a5651323622574a903e66179db7ae80352e648fee1ea6d05851a60b54b76e30d

General

Target

1022f0ec1785708d916e46ed9b50388f.exe
Size

14KB
MD5

1022f0ec1785708d916e46ed9b50388f
SHA1

892bbf1f6cf0522780acddbb44226bc64a692d87
SHA256

a5651323622574a903e66179db7ae80352e648fee1ea6d05851a60b54b76e30d
SHA512

520b4f52820d3382374c52374b670f3142a837a080cd7ade7abf0834a24ad295e6fd0026991e8ee33f7526bb8e185e28dedc5e7573a965d2d67f3fe1bdfa36b0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0E:hDXWipuE+K3/SSHgx4E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2768	DEM426D.exe
3056	DEM9869.exe
3036	DEMEDA9.exe
1588	DEM43B4.exe
2824	DEM9953.exe
1380	DEMEEC2.exe

Loads dropped DLL 6 IoCs

pid	Process
2864	1022f0ec1785708d916e46ed9b50388f.exe
2768	DEM426D.exe
3056	DEM9869.exe
3036	DEMEDA9.exe
1588	DEM43B4.exe
2824	DEM9953.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2768	2864	1022f0ec1785708d916e46ed9b50388f.exe	29
PID 2864 wrote to memory of 2768	2864	1022f0ec1785708d916e46ed9b50388f.exe	29
PID 2864 wrote to memory of 2768	2864	1022f0ec1785708d916e46ed9b50388f.exe	29
PID 2864 wrote to memory of 2768	2864	1022f0ec1785708d916e46ed9b50388f.exe	29
PID 2768 wrote to memory of 3056	2768	DEM426D.exe	33
PID 2768 wrote to memory of 3056	2768	DEM426D.exe	33
PID 2768 wrote to memory of 3056	2768	DEM426D.exe	33
PID 2768 wrote to memory of 3056	2768	DEM426D.exe	33
PID 3056 wrote to memory of 3036	3056	DEM9869.exe	35
PID 3056 wrote to memory of 3036	3056	DEM9869.exe	35
PID 3056 wrote to memory of 3036	3056	DEM9869.exe	35
PID 3056 wrote to memory of 3036	3056	DEM9869.exe	35
PID 3036 wrote to memory of 1588	3036	DEMEDA9.exe	37
PID 3036 wrote to memory of 1588	3036	DEMEDA9.exe	37
PID 3036 wrote to memory of 1588	3036	DEMEDA9.exe	37
PID 3036 wrote to memory of 1588	3036	DEMEDA9.exe	37
PID 1588 wrote to memory of 2824	1588	DEM43B4.exe	39
PID 1588 wrote to memory of 2824	1588	DEM43B4.exe	39
PID 1588 wrote to memory of 2824	1588	DEM43B4.exe	39
PID 1588 wrote to memory of 2824	1588	DEM43B4.exe	39
PID 2824 wrote to memory of 1380	2824	DEM9953.exe	41
PID 2824 wrote to memory of 1380	2824	DEM9953.exe	41
PID 2824 wrote to memory of 1380	2824	DEM9953.exe	41
PID 2824 wrote to memory of 1380	2824	DEM9953.exe	41

C:\Users\Admin\AppData\Local\Temp\1022f0ec1785708d916e46ed9b50388f.exe
"C:\Users\Admin\AppData\Local\Temp\1022f0ec1785708d916e46ed9b50388f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\DEM426D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM426D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\DEM9869.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9869.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\DEMEDA9.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEDA9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\DEM43B4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM43B4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\DEM9953.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9953.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\DEMEEC2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEEC2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM426D.exe

Filesize
14KB

MD5
cd91ac421c8e0e9a459bf4cbf3c64383

SHA1
beba7791eee19a5d5623498bbd542c30cd8f8e14

SHA256
377e17996a3e454e831db0395957b9b2cd9ba640d1b4ee66015c6719a92e51b3

SHA512
743441ae48ea02ae212e10bb31e8725952fcb1bac8ef0176a884c1a178e0ef66c6485d129e90bca38248de7897e652cd416b78556901d0574fd998d9dd3ff938

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM43B4.exe

Filesize
14KB

MD5
d31ed3bb3909e7aad019e589220a839b

SHA1
35a58181d839c1659ac2495e70884e98f80aa3b1

SHA256
cb144b35559e1c27d645d5ce1372162b46171789695667a60e1eae531eee26b7

SHA512
5e43344cfdf03aa76c445bfe301eedc6b72e3a87b1d29643fc9ad0d70152e4b89aeb692814f331f8701badf8abe8a831ca3bbc0e3e07ff37f8866fa3a9e68683

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9869.exe

Filesize
14KB

MD5
e268888cef37f2de471ae2c66ec82075

SHA1
edc9b804d5bb5ebaecec6af7ad01b0109400055c

SHA256
478123ef2023fcb88337625b3158e6f084a78ad65fcaed1c5b8b55d0419b1711

SHA512
07042ec133511e6d9aba0ef3edcf2af94a6e1176af97f8585e94d10b4452a9538cd9afe14cd64f7587de8894a6a3c9221e898553d5c4c0ce4a8280b92b5b4d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9953.exe

Filesize
14KB

MD5
0aefed22034a1c86ef8c0b763b640ae8

SHA1
5ee6bd01c8f7744fae2631a937a04a26142f1103

SHA256
e281f668576d03581ca041b5bd7c38ebae890289c88272d50f855702c64ea23e

SHA512
bcec35c507a553473df731974b3c528667b80e2e11ea97c11aa1910060891b2d5d63ccdfb644c4c3cb0142da3e36a1a39552966866531f0a86db7ae8780b483b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEEC2.exe

Filesize
14KB

MD5
fec418ea0de0514fafb44cbe3c627c75

SHA1
03808e6572d2fe9185c96a55048a69662e008e3a

SHA256
11837a3ec62588bb76a3fb07b65e9adaa8c9df8cf498411ca706aa47e1c973a4

SHA512
60cdec090b3b0884d2d9bc65d3b198c3acebb1f985fa37dbcc9c602d8e3b831c2d2ecf1d3dcb4a9d0f0e004e39f616f7261468cfc3444f4bbc48e625d37f11d1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEDA9.exe

Filesize
14KB

MD5
3e807163f7cf9ee868279d60164f20e6

SHA1
65dde2dd6af15a0352da9bb7d06d14b3d74902d2

SHA256
27ddb7c294183d4fffa47958bff55e70bdf81741a548be478ece1fec4022ba30

SHA512
1ab582620857413fdf20ece458ed7d09a549c63a6ab3c66ebac1e1a2783a43c371a81e2fbc73cc76cbad505ae71d109e75b24311369fe1a3ff4757aad075c999

Download Submit

Analysis

Sharing