94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3

General

Target

94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe
Size

16KB
MD5

5427ac54feee09db3183e6fd6f368563
SHA1

3bd051eb7698fcb43c9bdc40ba0931ca835fe410
SHA256

94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3
SHA512

49d79300e4b78f69be4fc362161d2f1175a29160bbe21a21ff97b2b8a488a24385d61b57ba105f0335aa059e358a816cedbaeb5bb00131572df397f029bc01d5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0FY:hDXWipuE+K3/SSHgxm0m

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2756	DEMAF62.exe
2972	DEM4A2.exe
556	DEM5ABD.exe
2612	DEMAFFE.exe
2804	DEM56D.exe

Loads dropped DLL 5 IoCs

pid	Process
1300	94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe
2756	DEMAF62.exe
2972	DEM4A2.exe
556	DEM5ABD.exe
2612	DEMAFFE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM5ABD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAFFE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMAF62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4A2.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2756	1300	94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe	32
PID 1300 wrote to memory of 2756	1300	94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe	32
PID 1300 wrote to memory of 2756	1300	94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe	32
PID 1300 wrote to memory of 2756	1300	94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe	32
PID 2756 wrote to memory of 2972	2756	DEMAF62.exe	34
PID 2756 wrote to memory of 2972	2756	DEMAF62.exe	34
PID 2756 wrote to memory of 2972	2756	DEMAF62.exe	34
PID 2756 wrote to memory of 2972	2756	DEMAF62.exe	34
PID 2972 wrote to memory of 556	2972	DEM4A2.exe	36
PID 2972 wrote to memory of 556	2972	DEM4A2.exe	36
PID 2972 wrote to memory of 556	2972	DEM4A2.exe	36
PID 2972 wrote to memory of 556	2972	DEM4A2.exe	36
PID 556 wrote to memory of 2612	556	DEM5ABD.exe	38
PID 556 wrote to memory of 2612	556	DEM5ABD.exe	38
PID 556 wrote to memory of 2612	556	DEM5ABD.exe	38
PID 556 wrote to memory of 2612	556	DEM5ABD.exe	38
PID 2612 wrote to memory of 2804	2612	DEMAFFE.exe	40
PID 2612 wrote to memory of 2804	2612	DEMAFFE.exe	40
PID 2612 wrote to memory of 2804	2612	DEMAFFE.exe	40
PID 2612 wrote to memory of 2804	2612	DEMAFFE.exe	40

C:\Users\Admin\AppData\Local\Temp\94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe
"C:\Users\Admin\AppData\Local\Temp\94da95e6aebf8c61fb02443471baf97d311c251868b648c9193519a2ae923ed3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\DEMAF62.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAF62.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\DEM4A2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4A2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\DEM5ABD.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5ABD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Users\Admin\AppData\Local\Temp\DEMAFFE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFFE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Users\Admin\AppData\Local\Temp\DEM56D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM56D.exe"
        6⤵
        Executes dropped EXE
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4A2.exe

Filesize
16KB

MD5
9ee3132325a30a2af165152516f6273a

SHA1
6e679fe619c39267dac81617b3bfda97624faf76

SHA256
f11329c6bb4f99ceb6c6853e1080e42c18518e21186255fc5c666df703dfeca4

SHA512
2561c34572ea73cd9fdd0a03abb18b04f0e9434f96bbda2e66eec166f03513b6aa2d5d6d27afc0897d8b55762d9719df73f5bc0fa28b4ab4c708387c9a3864b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM56D.exe

Filesize
16KB

MD5
1b9a2abf422b05e5713b72e869a2bb74

SHA1
e3d8ebd9672c0fe6d0393b8dcbdb2daf493fd7a4

SHA256
5ccc301ffff66feebca6ebf4ba28c97766241ac396aa1a81e0109e2e6beba9b3

SHA512
70911ec6a671aaa028e983ec4664910f47bda744707c874a57cf44ca64ffa5c2d4e25e44937ac27ac8b66283bb7c29466b74b7d44c15811b22fd76bd01705912

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5ABD.exe

Filesize
16KB

MD5
1239eb4825f024bd95028a1742efebd0

SHA1
3dd835d9164b1f30bf16e207e5c79384014c74ec

SHA256
43ed2faeed28d7412492a845a8a382a86af722d4b1360a4ab4467ce300a96d94

SHA512
10665220064ffadcf06124f99974863e487930cbc3a040cd913689aa62c5fbbb5f2eeaa5b489dc709d9f50b7f115892f6e890f01e60e94120d440a396197d47e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAF62.exe

Filesize
16KB

MD5
9d729f02ed7602917de5a21eb0ab37a3

SHA1
5d3b475b637a057bbdb79e216f5cf0f7e28d84c4

SHA256
a82122187ef21800beb8813dc85558492049e48c0cbff108396129ea5f1b373b

SHA512
55421d322ec57121eeda980c1f5595ca5d3d30cceb0bb4642f440f9fc598e5667fa54d7fe2e433ac069d1050782c0006cbb9f83a374cb9c37c45a9fa1b86b9ee

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAFFE.exe

Filesize
16KB

MD5
75170f243edc819fc8050399a33f083b

SHA1
72db5eb28fc85d6cd5bccb6259525a2993d8ed5a

SHA256
de26453fbfd509d03b4f99f31b80387faf049113e77ab5ebfc944f3729e3aa47

SHA512
9d9a13983fcdccd743be2fde767669f9348b6eaf8612c8dbb6afe702e7a76cf1ff9abf7104b9cafeb702835db77c7ea196a4c9a9f3eaa0c5cef104690fa98164

Download Submit

Analysis

Sharing