2899f00c87090337a106bdfc3d7ccf7f862e17cdf702b68d00d235bcfaf98d0c

Analysis

max time kernel
133s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17-09-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dd6380506659028c3464b145e2de680_JC.exe
Size

14KB
MD5

4dd6380506659028c3464b145e2de680
SHA1

f60c57dfdee0b05f43a6b3542ff34c24ac5882fa
SHA256

2899f00c87090337a106bdfc3d7ccf7f862e17cdf702b68d00d235bcfaf98d0c
SHA512

df53bbb7c36ae3952aea04335d3e7dfc7843f01459fdbbe05e3291c87bea47ddfaecfea7514b66708dd14040e8dfa169dcb8b7b01d7beb850d099ba22767cff4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhL:hDXWipuE+K3/SSHgxN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
848	DEM315D.exe
1712	DEM8833.exe
2484	DEMDF38.exe
2512	DEM35A1.exe
2444	DEM8B6E.exe
2852	DEME16A.exe

Loads dropped DLL 6 IoCs

pid	Process
1964	4dd6380506659028c3464b145e2de680_JC.exe
848	DEM315D.exe
1712	DEM8833.exe
2484	DEMDF38.exe
2512	DEM35A1.exe
2444	DEM8B6E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 848	1964	4dd6380506659028c3464b145e2de680_JC.exe	29
PID 1964 wrote to memory of 848	1964	4dd6380506659028c3464b145e2de680_JC.exe	29
PID 1964 wrote to memory of 848	1964	4dd6380506659028c3464b145e2de680_JC.exe	29
PID 1964 wrote to memory of 848	1964	4dd6380506659028c3464b145e2de680_JC.exe	29
PID 848 wrote to memory of 1712	848	DEM315D.exe	33
PID 848 wrote to memory of 1712	848	DEM315D.exe	33
PID 848 wrote to memory of 1712	848	DEM315D.exe	33
PID 848 wrote to memory of 1712	848	DEM315D.exe	33
PID 1712 wrote to memory of 2484	1712	DEM8833.exe	35
PID 1712 wrote to memory of 2484	1712	DEM8833.exe	35
PID 1712 wrote to memory of 2484	1712	DEM8833.exe	35
PID 1712 wrote to memory of 2484	1712	DEM8833.exe	35
PID 2484 wrote to memory of 2512	2484	DEMDF38.exe	37
PID 2484 wrote to memory of 2512	2484	DEMDF38.exe	37
PID 2484 wrote to memory of 2512	2484	DEMDF38.exe	37
PID 2484 wrote to memory of 2512	2484	DEMDF38.exe	37
PID 2512 wrote to memory of 2444	2512	DEM35A1.exe	40
PID 2512 wrote to memory of 2444	2512	DEM35A1.exe	40
PID 2512 wrote to memory of 2444	2512	DEM35A1.exe	40
PID 2512 wrote to memory of 2444	2512	DEM35A1.exe	40
PID 2444 wrote to memory of 2852	2444	DEM8B6E.exe	42
PID 2444 wrote to memory of 2852	2444	DEM8B6E.exe	42
PID 2444 wrote to memory of 2852	2444	DEM8B6E.exe	42
PID 2444 wrote to memory of 2852	2444	DEM8B6E.exe	42

C:\Users\Admin\AppData\Local\Temp\4dd6380506659028c3464b145e2de680_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4dd6380506659028c3464b145e2de680_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\DEM315D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM315D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\DEM8833.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8833.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\DEMDF38.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDF38.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\DEM35A1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM35A1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\DEM8B6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8B6E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\DEME16A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME16A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM315D.exe

Filesize
14KB

MD5
53ef467598d0fc8413144855c75065fa

SHA1
e17087df5ac0000f2874d21fa6c63be3c786221a

SHA256
b7c66a21292679d037303425ca6a1a7230ffc5fb5785e6027334e77fa001873c

SHA512
b4cc3ff7ba60092d576834cd35f5d883ebfd3447e8dbb68c3bf0325239de1bcede2acefde50aae040e7040670f4e1031eb33892bff9600ed2f0b5fcb1918c7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM315D.exe

Filesize
14KB

MD5
53ef467598d0fc8413144855c75065fa

SHA1
e17087df5ac0000f2874d21fa6c63be3c786221a

SHA256
b7c66a21292679d037303425ca6a1a7230ffc5fb5785e6027334e77fa001873c

SHA512
b4cc3ff7ba60092d576834cd35f5d883ebfd3447e8dbb68c3bf0325239de1bcede2acefde50aae040e7040670f4e1031eb33892bff9600ed2f0b5fcb1918c7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM35A1.exe

