62c4491120d746f7a62472c41e86b270eba6b87839f2e4d4a891ebbae381f1ba

Analysis

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14/07/2023, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30241bc9c468a4exeexe_JC.exe
Size

31KB
MD5

30241bc9c468a44cdebe46e41c8d948f
SHA1

059ac81890c7038aea22c89e1c6d7e4cf218813f
SHA256

62c4491120d746f7a62472c41e86b270eba6b87839f2e4d4a891ebbae381f1ba
SHA512

830dbc738f9b4ea0ef6042eddd7615af88642b97295aea10413162bea92b68ffae3a98340358522eb3c6e9a32db21f37d1fc51f3bf2bd5a6ef7abf459c729d38
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzoiM8Nekdvjl9Vz:bAvJCYOOvbRPDEgXrNekd7l9B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1688	demka.exe

Loads dropped DLL 1 IoCs

pid	Process
932	30241bc9c468a4exeexe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
932	30241bc9c468a4exeexe_JC.exe
1688	demka.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1688	932	30241bc9c468a4exeexe_JC.exe	28
PID 932 wrote to memory of 1688	932	30241bc9c468a4exeexe_JC.exe	28
PID 932 wrote to memory of 1688	932	30241bc9c468a4exeexe_JC.exe	28
PID 932 wrote to memory of 1688	932	30241bc9c468a4exeexe_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\30241bc9c468a4exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\30241bc9c468a4exeexe_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
1b487c2d4c8db52de41b0747511b80d0

SHA1
93e66d481ecf9386d46af10a594cccd2ed182b16

SHA256
196a4ca9b2e861b8dd28b2c955e5d271d1463356938fcbe6510780e510c021ec

SHA512
7ef5188764a8d6b2ed47841c6020f9b711e36acd7fe015b57ff8739e54b7dd33cf1f081bd610d061092dc338830cff8daedaa3df5eb00b691c54dc65072dbb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
1b487c2d4c8db52de41b0747511b80d0

SHA1
93e66d481ecf9386d46af10a594cccd2ed182b16

SHA256
196a4ca9b2e861b8dd28b2c955e5d271d1463356938fcbe6510780e510c021ec

SHA512
7ef5188764a8d6b2ed47841c6020f9b711e36acd7fe015b57ff8739e54b7dd33cf1f081bd610d061092dc338830cff8daedaa3df5eb00b691c54dc65072dbb31

Download Submit
\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
31KB

MD5
1b487c2d4c8db52de41b0747511b80d0

SHA1
93e66d481ecf9386d46af10a594cccd2ed182b16

SHA256
196a4ca9b2e861b8dd28b2c955e5d271d1463356938fcbe6510780e510c021ec

SHA512
7ef5188764a8d6b2ed47841c6020f9b711e36acd7fe015b57ff8739e54b7dd33cf1f081bd610d061092dc338830cff8daedaa3df5eb00b691c54dc65072dbb31

Download Submit
memory/932-53-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/932-54-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/932-55-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1688-69-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download