fcdf2f92179382dbbe8d02f28f8dc520b08e3a299fcc5f65d62bc5f20ba53dca

General

Target

06a2b39ea16acd98c0ef84e4f2531ef6.exe
Size

15KB
MD5

06a2b39ea16acd98c0ef84e4f2531ef6
SHA1

c30fe36d72a70ef0996497519d34fc907ed5d544
SHA256

fcdf2f92179382dbbe8d02f28f8dc520b08e3a299fcc5f65d62bc5f20ba53dca
SHA512

800692e9a655a53973a2995de383d5afb2e4e5fe9e5d269f2106f6e61a77fae2f42d0da25e1e11525ea1d80ccb473a4696fd9235e5b8204522720128d080e4e4
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4u:hDXWipuE+K3/SSHgxmL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2356	DEM3514.exe
2580	DEM8B4F.exe
2976	DEME1B8.exe
1864	DEM3801.exe
268	DEM8E5B.exe
2164	DEME466.exe

Loads dropped DLL 6 IoCs

pid	Process
2204	06a2b39ea16acd98c0ef84e4f2531ef6.exe
2356	DEM3514.exe
2580	DEM8B4F.exe
2976	DEME1B8.exe
1864	DEM3801.exe
268	DEM8E5B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2356	2204	06a2b39ea16acd98c0ef84e4f2531ef6.exe	29
PID 2204 wrote to memory of 2356	2204	06a2b39ea16acd98c0ef84e4f2531ef6.exe	29
PID 2204 wrote to memory of 2356	2204	06a2b39ea16acd98c0ef84e4f2531ef6.exe	29
PID 2204 wrote to memory of 2356	2204	06a2b39ea16acd98c0ef84e4f2531ef6.exe	29
PID 2356 wrote to memory of 2580	2356	DEM3514.exe	33
PID 2356 wrote to memory of 2580	2356	DEM3514.exe	33
PID 2356 wrote to memory of 2580	2356	DEM3514.exe	33
PID 2356 wrote to memory of 2580	2356	DEM3514.exe	33
PID 2580 wrote to memory of 2976	2580	DEM8B4F.exe	35
PID 2580 wrote to memory of 2976	2580	DEM8B4F.exe	35
PID 2580 wrote to memory of 2976	2580	DEM8B4F.exe	35
PID 2580 wrote to memory of 2976	2580	DEM8B4F.exe	35
PID 2976 wrote to memory of 1864	2976	DEME1B8.exe	37
PID 2976 wrote to memory of 1864	2976	DEME1B8.exe	37
PID 2976 wrote to memory of 1864	2976	DEME1B8.exe	37
PID 2976 wrote to memory of 1864	2976	DEME1B8.exe	37
PID 1864 wrote to memory of 268	1864	DEM3801.exe	39
PID 1864 wrote to memory of 268	1864	DEM3801.exe	39
PID 1864 wrote to memory of 268	1864	DEM3801.exe	39
PID 1864 wrote to memory of 268	1864	DEM3801.exe	39
PID 268 wrote to memory of 2164	268	DEM8E5B.exe	41
PID 268 wrote to memory of 2164	268	DEM8E5B.exe	41
PID 268 wrote to memory of 2164	268	DEM8E5B.exe	41
PID 268 wrote to memory of 2164	268	DEM8E5B.exe	41

C:\Users\Admin\AppData\Local\Temp\06a2b39ea16acd98c0ef84e4f2531ef6.exe
"C:\Users\Admin\AppData\Local\Temp\06a2b39ea16acd98c0ef84e4f2531ef6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\DEM3514.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3514.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\DEM8B4F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8B4F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\DEME1B8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME1B8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\DEM3801.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3801.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\DEM8E5B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E5B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\DEME466.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME466.exe"
        7⤵
        Executes dropped EXE
        
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8B4F.exe

Filesize
15KB

MD5
4c1a4cd41df76ed6d638f3cbdc6b42d9

SHA1
29ce15e63e96f2baae5ed28fc78ba8f598ccff56

SHA256
4c58f7958472ea18f3b7a236cd4fb99562fb22d8b6ba2d78b52975892d91a947

SHA512
4d8efa8bfa932bc28645d43f5e78da265b9df66f48c71277bfac44dfb036216290d9775902ae8f60b164e8512b29aefc282553847eb49ef60b8dbc8bc4127b7a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3514.exe

Filesize
15KB

MD5
595fe53e8a9de5bfd6c2048336a2d265

SHA1
4c4c7341025df0fa04ffa59fb573b8c20eae623e

SHA256
1b49fdcb7fdd5ef569026c5518fdfecfc935e31bb02225414c50e892d6a0f011

SHA512
49135b22b8b3406957d470ed966ead62fe37338cc56b3996582ab1db80055d7dca174d15f0d0ce3f15d798637a9fff08f8b314830bb8bb59cbda6384ebdea229

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3801.exe

Filesize
15KB

MD5
6fa59a6aec7f75b1205993f2e4ba9019

SHA1
06cc1d3d2386248edc642d9213781d5e3de46d2e

SHA256
567156dbbb20e3872dce44aabe206cb2e160beaaf98a228bd36f993008b6f238

SHA512
ad9ef530cecd0a8f38efad6f2ea3fcb32891e4c644f6be38e5d85a8b39bdc704e28ddc2cbc0b6a2f766241bfb37f247af0c32050b4b3627db878eb68f2eb53f3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E5B.exe

Filesize
15KB

MD5
376a3c4a61b12060b384ca3f8fa84256

SHA1
945c9db26bfea1b4d1e0f7a9147ffbd558c14ad4

SHA256
17c64752f71655487bb1571a595d37ec2466d00c97cc4e0adfbe734c78048b3a

SHA512
c23b63413292fa5d33d9ac998caa1ac162211c7db9701bc9d356e35977cc6e996875acc64bd02356423d49b16e8c09af47c3d0d1fb3ef3de64ae2be42802ae7b

Download Submit
\Users\Admin\AppData\Local\Temp\DEME1B8.exe

Filesize
15KB

MD5
02d5f8f4dce0b9e36d3d104af466a4d4

SHA1
6175f76298691dacaaaf57ec76928120f600659e

SHA256
d4147a03f3b678c23309a620cd325291be1e6327340318cffc3ab2b176c97718

SHA512
f11d0ee1ad41b9337a8ac4e9d0a0b2d4c418fe7495d975aad8dc908ae5cbcab86ade8ccde3fa6453b90c10622017194800b5e66ddcdffbee39e56cb828e4a25d

Download Submit
\Users\Admin\AppData\Local\Temp\DEME466.exe

Filesize
15KB

MD5
704390b48059861c683c36a9b3859248

SHA1
37e71fe530dfb996d63c89482e37bc26663844c8

SHA256
e8910644607f583221f1aea647f194ce15d0d8feaabb9a8206bc1cf70f5bddb3

SHA512
c67f5e531edce5c0615fe7d83e7d944553090883603325a65849fe6ca6da365154965c780583f474a6fd094e4088234bc5d38e3efdd364fd09062eca138ee462

Download Submit

Analysis

Sharing