Filesize
14KB

MD5
b4aeebb5f003d293528e0eb2162ff5f3

SHA1
7cdeb8f0e0e17d418170cea3738762846fc52425

SHA256
ec4c4d5b1de7a03bef1872d31acd6eed952cca1c91c6e6438b86732be9291230

SHA512
629fd956bd7a1e30e10a4bfcac7fa539eb4584e259f614f32d35ba0fa2439c23cfefb6d7a32212488252b608ac9c5fc92954c6804695bfeaf16fed2a26a8ba42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM35A1.exe

Filesize
14KB

MD5
b4aeebb5f003d293528e0eb2162ff5f3

SHA1
7cdeb8f0e0e17d418170cea3738762846fc52425

SHA256
ec4c4d5b1de7a03bef1872d31acd6eed952cca1c91c6e6438b86732be9291230

SHA512
629fd956bd7a1e30e10a4bfcac7fa539eb4584e259f614f32d35ba0fa2439c23cfefb6d7a32212488252b608ac9c5fc92954c6804695bfeaf16fed2a26a8ba42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8833.exe

Filesize
14KB

MD5
c367f49401fd4d67d787e5d565af1132

SHA1
9e62bad5d2a1213a9e4ae2843b021c9d062c911e

SHA256
d0b41f85605b1c8b7d20568ffc936d95e5627775c60d44b752da052409ff553d

SHA512
b1a86c4a7986cb8fa1b5fa9a526110ca99e07e531cd43dc5ca31fc2fae06c55709dccdef813acc2bf8ce3257eef576b9222f0557cf9a0cd7b5b0321aa18a5fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8833.exe

Filesize
14KB

MD5
c367f49401fd4d67d787e5d565af1132

SHA1
9e62bad5d2a1213a9e4ae2843b021c9d062c911e

SHA256
d0b41f85605b1c8b7d20568ffc936d95e5627775c60d44b752da052409ff553d

SHA512
b1a86c4a7986cb8fa1b5fa9a526110ca99e07e531cd43dc5ca31fc2fae06c55709dccdef813acc2bf8ce3257eef576b9222f0557cf9a0cd7b5b0321aa18a5fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8833.exe

Filesize
14KB

MD5
c367f49401fd4d67d787e5d565af1132

SHA1
9e62bad5d2a1213a9e4ae2843b021c9d062c911e

SHA256
d0b41f85605b1c8b7d20568ffc936d95e5627775c60d44b752da052409ff553d

SHA512
b1a86c4a7986cb8fa1b5fa9a526110ca99e07e531cd43dc5ca31fc2fae06c55709dccdef813acc2bf8ce3257eef576b9222f0557cf9a0cd7b5b0321aa18a5fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B6E.exe

Filesize
14KB

MD5
8b1e5e748919e31da7f80d95de2abb30

SHA1
a871be1ad34de25120f8906e59fe0548b824be0c

SHA256
51e737dc2cc36d6b4dc444faef0577260a459861131b4e2714c61879b6c6cf9a

SHA512
8674d6618a7c413e3c1fdd0a2f6f0e0d5faab8d592cb2139cba66c29216ba872b8956c05045670ef0ae1903f7e42d4d76600d97f947916d07753de7c30200d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8B6E.exe

Filesize
14KB

MD5
8b1e5e748919e31da7f80d95de2abb30

SHA1
a871be1ad34de25120f8906e59fe0548b824be0c

SHA256
51e737dc2cc36d6b4dc444faef0577260a459861131b4e2714c61879b6c6cf9a

SHA512
8674d6618a7c413e3c1fdd0a2f6f0e0d5faab8d592cb2139cba66c29216ba872b8956c05045670ef0ae1903f7e42d4d76600d97f947916d07753de7c30200d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF38.exe

Filesize
14KB

MD5
800c3df75b3fd0cbab3e4a65c3f9c56b

SHA1
ae770bb7d547360a08c5d318be30ec1417917799

SHA256
76aa75948c826f836c94130506cc27018f89ffbd5d86c37a2a5651c324b1de2e

SHA512
afdddbcfa1751a67256c6ed55736c1e8fc5733ab32bdc30d51f763e2dc5ba45e6dfa78f18173acf3a8679a18ea1cb705bb3908a7934fde4c4d22b06ba884a1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDF38.exe

