301e7653a37242930010d9ae0abcce3643c6b2912dad2842b6dc9d6a229fa844

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19ae7ad249472bexeexeexeex.exe
Size

31KB
MD5

19ae7ad249472b033c1e62e257e8b590
SHA1

3a173f7375f1d17c0002270fd0664f16221aab33
SHA256

301e7653a37242930010d9ae0abcce3643c6b2912dad2842b6dc9d6a229fa844
SHA512

aae478212e630954b4535c95005a83610671081267bc5008086b58b3af15caf1e18b9774b29356cc745b335c2378da9d11a33fc5f64f3b066f437aa154ea6c20
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzogFzpjuoa:bAvJCYOOvbRPDEgXVFzpCoa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2896	demka.exe

Loads dropped DLL 1 IoCs

pid	Process
3032	19ae7ad249472bexeexeexeex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3032	19ae7ad249472bexeexeexeex.exe
2896	demka.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2896	3032	19ae7ad249472bexeexeexeex.exe	27
PID 3032 wrote to memory of 2896	3032	19ae7ad249472bexeexeexeex.exe	27
PID 3032 wrote to memory of 2896	3032	19ae7ad249472bexeexeexeex.exe	27
PID 3032 wrote to memory of 2896	3032	19ae7ad249472bexeexeexeex.exe	27

C:\Users\Admin\AppData\Local\Temp\19ae7ad249472bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\19ae7ad249472bexeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
92f498f8bc524cc8200413fc0786485b

SHA1
dd2935bd8174b06a7016a312b8c1fb4b7b1f0cec

SHA256
da47330ae710fa285187e234a1faa5a7e86d9a26087400e6138c138d4f915a00

SHA512
0e8c110ca1aae18266b03bc840a599e80f9bb133935226f300494eabd6a7c971ff51f1ccb741c25c62710411b37f786e1c2e643d5bfc588f51c8c6cb76a96f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
92f498f8bc524cc8200413fc0786485b

SHA1
dd2935bd8174b06a7016a312b8c1fb4b7b1f0cec

SHA256
da47330ae710fa285187e234a1faa5a7e86d9a26087400e6138c138d4f915a00

SHA512
0e8c110ca1aae18266b03bc840a599e80f9bb133935226f300494eabd6a7c971ff51f1ccb741c25c62710411b37f786e1c2e643d5bfc588f51c8c6cb76a96f08

Download Submit
\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
92f498f8bc524cc8200413fc0786485b

SHA1
dd2935bd8174b06a7016a312b8c1fb4b7b1f0cec

SHA256
da47330ae710fa285187e234a1faa5a7e86d9a26087400e6138c138d4f915a00

SHA512
0e8c110ca1aae18266b03bc840a599e80f9bb133935226f300494eabd6a7c971ff51f1ccb741c25c62710411b37f786e1c2e643d5bfc588f51c8c6cb76a96f08

Download Submit
memory/3032-54-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/3032-55-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download