b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f

General

Target

b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe
Size

15KB
MD5

8fc3a6721184dacfb86247d33398f5b8
SHA1

37e8b741e43465fe6e4416197380a274b81cb1a1
SHA256

b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f
SHA512

af10c4d75f73fb72554b624f57959350191c58fe81e3f9681ace6368940d0e2971819744ab9159c0dfb4b5412a3a2026549a53e66cd46db53a50a2cd70c4f692
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJkz:hDXWipuE+K3/SSHgxmlOc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2956	DEM98F5.exe
2832	DEMF048.exe
2548	DEM4653.exe
2740	DEM9D58.exe
1548	DEMF41F.exe

Loads dropped DLL 5 IoCs

pid	Process
1688	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe
2956	DEM98F5.exe
2832	DEMF048.exe
2548	DEM4653.exe
2740	DEM9D58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM98F5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM9D58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2956	1688	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe	31
PID 1688 wrote to memory of 2956	1688	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe	31
PID 1688 wrote to memory of 2956	1688	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe	31
PID 1688 wrote to memory of 2956	1688	b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe	31
PID 2956 wrote to memory of 2832	2956	DEM98F5.exe	33
PID 2956 wrote to memory of 2832	2956	DEM98F5.exe	33
PID 2956 wrote to memory of 2832	2956	DEM98F5.exe	33
PID 2956 wrote to memory of 2832	2956	DEM98F5.exe	33
PID 2832 wrote to memory of 2548	2832	DEMF048.exe	35
PID 2832 wrote to memory of 2548	2832	DEMF048.exe	35
PID 2832 wrote to memory of 2548	2832	DEMF048.exe	35
PID 2832 wrote to memory of 2548	2832	DEMF048.exe	35
PID 2548 wrote to memory of 2740	2548	DEM4653.exe	38
PID 2548 wrote to memory of 2740	2548	DEM4653.exe	38
PID 2548 wrote to memory of 2740	2548	DEM4653.exe	38
PID 2548 wrote to memory of 2740	2548	DEM4653.exe	38
PID 2740 wrote to memory of 1548	2740	DEM9D58.exe	40
PID 2740 wrote to memory of 1548	2740	DEM9D58.exe	40
PID 2740 wrote to memory of 1548	2740	DEM9D58.exe	40
PID 2740 wrote to memory of 1548	2740	DEM9D58.exe	40

C:\Users\Admin\AppData\Local\Temp\b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe
"C:\Users\Admin\AppData\Local\Temp\b84a39096fb37fb89ccbb7fa409e3bbf458b232631d9f8853bb3559e19adba1f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\DEM98F5.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM98F5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\DEMF048.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF048.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\DEM4653.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4653.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\DEM9D58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9D58.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\DEMF41F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF41F.exe"
        6⤵
        Executes dropped EXE
        
        PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMF048.exe

Filesize
15KB

MD5
a4918e3270aba2880dc4fc82e1bcdd38

SHA1
5b8fef796159c711442e9319edf121265a73c0d3

SHA256
fd828b4fb7ac5fd1511ac74b534c689d777319580d12e14125ca4df5bdddaef3

SHA512
4604ac7e4a80e835083a29e56e9973b24e65360552c643fab6bbcafeb5d32390f156856364ddef4b6cead1ecc0c866145fd43d387aefe452421adcb23dd1ee66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF41F.exe

Filesize
15KB

MD5
709f04d5c510b5e46aed24259bf4346d

SHA1
f161cbe3b1af86741fb381de4828ac87f8a0401c

SHA256
8f26d40fcb8cfcd297ae05801b14b35cf8f2615c32c813fb95c7bcd57715cf88

SHA512
b19985bc47bc90148c19f3b26d8783d4731c06392f3cf8eca302bb32c9e54af4a7a1e0f49a024ee2ce25c6bc19fba25ce493815436d0b08c71a3571a549db9cb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4653.exe

Filesize
15KB

MD5
027f5d9d06abf329b403a2894f5eb7e1

SHA1
819e22ea6e2c6311a02abb1f705fb0f42b696b91

SHA256
d5aae8f4374120be201e79fa62326f5b91cd8d1d14792fdf7d8b99de2ed54627

SHA512
1e57e0e204113cebde6cf0364a6731a21a1cb6ec13bdec054579d6bdefdbd56cf65e2f4744fde7f00412bf29ef674347eaf5ae53fc53953b07a42fe57744021a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM98F5.exe

Filesize
15KB

MD5
af73ebd0510ed11c47ea0ba91f2193ca

SHA1
499fcb4d386783770c70c97b453214b4cbec8512

SHA256
e20c14173874a196f12298b00bd8df09a6bb490752991106de9294e7139517a9

SHA512
97b674499ecde21d3722db49188d7785039c64be57e53fc0258e5597d9f9d1b5279061bcd770ff85c2292103dc50795952bde7d7c6fa90c5188db2ff89fbe204

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9D58.exe

Filesize
15KB

MD5
c2e666e1ab6cd0195b7b2e99884b8332

SHA1
e7d981f381f8a0e74d8a79c95a155219fc0190d2

SHA256
7974fdb3c2cde29d78a6092f942030b235f5e592000322b283187809b71f97bd

SHA512
3221439fdb9fa5ae51c40bc59fa43978853d8c26667e149d1284c29ef8337ae69628632f393ee5046f78244ce8b645343e68c3b2f21b628b3cc0e53b3c0d6a5b

Download Submit

Analysis

Sharing