59cdce9bb4f2de55633869834dec6695c880032fb5b7e053da34b17f173b87e5

General

Target

0f824124f6d7bf55ff9301e499fb087f.exe
Size

15KB
MD5

0f824124f6d7bf55ff9301e499fb087f
SHA1

93ab6e6cc250554b1a6f5bc70cb89d0d602842ff
SHA256

59cdce9bb4f2de55633869834dec6695c880032fb5b7e053da34b17f173b87e5
SHA512

60e203903a87828b758682283bc8f39884344fab0d3dfdff9c3108a2700d65dd084ed3b0ee31e3cda7b79e3a2563b42893ad6e54830a19ed503e9a10c30ddf64
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcPaJ:hDXWipuE+K3/SSHgxmkCJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2640	DEM1DFC.exe
2708	DEM738B.exe
2944	DEMC986.exe
1640	DEM1E69.exe
2904	DEM735C.exe
2008	DEMC86D.exe

Loads dropped DLL 6 IoCs

pid	Process
1724	0f824124f6d7bf55ff9301e499fb087f.exe
2640	DEM1DFC.exe
2708	DEM738B.exe
2944	DEMC986.exe
1640	DEM1E69.exe
2904	DEM735C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2640	1724	0f824124f6d7bf55ff9301e499fb087f.exe	29
PID 1724 wrote to memory of 2640	1724	0f824124f6d7bf55ff9301e499fb087f.exe	29
PID 1724 wrote to memory of 2640	1724	0f824124f6d7bf55ff9301e499fb087f.exe	29
PID 1724 wrote to memory of 2640	1724	0f824124f6d7bf55ff9301e499fb087f.exe	29
PID 2640 wrote to memory of 2708	2640	DEM1DFC.exe	31
PID 2640 wrote to memory of 2708	2640	DEM1DFC.exe	31
PID 2640 wrote to memory of 2708	2640	DEM1DFC.exe	31
PID 2640 wrote to memory of 2708	2640	DEM1DFC.exe	31
PID 2708 wrote to memory of 2944	2708	DEM738B.exe	36
PID 2708 wrote to memory of 2944	2708	DEM738B.exe	36
PID 2708 wrote to memory of 2944	2708	DEM738B.exe	36
PID 2708 wrote to memory of 2944	2708	DEM738B.exe	36
PID 2944 wrote to memory of 1640	2944	DEMC986.exe	38
PID 2944 wrote to memory of 1640	2944	DEMC986.exe	38
PID 2944 wrote to memory of 1640	2944	DEMC986.exe	38
PID 2944 wrote to memory of 1640	2944	DEMC986.exe	38
PID 1640 wrote to memory of 2904	1640	DEM1E69.exe	39
PID 1640 wrote to memory of 2904	1640	DEM1E69.exe	39
PID 1640 wrote to memory of 2904	1640	DEM1E69.exe	39
PID 1640 wrote to memory of 2904	1640	DEM1E69.exe	39
PID 2904 wrote to memory of 2008	2904	DEM735C.exe	41
PID 2904 wrote to memory of 2008	2904	DEM735C.exe	41
PID 2904 wrote to memory of 2008	2904	DEM735C.exe	41
PID 2904 wrote to memory of 2008	2904	DEM735C.exe	41

C:\Users\Admin\AppData\Local\Temp\0f824124f6d7bf55ff9301e499fb087f.exe
"C:\Users\Admin\AppData\Local\Temp\0f824124f6d7bf55ff9301e499fb087f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1DFC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\DEM738B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM738B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\DEMC986.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC986.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Users\Admin\AppData\Local\Temp\DEM1E69.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1E69.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Users\Admin\AppData\Local\Temp\DEM735C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM735C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\DEMC86D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC86D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1E69.exe

Filesize
15KB

MD5
0fba7a71b1d334e948d894749f7127c9

SHA1
3bda5524e66900be0cf53b05542240de04b44b19

SHA256
f5e427c6243fd8ba6ab38e229624a8433aaf478fd0f033b8c0fa447ea0deac06

SHA512
31242025e7fe735bf6e9be8a96f4f4a3ae791fdc95d61a2a0dfae5da9f77d44579762608d966348217b9778d17eed1500f6498cc4e01b4e10363aaf9bc6f1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM735C.exe

Filesize
15KB

MD5
9d01018e3796ca7dcb4a4cefd4e94754

SHA1
a79a3e68463d6090285b8157d89c646073fa59bc

SHA256
3b4a0099614f3181e19983163b2749041e2bce897224ff212b2a039e812104c5

SHA512
c772cccaef3a1b2b029b58a3c7ea0ef3345b5bd19ddb88a05b7646c3d812250d62f0599f8b599fc2fddf16db618c1fc6b43e4cc4ce56cedcc07f0ccff4661caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM738B.exe

Filesize
15KB

MD5
eb4f465221ff83976edf1dc73af338f2

SHA1
29b2d69b5a737c646b00836487106c06dad513d4

SHA256
c155f4ccd0b68c11303c71a13239e77e9d65ec60be240f0f961ebe0cf93f3afb

SHA512
7a1fbf4f05760d68b46f57c572e8b1f8fac3081dd686e61decef0a969c66d9353fff99379f8848a461299271262fc85ec0f9734fead7306ea10732b0a64e2d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC986.exe

Filesize
15KB

MD5
80090a94fdd16333bcd53ec7a1cfe1b7

SHA1
25cf03fe99bdaa85464ba0bae61beb3ef7892064

SHA256
d836a134e99a217bd7ef68441799321811edd289250051bae5719b81d7065105

SHA512
cd1873ce0bee87948731d0497adec603773594a1270cfac333f52d92cfee332e35a67daa08658adbfe46957227a59bbf90a2e363ee75bd90300c3c6ceec1db4f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1DFC.exe

Filesize
15KB

MD5
391b5d252462a6fbba1c86c44ae55816

SHA1
df7344a251713319e7ba0c931c1fdda4db87671f

SHA256
69a88156a26130c20d27c527e03c5cafcc446f3e65b00af135d47b69a79db117

SHA512
4c4778ce93319a363500709e5d675d940f028a381f21e093b161c4a72c9937ac173c1d6311b2d4f280006e39213560b086d07d0bcaac99556252bf18ef619c57

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC86D.exe

Filesize
15KB

MD5
37521003101151320ce15318bbea02f3

SHA1
1f5eb8ddbd3eb91850bf0cf90ec2579ac2f2d423

SHA256
50acd375f4fdf0f0d77d980f702769392f6bbed80b29e824879a2d863e871ed1

SHA512
f69888fc39e55acad066b3819b948bfc722e2091d72a589cde2a97a084892bf356ff4b932da8ee93a2176a507c6ddf2cf602787c147f885f0eb189d96d8f76a6

Download Submit

Analysis

Sharing