a5c119e37ae4192a641c06d2ae0a838248841fb1f6a6e31b7ff66182eeb13c28

General

Target

0e7604aa19491780466bbce970d866bc.exe
Size

16KB
MD5

0e7604aa19491780466bbce970d866bc
SHA1

d1cc575f87b5193b8563c619a0769a73307cfda5
SHA256

a5c119e37ae4192a641c06d2ae0a838248841fb1f6a6e31b7ff66182eeb13c28
SHA512

7e9d2ab68f1c35c290510434fa50a857cde5158d2b70ef5657559db21dca994d4f29eba8aff2175412ee9c2230d693b9690facea5225ff30fae296853146feeb
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlHT7:hDXWipuE+K3/SSHgxmln

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2248	DEM400C.exe
2552	DEM96B4.exe
2904	DEMEC62.exe
1088	DEM43E3.exe
1116	DEM9B07.exe
1744	DEMF170.exe

Loads dropped DLL 6 IoCs

pid	Process
1900	0e7604aa19491780466bbce970d866bc.exe
2248	DEM400C.exe
2552	DEM96B4.exe
2904	DEMEC62.exe
1088	DEM43E3.exe
1116	DEM9B07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2248	1900	0e7604aa19491780466bbce970d866bc.exe	29
PID 1900 wrote to memory of 2248	1900	0e7604aa19491780466bbce970d866bc.exe	29
PID 1900 wrote to memory of 2248	1900	0e7604aa19491780466bbce970d866bc.exe	29
PID 1900 wrote to memory of 2248	1900	0e7604aa19491780466bbce970d866bc.exe	29
PID 2248 wrote to memory of 2552	2248	DEM400C.exe	33
PID 2248 wrote to memory of 2552	2248	DEM400C.exe	33
PID 2248 wrote to memory of 2552	2248	DEM400C.exe	33
PID 2248 wrote to memory of 2552	2248	DEM400C.exe	33
PID 2552 wrote to memory of 2904	2552	DEM96B4.exe	35
PID 2552 wrote to memory of 2904	2552	DEM96B4.exe	35
PID 2552 wrote to memory of 2904	2552	DEM96B4.exe	35
PID 2552 wrote to memory of 2904	2552	DEM96B4.exe	35
PID 2904 wrote to memory of 1088	2904	DEMEC62.exe	37
PID 2904 wrote to memory of 1088	2904	DEMEC62.exe	37
PID 2904 wrote to memory of 1088	2904	DEMEC62.exe	37
PID 2904 wrote to memory of 1088	2904	DEMEC62.exe	37
PID 1088 wrote to memory of 1116	1088	DEM43E3.exe	39
PID 1088 wrote to memory of 1116	1088	DEM43E3.exe	39
PID 1088 wrote to memory of 1116	1088	DEM43E3.exe	39
PID 1088 wrote to memory of 1116	1088	DEM43E3.exe	39
PID 1116 wrote to memory of 1744	1116	DEM9B07.exe	41
PID 1116 wrote to memory of 1744	1116	DEM9B07.exe	41
PID 1116 wrote to memory of 1744	1116	DEM9B07.exe	41
PID 1116 wrote to memory of 1744	1116	DEM9B07.exe	41

C:\Users\Admin\AppData\Local\Temp\0e7604aa19491780466bbce970d866bc.exe
"C:\Users\Admin\AppData\Local\Temp\0e7604aa19491780466bbce970d866bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\DEM400C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM400C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\DEM96B4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM96B4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\DEMEC62.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEC62.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\DEM43E3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM43E3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1088
      - C:\Users\Admin\AppData\Local\Temp\DEM9B07.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9B07.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\DEMF170.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF170.exe"
        7⤵
        Executes dropped EXE
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM96B4.exe

Filesize
16KB

MD5
557b846684e4fe549389250fa9e7062a

SHA1
4f009dbfbba4072e428d7650fb3122584e349f46

SHA256
cc298594ce0993beede6142e7732d825fc17c8dd17a25104b782c042fdaba9ce

SHA512
3e3363fdcc1b400e79be0f6e27e89959240752f38500170f78e89e049b27a2ad4c270ac3629cf900080720f71dc165a869b82c0c1ef13173299edfc33c85dd2e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM400C.exe

Filesize
16KB

MD5
cb41df528e480e4aa4be000cfeb54873

SHA1
43c9db9518a49b61e3457f68e5e491f920f888e5

SHA256
6fce54b4d2b787b80a5fcb62df18cbb8bd55f09d77a474a90e8274b677eb51bb

SHA512
3ac0272fb845c447eef0324407d9ebe5081686ce27681da29dca162e4a7fbc2438f3eb4b7a86c69ba0105fc8359517a2ecd2159d2981c982e82f72e0ce6a7269

Download Submit
\Users\Admin\AppData\Local\Temp\DEM43E3.exe

Filesize
16KB

MD5
50f519c0d8c9f5bee17ede268f9c39b8

SHA1
89a12f0be89474f7d93c018b4a9389a74d92b0d1

SHA256
5224f151f99781ea89d5d224ef93325bc3f3354abf4a9cd365b9727570f150b1

SHA512
f2deae1399013a288017c2e08b0d41290675d44dcc4b8d78e0e8ef918f5204e19d19649d9d6bbd90dcf7d3277221c5af9ee96dcf86db124d5fd4f040a8c5aa55

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9B07.exe

Filesize
16KB

MD5
d044fd9d76a40e12819b30d3e512a409

SHA1
563a084066a9290c9672659bd32357619423ffec

SHA256
94c349ff7c33a45f3c4bc8da826adf194bb925e3a84b5e042c27e67194d75dad

SHA512
bdaaec632f3336fc523a6de806837c58b47d60751eb895f4a2e11df2cf317d47bcf4cf42bc73c24a88268364497897ae52cc29fa73cc86ee910fc5ddeba4a0b4

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEC62.exe

Filesize
16KB

MD5
5c0d0a7845067925d2ce9800e97613cd

SHA1
03ca25b0e0a2764040700d75afdaefecae6c98cb

SHA256
be216e9ef1509722ba8e00b4ab1d73e4d2d0b544ee1e5a8e164a4048173c08d4

SHA512
e50b50b09ecc3e44efc6b83c487cc06bc6c7584e7fbee4fd51a6ced91c4fb6116b63977098cf2f2ce79005ea8461654a0bbf2fe71dc5cd2ee104bfde75837cbd

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF170.exe

Filesize
16KB

MD5
c959677852027b09577f8c31227227a0

SHA1
29759f98d57895bc8975adbf3aae05a9ddc69bd0

SHA256
e4731cfe6ea9049dd5230ede4f3cd560919679f94ef244e18e17732aa4a32de0

SHA512
407e9e81bf5f3a54df6558beaa1761d05a0395d34c8108a3f2c7f149e7b69fbcd94597b4c2985df5650f1acf234b3ae67d56a29c842ebe17df76853eb5596367

Download Submit

Analysis

Sharing