Analysis

  • max time kernel
    133s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    19-12-2023 11:01

General

  • Target

    0f1fa284edb8f594618e64d8f9c15845.exe

  • Size

    14KB

  • MD5

    0f1fa284edb8f594618e64d8f9c15845

  • SHA1

    fa98e54f2545b08c68a2763f84d9314815e23a3b

  • SHA256

    78a980545f1fd29d9463861e56bf14ef9d2f6d49fee296e49f2d14fa92ef0551

  • SHA512

    77a1687878cda3e206c4f82ea6baeeb63a77c4c8a3d45e5158619ba54422fad834e2679d9aa77c450173cba6c0538c712593fbcf9b55862194daed2d616d152b

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhph:hDXWipuE+K3/SSHgxN

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f1fa284edb8f594618e64d8f9c15845.exe
    "C:\Users\Admin\AppData\Local\Temp\0f1fa284edb8f594618e64d8f9c15845.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Users\Admin\AppData\Local\Temp\DEMECDE.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMECDE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Users\Admin\AppData\Local\Temp\DEM4338.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM4338.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Users\Admin\AppData\Local\Temp\DEM9933.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM9933.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2292
            • C:\Users\Admin\AppData\Local\Temp\DEMEEB2.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMEEB2.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1504
              • C:\Users\Admin\AppData\Local\Temp\DEM4441.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM4441.exe"
                7⤵
                • Executes dropped EXE
                PID:768

Network

  • 10.180.0.115:1337
    0f1fa284edb8f594618e64d8f9c15845.exe
    152 B
    3
  • 10.180.0.115:1337
    DEM96A4.exe
    152 B
    3
  • 10.180.0.115:1337
    DEMECDE.exe
    152 B
    3
  • 10.180.0.115:1337
    DEM4338.exe
    152 B
    3
  • 10.180.0.115:1337
    DEM9933.exe
    152 B
    3
  • 10.180.0.115:1337
    DEMEEB2.exe
    152 B
    3
  • 10.180.0.115:1337
    DEM4441.exe
    152 B
    3

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM4441.exe

    Filesize

    14KB

    MD5

    9838b09c98ec8284e6c8ea4c84bcf9cd

    SHA1

    e512158a7783a95c8915c6deb91824f1d77ac65c

    SHA256

    e7f2a67eb822e5eb37297c669b821c0987aa94f17b12b01dcc5e630d32af5121

    SHA512

    e8f6984b0318f5e920677107dd13fc88a6f8a06296604f8611d4b11eba4e08f4f5183c04052175e83a82cf6bb014c8cbc9fa14aba8d8fe20e683c107bb4e0625

  • C:\Users\Admin\AppData\Local\Temp\DEM96A4.exe

    Filesize

    14KB

    MD5

    e3a54b204c93091c452d903a4af6a954

    SHA1

    d1d85e31ee5683c3691ab0e2ab30b11d6ff521e7

    SHA256

    dc8df9c32db06e0776322d4da6810fc2f471ebd7fb25658ff185016ac97a11a2

    SHA512

    978114bbb50880ceb036d1099d6a069cc0fe0da3dfb96c3c1ad1745014a80b2adf43939aa2b89abaaca778d3bc2ae9044493e95ab2d18168ad75ba1b02c9cb0a

  • C:\Users\Admin\AppData\Local\Temp\DEM9933.exe

    Filesize

    14KB

    MD5

    ff8f77a9c6dc2075fdf0780e32c11ddb

    SHA1

    3b7e8f09cffef2d807e0da6ec96f4f74b57550d8

    SHA256

    e26504efe349c5230fc23098ed766775c74bb46b427bb521efb3989a73d99e98

    SHA512

    f0a17ffac961e5e7ea30538d4883f46c830ddb73bead934bff44b85c25461e45a28777388b8b54ed2618fbaa46369951c6a8786a80faea2fa31785d1ae9e904b

  • C:\Users\Admin\AppData\Local\Temp\DEMECDE.exe

    Filesize

    14KB

    MD5

    ff923651b78aca5277c638e7cbe48dbc

    SHA1

    0f0cdd6174474e08295133384fb382455b725b2f

    SHA256

    7d91ff499cdf5c0f9ce5a47aa8b5a3209c4251bce99d3e9097f0d51e1c3ab075

    SHA512

    a029c2e603084196ad6a8ef02070f044e99bc60ee272ff839604771bc17fff1c8ee19601d188de87c78a8af83b0e78babaed2eab0e4b9acbdd5ffec8888ea455

  • \Users\Admin\AppData\Local\Temp\DEM4338.exe

    Filesize

    14KB

    MD5

    a1a193202dd6990dcff9a08a6b644af6

    SHA1

    9631e0eb059b93e724154a561eea3873cf33219c

    SHA256

    07221650c2904c3c2261c636a5d9892fa933d0ff564c838fa605fd60929e1c79

    SHA512

    524439095a7be85890caea75adc7bc7b6a3e010309992a24ea8400a9e877b3cff903f8bc70ece895160f65bbbcd5721fe9a7acc8cda3c8972a5796d1d871c772

  • \Users\Admin\AppData\Local\Temp\DEMEEB2.exe

    Filesize

    14KB

    MD5

    46437689216b506729913e892d3abf65

    SHA1

    4baf4efdfb255fceebb5b0b60ee992845a3cf57f

    SHA256

    3d3f475be8fb704a77509991af28b502c36482ccaab7b569dfe5fadc75af0205

    SHA512

    27d30ba56746d07107a76bad711cc3589c62687f18a3943aa9d9068003c7019fdf4dc7b9372844774f537da65ca565e1fb52c21cc509d6378648844a35367b12
