8503a815750e8c472a91702cc973cd8738770907f2550e9f8c93864f1ea17d63

General

Target

07c9b6a53e1cc7566c675ff938b96608.exe
Size

16KB
MD5

07c9b6a53e1cc7566c675ff938b96608
SHA1

3c732370a1fdecd50de4158fe60dd66b0b54a65b
SHA256

8503a815750e8c472a91702cc973cd8738770907f2550e9f8c93864f1ea17d63
SHA512

e9839f415e5ee5002d0317be9e2f1e923031b48373aad92692e0d6e295fb920620515c41bb59f14f0ad4d3839ff0b6db3fd85768098c82c32577bfc5482ceb22
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxmvC:hDXWipuE+K3/SSHgxmH+C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2684	DEM9702.exe
2576	DEMEE26.exe
1320	DEM44FC.exe
1964	DEM9C5F.exe
2512	DEMF354.exe
2348	DEM4A1A.exe

Loads dropped DLL 6 IoCs

pid	Process
2640	07c9b6a53e1cc7566c675ff938b96608.exe
2684	DEM9702.exe
2576	DEMEE26.exe
1320	DEM44FC.exe
1964	DEM9C5F.exe
2512	DEMF354.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2684	2640	07c9b6a53e1cc7566c675ff938b96608.exe	31
PID 2640 wrote to memory of 2684	2640	07c9b6a53e1cc7566c675ff938b96608.exe	31
PID 2640 wrote to memory of 2684	2640	07c9b6a53e1cc7566c675ff938b96608.exe	31
PID 2640 wrote to memory of 2684	2640	07c9b6a53e1cc7566c675ff938b96608.exe	31
PID 2684 wrote to memory of 2576	2684	DEM9702.exe	33
PID 2684 wrote to memory of 2576	2684	DEM9702.exe	33
PID 2684 wrote to memory of 2576	2684	DEM9702.exe	33
PID 2684 wrote to memory of 2576	2684	DEM9702.exe	33
PID 2576 wrote to memory of 1320	2576	DEMEE26.exe	35
PID 2576 wrote to memory of 1320	2576	DEMEE26.exe	35
PID 2576 wrote to memory of 1320	2576	DEMEE26.exe	35
PID 2576 wrote to memory of 1320	2576	DEMEE26.exe	35
PID 1320 wrote to memory of 1964	1320	DEM44FC.exe	37
PID 1320 wrote to memory of 1964	1320	DEM44FC.exe	37
PID 1320 wrote to memory of 1964	1320	DEM44FC.exe	37
PID 1320 wrote to memory of 1964	1320	DEM44FC.exe	37
PID 1964 wrote to memory of 2512	1964	DEM9C5F.exe	40
PID 1964 wrote to memory of 2512	1964	DEM9C5F.exe	40
PID 1964 wrote to memory of 2512	1964	DEM9C5F.exe	40
PID 1964 wrote to memory of 2512	1964	DEM9C5F.exe	40
PID 2512 wrote to memory of 2348	2512	DEMF354.exe	41
PID 2512 wrote to memory of 2348	2512	DEMF354.exe	41
PID 2512 wrote to memory of 2348	2512	DEMF354.exe	41
PID 2512 wrote to memory of 2348	2512	DEMF354.exe	41

C:\Users\Admin\AppData\Local\Temp\07c9b6a53e1cc7566c675ff938b96608.exe
"C:\Users\Admin\AppData\Local\Temp\07c9b6a53e1cc7566c675ff938b96608.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\DEM9702.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9702.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\DEMEE26.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMEE26.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\DEM44FC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM44FC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\DEM9C5F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9C5F.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\DEMF354.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF354.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\DEM4A1A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4A1A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMEE26.exe

Filesize
16KB

MD5
37bdaee498e23de6bddb30cbb77b5920

SHA1
88d4eb7da4c3dfdeae05c055f53fa838bb6c3c9d

SHA256
ee930b01524e5258d1df515b5380169690ee9bb739d7b70c27c8384be3297a92

SHA512
c808973e92b39a0869a6225ec6d504086fbb56bef254ea9f655d1aaec3939f38c3921ef6a79e35c9a30f41ea8e50ebc28f6e11356b89fa454af195573cdd00cf

Download Submit
\Users\Admin\AppData\Local\Temp\DEM44FC.exe

Filesize
16KB

MD5
78a6c86acf51eb7f56bfce4100643bf0

SHA1
e80422e6c6b9d1b0cc4aa4c5e2b9db4391c0dc74

SHA256
7f247810760863df610b1f1524cfdb60bdc28af1ca77c04ccd77e5195b7fdd45

SHA512
53d26a08cfa0266fa1b616e8a04a5edf60278ba22de0e4a36665136350665d6d3e802130ceeb44f0eceefe4e78fc707583d7d3a76e941d452b5ed0baf873841f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4A1A.exe

Filesize
16KB

MD5
f4562a9c17685b62d16fe030d027d0c5

SHA1
8c9f1c50334c9f934e98c7cf83381c724e3f6d11

SHA256
82b1b77ba211043f1671544ebd59bc3e610d16b46af53ee1d726256900b191f7

SHA512
5758b8ccb7a6f6e1735bf8744efd77b0fcfe70b83ff47528f13212fffc50d2de21be2e25488a14901d022c42ef60917c40e55db53f378df9f4063963e7ff59b0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9702.exe

Filesize
16KB

MD5
6cdbee6e848b2a5b05d5d41e4904a902

SHA1
2b5cc8179313cc51156ff422a9c75450978a6efb

SHA256
1e052454ec327bf0010a25351e9238ebe64ac810fa2194cc3ab2fbf18b40c69a

SHA512
adeaab5a76e673dea90e3d9417d1e36f313cdd58e83e851aa6c037b94306f2872bc141d1a8b1691d01b8831a59a56f88256993ee8857f4dfb2272b5b949ada43

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9C5F.exe

Filesize
16KB

MD5
8696262880afe9ce516819ddfbcd6e0c

SHA1
87d603439d8d096255873d28daa89952050b251c

SHA256
44fe18d245891f422544ddc5e311f6736d9083f992e480a8985cb69beb583cdc

SHA512
c63dca5381852570d5f60ae362dd5e031f8b07547e8d3202db91817589296fbbc9cddf0a3f85e4d7c955b676b3cb669102db9c6e620596c65af97b380514ec77

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF354.exe

Filesize
16KB

MD5
1f756b8c1ac1963b45b71b5113213356

SHA1
1fefafaa27b552d53fe30ce4554ae5229fe76af2

SHA256
77fb0dfa831430dcef204b5ca5a95289dd218cd752af41a673ba988ee37753cb

SHA512
ff534ba0171ae7000c9f1953d1b6027a9a784ce4d50ee839b184b1e099c4e04de9e1b01663ddeacff1085cb8fbe57443ccc4edbc4afa67e047a604b8a190d3ed

Download Submit

Analysis

Sharing