Analysis
max time kernel: 133s
max time network: 145s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2023 11:06
Static task: static1
Behavioral task: behavioral1
  Sample: 1009ea531d3d797473a9dc83253ccbae.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1009ea531d3d797473a9dc83253ccbae.exe
  Resource: win10v2004-20231215-en
General
Target: 1009ea531d3d797473a9dc83253ccbae.exe
Size: 14KB
MD5: 1009ea531d3d797473a9dc83253ccbae
SHA1: 9a71c4e1ee8985e31daf199c0949ea5f04029e72
SHA256: ef0c9f16b25112683141dfb647fe35ff5889a432070769fb0ec9893f20828180
SHA512: 60e651930504f3d3fec18ce1f89a105a02bce3785e4fd6cdc923e4d06916bd298bcaa24198e0d73e535819354fa90d6754aa4e1ebcd4d6d6c53a673040a2ba29
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cU:hDXWipuE+K3/SSHgx8
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
  pid   Process
  2688  DEM48B4.exe
  2228  DEM9FF7.exe
  2944  DEMF5F3.exe
  2604  DEM4C4C.exe
  2884  DEMA229.exe
  1328  DEMF798.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  1744  1009ea531d3d797473a9dc83253ccbae.exe
  2688  DEM48B4.exe
  2228  DEM9FF7.exe
  2944  DEMF5F3.exe
  2604  DEM4C4C.exe
  2884  DEMA229.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                               procid_target
  PID 1744 wrote to memory of 2688  1744  1009ea531d3d797473a9dc83253ccbae.exe  29
  PID 1744 wrote to memory of 2688  1744  1009ea531d3d797473a9dc83253ccbae.exe  29
  PID 1744 wrote to memory of 2688  1744  1009ea531d3d797473a9dc83253ccbae.exe  29
  PID 1744 wrote to memory of 2688  1744  1009ea531d3d797473a9dc83253ccbae.exe  29
  PID 2688 wrote to memory of 2228  2688  DEM48B4.exe                           33
  PID 2688 wrote to memory of 2228  2688  DEM48B4.exe                           33
  PID 2688 wrote to memory of 2228  2688  DEM48B4.exe                           33
  PID 2688 wrote to memory of 2228  2688  DEM48B4.exe                           33
  PID 2228 wrote to memory of 2944  2228  DEM9FF7.exe                           35
  PID 2228 wrote to memory of 2944  2228  DEM9FF7.exe                           35
  PID 2228 wrote to memory of 2944  2228  DEM9FF7.exe                           35
  PID 2228 wrote to memory of 2944  2228  DEM9FF7.exe                           35
  PID 2944 wrote to memory of 2604  2944  DEMF5F3.exe                           38
  PID 2944 wrote to memory of 2604  2944  DEMF5F3.exe                           38
  PID 2944 wrote to memory of 2604  2944  DEMF5F3.exe                           38
  PID 2944 wrote to memory of 2604  2944  DEMF5F3.exe                           38
  PID 2604 wrote to memory of 2884  2604  DEM4C4C.exe                           39
  PID 2604 wrote to memory of 2884  2604  DEM4C4C.exe                           39
  PID 2604 wrote to memory of 2884  2604  DEM4C4C.exe                           39
  PID 2604 wrote to memory of 2884  2604  DEM4C4C.exe                           39
  PID 2884 wrote to memory of 1328  2884  DEMA229.exe                           41
  PID 2884 wrote to memory of 1328  2884  DEMA229.exe                           41
  PID 2884 wrote to memory of 1328  2884  DEMA229.exe                           41
  PID 2884 wrote to memory of 1328  2884  DEMA229.exe                           41
Processes
C:\Users\Admin\AppData\Local\Temp\1009ea531d3d797473a9dc83253ccbae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1009ea531d3d797473a9dc83253ccbae.exe"
  PID: 1744
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DEM48B4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM48B4.exe"
    PID: 2688
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DEM9FF7.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9FF7.exe"
      PID: 2228
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\DEMF5F3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF5F3.exe"
        PID: 2944
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\DEM4C4C.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4C4C.exe"
          PID: 2604
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\DEMA229.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMA229.exe"
            PID: 2884
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\DEMF798.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF798.exe"
              PID: 1328
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 3b77460f3f42d57777dbd6d63a70ddc5
SHA1: 842c0a770735fb46c19e5a729d961bac9fbc8f2c
SHA256: aecaeffe456a112fb915854ca746cdaef41fa098e1bc710e8a3221bff196fc96
SHA512: bebbc9ebbed6417c02cdbdbf93ff2f6e26afc9cdfba2c6aec807bacc10232e8c4cff43053dc26fc8adb35e99846b4951a71b8bf176d5b1298be9479aeb1454f6

Filesize: 14KB
MD5: d44b06055f3536a15547382835f74638
SHA1: e22af732395f7fff73519cd50686557441bcf5bc
SHA256: 56ff904aab4a90b875e575b9e24d8a29f068ad791dad2a3818f05274cf1262f9
SHA512: ead23c9e1c1cce9877c8f90175ed631570fc8a3e736b0c94699a3da6eb078c1edbe15a10dd639cb4d00d8cb9d659c6b7cbcc9619df5752413c0670fb4416bd2f

Filesize: 14KB
MD5: b0bd42749713b8298ed86fcef5b560aa
SHA1: a1d6b3079a33badd4f69161d2133f220b653f3c7
SHA256: 6cf601c4ce4add407e963eac3a4e01a9ecfc23e230db843907cc8493006e9de8
SHA512: 631cc338a98367aa4be48e48f8c67b9bd286e15d748e02b8df9aa885453134365fbcdba7f5cf73366b8f7fd995f1b9d92acae98641eb89a38d6d8bdf47eed090

Filesize: 14KB
MD5: 290cd12f97627c9173a501d68623be4c
SHA1: d7433509e116634089e46ac9af0059eb2fadf638
SHA256: 525b945d94733112d57d2f16f030b414a8446a0249db377d846ae4f67bdb7793
SHA512: 69ab8d17d3febe5563c3582e76427aacc92416a6d4ee9fb8a63cc91858de4f21a7a6e8593c5256651ef558a1b33a20f73eae7729bc70325f1369a32482e5ea07

Filesize: 14KB
MD5: 3d637ed6eed60ee9a652a4d133fef251
SHA1: c7e113c1ddd02cf8b6f8e41c9c6f31efe2604301
SHA256: a9c766ab460c4bc790834572a88941c5ffddcea50d1444f0bc44591a60ec0e83
SHA512: ad2c9af755b32ef8ad356ae9d2ebb1a76c3e281e0af326444ecd5f6c5f08c2ff1490309b830712418f44a375e2e68c6cfe4ac7f804fadecc1aa7bdc9dfc09293

Filesize: 14KB
MD5: b64bc09f72789301068a35c5bbb027bd
SHA1: e610c320a03ac9976c6a27282c5fc6156c55d0e6
SHA256: 616e1e51357aa57449cb3acea3c8d8aa075343528bfd12324fa51867a03cf3b5
SHA512: 5ad22505fa0c037af68d4599598b5c9dfcb5cdbf1fa395df8759fa4265c944a2fd513fc2d93b0f9a8d1f66e2a901ef6069c2a45e7e728605b7f322661cdbf5d9