6f6077fd419345d0cadec8ec5ddf13fe43ecc6faf492a43a244363bb005020ee

General

Target

b0b457433352200c9269a12a1e696e10.exe
Size

14KB
MD5

b0b457433352200c9269a12a1e696e10
SHA1

43efa9a23d97b896d0775329ebcb1bcc4b7f4f51
SHA256

6f6077fd419345d0cadec8ec5ddf13fe43ecc6faf492a43a244363bb005020ee
SHA512

4cefd36a436ec8a88098d6d8cc9a0794eabb0bd3a4d1b61494f7ec410a959bb52e3670ab53a81e2c009ee7cb02ff381d95a99da5a1d56e90faf31995dc260a0a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhL:hDXWipuE+K3/SSHgxF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2756	DEM1140.exe
2704	DEM674B.exe
2848	DEMBD08.exe
1588	DEM1314.exe
1124	DEM68C1.exe
1836	DEMBE31.exe

Loads dropped DLL 6 IoCs

pid	Process
2956	b0b457433352200c9269a12a1e696e10.exe
2756	DEM1140.exe
2704	DEM674B.exe
2848	DEMBD08.exe
1588	DEM1314.exe
1124	DEM68C1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2756	2956	b0b457433352200c9269a12a1e696e10.exe	29
PID 2956 wrote to memory of 2756	2956	b0b457433352200c9269a12a1e696e10.exe	29
PID 2956 wrote to memory of 2756	2956	b0b457433352200c9269a12a1e696e10.exe	29
PID 2956 wrote to memory of 2756	2956	b0b457433352200c9269a12a1e696e10.exe	29
PID 2756 wrote to memory of 2704	2756	DEM1140.exe	32
PID 2756 wrote to memory of 2704	2756	DEM1140.exe	32
PID 2756 wrote to memory of 2704	2756	DEM1140.exe	32
PID 2756 wrote to memory of 2704	2756	DEM1140.exe	32
PID 2704 wrote to memory of 2848	2704	DEM674B.exe	35
PID 2704 wrote to memory of 2848	2704	DEM674B.exe	35
PID 2704 wrote to memory of 2848	2704	DEM674B.exe	35
PID 2704 wrote to memory of 2848	2704	DEM674B.exe	35
PID 2848 wrote to memory of 1588	2848	DEMBD08.exe	37
PID 2848 wrote to memory of 1588	2848	DEMBD08.exe	37
PID 2848 wrote to memory of 1588	2848	DEMBD08.exe	37
PID 2848 wrote to memory of 1588	2848	DEMBD08.exe	37
PID 1588 wrote to memory of 1124	1588	DEM1314.exe	39
PID 1588 wrote to memory of 1124	1588	DEM1314.exe	39
PID 1588 wrote to memory of 1124	1588	DEM1314.exe	39
PID 1588 wrote to memory of 1124	1588	DEM1314.exe	39
PID 1124 wrote to memory of 1836	1124	DEM68C1.exe	41
PID 1124 wrote to memory of 1836	1124	DEM68C1.exe	41
PID 1124 wrote to memory of 1836	1124	DEM68C1.exe	41
PID 1124 wrote to memory of 1836	1124	DEM68C1.exe	41

C:\Users\Admin\AppData\Local\Temp\b0b457433352200c9269a12a1e696e10.exe
"C:\Users\Admin\AppData\Local\Temp\b0b457433352200c9269a12a1e696e10.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\DEM1140.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1140.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\DEM674B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM674B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\DEMBD08.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBD08.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\DEM1314.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1314.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\DEM68C1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM68C1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\DEMBE31.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBE31.exe"
        7⤵
        Executes dropped EXE
        
        PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM674B.exe

Filesize
14KB

MD5
4bc26196c04abf7492cc3a6686f888e1

SHA1
3103ffc3704e700a0d2f6f2fe2cae2c2b23d6222

SHA256
33eca5087649d221cd93d5d41c991497d5baa0901a9759d6f1b945a3b8ab27a9

SHA512
b47c89c2d665eb4e8130fec25a22ba699ab7326c5bf123d51be1b113b6057acd88eb5fbab224b7a0f2f55946466e58bc35dddf2f4fae18394110a0997e40f558

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBE31.exe

Filesize
14KB

MD5
15bef264638f0fa8f284bb52eac879ca

SHA1
138d8dade378eac6bf0fdc0afc353136e9090ab0

SHA256
4081e3bd4811dc804fe0c2e82cc67f02f2574ec74f677b2bec92fc8dcbda0a65

SHA512
9e775204795d76f55f7fc1f053bba0ec1d707322eaa167eb59d69015aac3e66543eabb4b441b97d4ddeb87b41695f6ccd413cf5c9cc16cb33d80ef631bbc89f0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1140.exe

Filesize
14KB

MD5
e88bd105dcdf112be856da84f29d13bc

SHA1
66f7e434781f84cbc7393857e99c5bd22ff97d6d

SHA256
6122e04a746ad0b3f74cd8187be5dd7d16935153f2d2caed545f4a4eb083d783

SHA512
2068aee7528657a2d7a604cab1ffa6e354239658c7615ae2ce8c281051f431edf9361de13a4dec0cfd5947f27ab72f49d5cac89ae1c8fc88270792be173c44cb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1314.exe

Filesize
14KB

MD5
2f3a66d9f6e29a86dc01b8c2d9f678fd

SHA1
934a8c744ced7e5143a4b104e59b38c28d906b9b

SHA256
3eb656c4a6de74989fd06454c3ee7f8ca888170bc6939db6d46b3d7003888f4f

SHA512
79275396de3e62f7e376e6501429fb32e378e1c8d1a9e00ec4a2223739c48db9ca7668492428dc52c9f176ad865ed7a029bf4d5075aff7bc149b95d3208ab77d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM68C1.exe

Filesize
14KB

MD5
34c729bbd9b97ad9402f668784e53b43

SHA1
e861cef390a281472c86deefc441cb324ba41ab6

SHA256
b6eef6bc7d9b38f6c215d5cf80e638846c099375732605c98911ef7406650625

SHA512
6cce3396be349c0da09f863fd7303bee354a5a098c3799613af57f84517e339ff1dbd49cd27632bc44837bc39247f097f1fa0668732631d8b49d7e7f34f75107

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBD08.exe

Filesize
14KB

MD5
50b3d7515d3ff2f18c28756fb67bb2fe

SHA1
8b120f3b94d7aaebdf11645f63bb5716fd3176c4

SHA256
c086907694e7523405fc622281adf8499440c55dffb153996a14216c7124dab0

SHA512
f6dbf9975eb1bc9157ae6e6247f9a622522e2c14bcd5144af4d3722e1d32ab9d12b83c8e063fd9dbe506e682aa331bc9be925f838848da2d71143e4bb25940be

Download Submit

Analysis

Sharing