Filesize
14KB

MD5
800c3df75b3fd0cbab3e4a65c3f9c56b

SHA1
ae770bb7d547360a08c5d318be30ec1417917799

SHA256
76aa75948c826f836c94130506cc27018f89ffbd5d86c37a2a5651c324b1de2e

SHA512
afdddbcfa1751a67256c6ed55736c1e8fc5733ab32bdc30d51f763e2dc5ba45e6dfa78f18173acf3a8679a18ea1cb705bb3908a7934fde4c4d22b06ba884a1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME16A.exe

Filesize
14KB

MD5
72c1acc74980f070e4aef1c12f83d958

SHA1
2094a8e857911048ef03232eff6cb6da433c91ca

SHA256
59e13fef5c65be612cf0870cde2c69dd9e59338c8472876e69c4b090a4dccf7e

SHA512
dccaeeaba83c9015b9728457f42b772d099d101632b9ecdf16a3c1027cda30d473673a2ae6afc239393da1f3a4c5d0e9c37de16db84ba2e7eae76eba26ed1737

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME16A.exe

Filesize
14KB

MD5
72c1acc74980f070e4aef1c12f83d958

SHA1
2094a8e857911048ef03232eff6cb6da433c91ca

SHA256
59e13fef5c65be612cf0870cde2c69dd9e59338c8472876e69c4b090a4dccf7e

SHA512
dccaeeaba83c9015b9728457f42b772d099d101632b9ecdf16a3c1027cda30d473673a2ae6afc239393da1f3a4c5d0e9c37de16db84ba2e7eae76eba26ed1737

Download Submit
\Users\Admin\AppData\Local\Temp\DEM315D.exe

Filesize
14KB

MD5
53ef467598d0fc8413144855c75065fa

SHA1
e17087df5ac0000f2874d21fa6c63be3c786221a

SHA256
b7c66a21292679d037303425ca6a1a7230ffc5fb5785e6027334e77fa001873c

SHA512
b4cc3ff7ba60092d576834cd35f5d883ebfd3447e8dbb68c3bf0325239de1bcede2acefde50aae040e7040670f4e1031eb33892bff9600ed2f0b5fcb1918c7c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM35A1.exe

Filesize
14KB

MD5
b4aeebb5f003d293528e0eb2162ff5f3

SHA1
7cdeb8f0e0e17d418170cea3738762846fc52425

SHA256
ec4c4d5b1de7a03bef1872d31acd6eed952cca1c91c6e6438b86732be9291230

SHA512
629fd956bd7a1e30e10a4bfcac7fa539eb4584e259f614f32d35ba0fa2439c23cfefb6d7a32212488252b608ac9c5fc92954c6804695bfeaf16fed2a26a8ba42

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8833.exe

Filesize
14KB

MD5
c367f49401fd4d67d787e5d565af1132

SHA1
9e62bad5d2a1213a9e4ae2843b021c9d062c911e

SHA256
d0b41f85605b1c8b7d20568ffc936d95e5627775c60d44b752da052409ff553d

SHA512
b1a86c4a7986cb8fa1b5fa9a526110ca99e07e531cd43dc5ca31fc2fae06c55709dccdef813acc2bf8ce3257eef576b9222f0557cf9a0cd7b5b0321aa18a5fc6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8B6E.exe

Filesize
14KB

MD5
8b1e5e748919e31da7f80d95de2abb30

SHA1
a871be1ad34de25120f8906e59fe0548b824be0c

SHA256
51e737dc2cc36d6b4dc444faef0577260a459861131b4e2714c61879b6c6cf9a

SHA512
8674d6618a7c413e3c1fdd0a2f6f0e0d5faab8d592cb2139cba66c29216ba872b8956c05045670ef0ae1903f7e42d4d76600d97f947916d07753de7c30200d92

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDF38.exe

Filesize
14KB

MD5
800c3df75b3fd0cbab3e4a65c3f9c56b

SHA1
ae770bb7d547360a08c5d318be30ec1417917799

SHA256
76aa75948c826f836c94130506cc27018f89ffbd5d86c37a2a5651c324b1de2e

SHA512
afdddbcfa1751a67256c6ed55736c1e8fc5733ab32bdc30d51f763e2dc5ba45e6dfa78f18173acf3a8679a18ea1cb705bb3908a7934fde4c4d22b06ba884a1c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEME16A.exe

Filesize
14KB

MD5
72c1acc74980f070e4aef1c12f83d958

SHA1
2094a8e857911048ef03232eff6cb6da433c91ca

SHA256
59e13fef5c65be612cf0870cde2c69dd9e59338c8472876e69c4b090a4dccf7e

SHA512
dccaeeaba83c9015b9728457f42b772d099d101632b9ecdf16a3c1027cda30d473673a2ae6afc239393da1f3a4c5d0e9c37de16db84ba2e7eae76eba26ed1737

Download Submit