22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea

General

Target

22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe
Size

16KB
MD5

b0e05181a30116cd1befa351b933e310
SHA1

44519a4290f97ca5ce353226aa08317c55f7a82e
SHA256

22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea
SHA512

5ec47d852cd20b0c1d6cef7d0ada97e0f3d6a2432271e1ffc9cf4cd14facdb01f26e18cd6e6591f8f351e519456ef02c39d4fbed9bb1ee995abcaa10396883d2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZlDH:hDXWipuE+K3/SSHgx3lDH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2672	DEM2BA2.exe
572	DEM81DD.exe
3044	DEMD826.exe
1120	DEM2DA5.exe
1052	DEM845C.exe

Loads dropped DLL 5 IoCs

pid	Process
2880	22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe
2672	DEM2BA2.exe
572	DEM81DD.exe
3044	DEMD826.exe
1120	DEM2DA5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2BA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM81DD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMD826.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM2DA5.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2672	2880	22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe	31
PID 2880 wrote to memory of 2672	2880	22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe	31
PID 2880 wrote to memory of 2672	2880	22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe	31
PID 2880 wrote to memory of 2672	2880	22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe	31
PID 2672 wrote to memory of 572	2672	DEM2BA2.exe	33
PID 2672 wrote to memory of 572	2672	DEM2BA2.exe	33
PID 2672 wrote to memory of 572	2672	DEM2BA2.exe	33
PID 2672 wrote to memory of 572	2672	DEM2BA2.exe	33
PID 572 wrote to memory of 3044	572	DEM81DD.exe	35
PID 572 wrote to memory of 3044	572	DEM81DD.exe	35
PID 572 wrote to memory of 3044	572	DEM81DD.exe	35
PID 572 wrote to memory of 3044	572	DEM81DD.exe	35
PID 3044 wrote to memory of 1120	3044	DEMD826.exe	38
PID 3044 wrote to memory of 1120	3044	DEMD826.exe	38
PID 3044 wrote to memory of 1120	3044	DEMD826.exe	38
PID 3044 wrote to memory of 1120	3044	DEMD826.exe	38
PID 1120 wrote to memory of 1052	1120	DEM2DA5.exe	40
PID 1120 wrote to memory of 1052	1120	DEM2DA5.exe	40
PID 1120 wrote to memory of 1052	1120	DEM2DA5.exe	40
PID 1120 wrote to memory of 1052	1120	DEM2DA5.exe	40

C:\Users\Admin\AppData\Local\Temp\22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe
"C:\Users\Admin\AppData\Local\Temp\22e724068bb8abac1701735bfa0c4880e537ef0c133e70b6c9206730dc9f6aea.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\DEM2BA2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2BA2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\DEMD826.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMD826.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\DEM2DA5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM2DA5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\DEM845C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM845C.exe"
        6⤵
        Executes dropped EXE
        
        PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM2BA2.exe

Filesize
16KB

MD5
3047ff0941d494d0086a39b4c18a8ac5

SHA1
ec9f3080a6c35753829a5a473adc0d8a4c63e967

SHA256
8a21505050064707da82dc2010e3febba7d97a48309919cd5366aa20a2807155

SHA512
ebe97730f101f51ea1350f89795f3d654f548c01ecdbf6fe4254820b0ef09837378713e20a7a53d782deb46118581471a206cbd3f3110a298f3515953fc16188

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe

Filesize
16KB

MD5
9804b1820aedf61e856805a5291cfc2f

SHA1
6c0f53341fef8c603a46b339784d742691391bc5

SHA256
f3d16b65a077f9ecd91add51e63bd1fc70c7f81466288f692f9da6432821641d

SHA512
0dfd4d995784281d1ef2284502f7c59eed1d9a3d53b18e8498d11023940e5a8d5e95a6f4ec4238ffe7848d4fe69f470b19d3e59e65f1b87d58d11e1b4168705d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMD826.exe

Filesize
16KB

MD5
8843a1b20cd7213b27f263075cf681b1

SHA1
36386c3fa4f3b9fbd09c0b157b18a78cd060f683

SHA256
bd59572fd1480abc1cd3efa28a3a430a1c00cee2e1a5e4ab9572bc7b07244a32

SHA512
88e1d6929b75242209d61683a16ba613462bd63b5cbf8428d78b03863e5c50cf165a1f04e60c0aff68d4c08cff0cb64bf9511995605f23c99d7479b2cc8a203b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2DA5.exe

Filesize
16KB

MD5
669b5f80663d298591c6cb9f3bb21505

SHA1
2632ef6ff4fe4a0cce7638704964637bc32b67fa

SHA256
072afc9b82b0a5daef8e0d67672fa2b3f4a116b2c303d5cb04ae8688f7d75495

SHA512
28992dc572663854670599af42a70563af387d080e15d41cdc5501122f9dc683f474e2fab43a09e1eb8a51850b383aeecbbc06583b7d886247c5c2c73597ba8c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM845C.exe

Filesize
16KB

MD5
3fefd6bb84bb839ac4449b6b6e4aee16

SHA1
b00f4f7460652f51e98d11255929d99c39ff6ee9

SHA256
61858dc3b34c172c10712d1ab355d206b9d7e83282aa5c1da2aec4967d834a99

SHA512
5ccc02e0f96b9429630df71e60b4c3607b4ada3a7a8967a55d41bf3630bc83c8d1e7d86b970f0808161bee5dcc5a577b4deedc3002d1409e91f98247117467c0

Download Submit

Analysis

Sharing