eda7d25ba46610a964877ae1536922f3cc2fdfad7e3786e4d51ebde6cf103ca4

General

Target

b05ed7572f180c53430cff8ec6fa600a.exe
Size

15KB
MD5

b05ed7572f180c53430cff8ec6fa600a
SHA1

31647edcc5e4237fc460816625e7e3e3fc7ca2c6
SHA256

eda7d25ba46610a964877ae1536922f3cc2fdfad7e3786e4d51ebde6cf103ca4
SHA512

a3ce7f2aef6d469c0721fab450c22cb639d36b4c12bfa713504577862fe86d09ea5b9f5bc5a1250a379567cd1fcb1351af5e23ee1fe69b9138c40b5229c70ba9
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxk:hDXWipuE+K3/SSHgxmHS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2736	DEM6C89.exe
2588	DEMC477.exe
736	DEM1B3E.exe
1624	DEM7169.exe
1260	DEMC84E.exe
1952	DEM1ED6.exe

Loads dropped DLL 6 IoCs

pid	Process
2112	b05ed7572f180c53430cff8ec6fa600a.exe
2736	DEM6C89.exe
2588	DEMC477.exe
736	DEM1B3E.exe
1624	DEM7169.exe
1260	DEMC84E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2736	2112	b05ed7572f180c53430cff8ec6fa600a.exe	29
PID 2112 wrote to memory of 2736	2112	b05ed7572f180c53430cff8ec6fa600a.exe	29
PID 2112 wrote to memory of 2736	2112	b05ed7572f180c53430cff8ec6fa600a.exe	29
PID 2112 wrote to memory of 2736	2112	b05ed7572f180c53430cff8ec6fa600a.exe	29
PID 2736 wrote to memory of 2588	2736	DEM6C89.exe	33
PID 2736 wrote to memory of 2588	2736	DEM6C89.exe	33
PID 2736 wrote to memory of 2588	2736	DEM6C89.exe	33
PID 2736 wrote to memory of 2588	2736	DEM6C89.exe	33
PID 2588 wrote to memory of 736	2588	DEMC477.exe	35
PID 2588 wrote to memory of 736	2588	DEMC477.exe	35
PID 2588 wrote to memory of 736	2588	DEMC477.exe	35
PID 2588 wrote to memory of 736	2588	DEMC477.exe	35
PID 736 wrote to memory of 1624	736	DEM1B3E.exe	37
PID 736 wrote to memory of 1624	736	DEM1B3E.exe	37
PID 736 wrote to memory of 1624	736	DEM1B3E.exe	37
PID 736 wrote to memory of 1624	736	DEM1B3E.exe	37
PID 1624 wrote to memory of 1260	1624	DEM7169.exe	39
PID 1624 wrote to memory of 1260	1624	DEM7169.exe	39
PID 1624 wrote to memory of 1260	1624	DEM7169.exe	39
PID 1624 wrote to memory of 1260	1624	DEM7169.exe	39
PID 1260 wrote to memory of 1952	1260	DEMC84E.exe	41
PID 1260 wrote to memory of 1952	1260	DEMC84E.exe	41
PID 1260 wrote to memory of 1952	1260	DEMC84E.exe	41
PID 1260 wrote to memory of 1952	1260	DEMC84E.exe	41

C:\Users\Admin\AppData\Local\Temp\b05ed7572f180c53430cff8ec6fa600a.exe
"C:\Users\Admin\AppData\Local\Temp\b05ed7572f180c53430cff8ec6fa600a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\DEM6C89.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6C89.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\DEMC477.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC477.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\DEM1B3E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM1B3E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:736
    - - C:\Users\Admin\AppData\Local\Temp\DEM7169.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7169.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\DEMC84E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC84E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\DEM1ED6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1ED6.exe"
        7⤵
        Executes dropped EXE
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMC477.exe

Filesize
15KB

MD5
813a4db6812f690fc57a252cb3c800f6

SHA1
87d55dbce034835cb408a66cd40320336ba82d26

SHA256
b3e953cff66d12da5fe3ed188602ba4ee26b48183b0f4cade4747e76b4ed1eb7

SHA512
e588db327cf55a3d30327a22e74024fe7485c1adb7505cc37da8f249dfdfc3b746f22228c01ae8f764796ab5d060c7fc050fdc0c360c17b223c789ab33ea4e6f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1B3E.exe

Filesize
15KB

MD5
1c203da6065932e7e63de168f1ce637c

SHA1
4188c1402f38b5ed0b1b10e6776641b1351418d7

SHA256
a82197e93d63575126a174e646937d048b87607b17baa8e29c06c063c34c66b7

SHA512
afacdd9f57b5084653a51d8bdb79239e638fa6fbbd0b2242d44fe211dfb4bbd9b3a7a97484cafac86f53d0e44419bddfb6024bde3cdf15e422ebee6a8c0dd864

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1ED6.exe

Filesize
15KB

MD5
00e28d9b56dc2f72552eccbf1aaeced3

SHA1
1ed2dd8a220230fd2ade0eebd9d0a3ddad451787

SHA256
e387ee07b48251bca22d2b07983ec3e726af7f9ed3edbf0829003ed6ba0bfa65

SHA512
26e0535d119b1b98097602c85c9a829a6fd427fe17cb4d88b176b46d9ee690071c3327db9447af22fba3baf5304f78544436cfbd2dbb783fd401a4f68b1ce8df

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6C89.exe

Filesize
15KB

MD5
535a427abd71d728c85024bef52c5e4a

SHA1
0886bd54267fb4e7d43d03ab37cfe59450653c38

SHA256
4b4fc3d486b12e93a14b4a8ca5985605b0b453265ea03ee8024bfb846110c2c5

SHA512
8157eeb7d6502d6f996481ec228e593d2f5f6819a9160ba660cdcbb60a34261a6caed82d1b50d3a6165b574cd481afdeed255e7eebdec784fcc051e9f8e29cd8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7169.exe

Filesize
15KB

MD5
06a742def9fe337e60dfbd8311b83b51

SHA1
242ca0eb33d2e16448df672a6e6e9ffa17af6be4

SHA256
479a9017921de8205a14c1220ff02f95504dd4840c28dba9205c6a04c9f5cf5a

SHA512
3ddaec865a282599c90655d9a5fa19187252dc0030146cc3a5f44f32b42787f481c0c63adbe586a4c941b5f4b5d49647adc90a96e6619ee1c7e14a5785c264a9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC84E.exe

Filesize
15KB

MD5
5cc163d7996c8ffb05e822505e008311

SHA1
8ffa1551403ef162bcb6c7b593332d0a25ce999e

SHA256
dcf18b3d2db79412b64edc891c211e6836ed5f3c69f340d4fc67723e5f9c16c4

SHA512
4d3ed372c0ba161c3367502dcd0fb290a63635f34aa36fec4f58655f71a5a475fdb2b1c89b337305b1373765dac7ca9b050fee7687d6dff282de5263784fb8ee

Download Submit

Analysis

Sharing