaba1882b7925ea29ef1c3a9ec2ccf7748233e4866adb988d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7011.exe

Filesize
15KB

MD5
352b7c88ad6005bfb6285cde6c2de6f6

SHA1
de5ec2bb642feae7feebb1538d8bc405274d4df4

SHA256
e08078ecae044c0f1bcd825e92e4d0bb8169e43f99d178713aea3facf66caa33

SHA512
d4eff85b6b1b3e13a2b43d0ace820d96fe31f05584e9a044aff74e63ab22659ad96b2292a64dca44aa7b8dcaa4cead942d7b531917423a4842792b0ca38bde75

Download Submit

Analysis

Sharing