Analysis
max time kernel: 135s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 19/12/2023, 10:32
Static task: static1
Behavioral task: behavioral1
  Sample: 07c9b6a53e1cc7566c675ff938b96608.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 07c9b6a53e1cc7566c675ff938b96608.exe
  Resource: win10v2004-20231215-en
General
Target: 07c9b6a53e1cc7566c675ff938b96608.exe
Size: 16KB
MD5: 07c9b6a53e1cc7566c675ff938b96608
SHA1: 3c732370a1fdecd50de4158fe60dd66b0b54a65b
SHA256: 8503a815750e8c472a91702cc973cd8738770907f2550e9f8c93864f1ea17d63
SHA512: e9839f415e5ee5002d0317be9e2f1e923031b48373aad92692e0d6e295fb920620515c41bb59f14f0ad4d3839ff0b6db3fd85768098c82c32577bfc5482ceb22
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxmvC:hDXWipuE+K3/SSHgxmH+C
Malware Config
Signatures

- Executes dropped EXE (6 IoCs)
  PID   Process
  2684  DEM9702.exe
  2576  DEMEE26.exe
  1320  DEM44FC.exe
  1964  DEM9C5F.exe
  2512  DEMF354.exe
  2348  DEM4A1A.exe

- Loads dropped DLL (6 IoCs)
  PID   Process
  2640  07c9b6a53e1cc7566c675ff938b96608.exe
  2684  DEM9702.exe
  2576  DEMEE26.exe
  1320  DEM44FC.exe
  1964  DEM9C5F.exe
  2512  DEMF354.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (24 IoCs)
  The report records each of the six parent-to-child writes four times (24 rows in total); the distinct rows are:
  Description                        PID   Process                                procid_target
  PID 2640 wrote to memory of 2684   2640  07c9b6a53e1cc7566c675ff938b96608.exe   31
  PID 2684 wrote to memory of 2576   2684  DEM9702.exe                            33
  PID 2576 wrote to memory of 1320   2576  DEMEE26.exe                            35
  PID 1320 wrote to memory of 1964   1320  DEM44FC.exe                            37
  PID 1964 wrote to memory of 2512   1964  DEM9C5F.exe                            40
  PID 2512 wrote to memory of 2348   2512  DEMF354.exe                            41
Processes

C:\Users\Admin\AppData\Local\Temp\07c9b6a53e1cc7566c675ff938b96608.exe (PID 2640, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\07c9b6a53e1cc7566c675ff938b96608.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DEM9702.exe (PID 2684, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM9702.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DEMEE26.exe (PID 2576, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\DEMEE26.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\DEM44FC.exe (PID 1320, depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\DEM44FC.exe"
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\DEM9C5F.exe (PID 1964, depth 5)
          command line: "C:\Users\Admin\AppData\Local\Temp\DEM9C5F.exe"
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\DEMF354.exe (PID 2512, depth 6)
            command line: "C:\Users\Admin\AppData\Local\Temp\DEMF354.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\DEM4A1A.exe (PID 2348, depth 7)
              command line: "C:\Users\Admin\AppData\Local\Temp\DEM4A1A.exe"
              signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 16KB
  MD5: 37bdaee498e23de6bddb30cbb77b5920
  SHA1: 88d4eb7da4c3dfdeae05c055f53fa838bb6c3c9d
  SHA256: ee930b01524e5258d1df515b5380169690ee9bb739d7b70c27c8384be3297a92
  SHA512: c808973e92b39a0869a6225ec6d504086fbb56bef254ea9f655d1aaec3939f38c3921ef6a79e35c9a30f41ea8e50ebc28f6e11356b89fa454af195573cdd00cf

- Filesize: 16KB
  MD5: 78a6c86acf51eb7f56bfce4100643bf0
  SHA1: e80422e6c6b9d1b0cc4aa4c5e2b9db4391c0dc74
  SHA256: 7f247810760863df610b1f1524cfdb60bdc28af1ca77c04ccd77e5195b7fdd45
  SHA512: 53d26a08cfa0266fa1b616e8a04a5edf60278ba22de0e4a36665136350665d6d3e802130ceeb44f0eceefe4e78fc707583d7d3a76e941d452b5ed0baf873841f

- Filesize: 16KB
  MD5: f4562a9c17685b62d16fe030d027d0c5
  SHA1: 8c9f1c50334c9f934e98c7cf83381c724e3f6d11
  SHA256: 82b1b77ba211043f1671544ebd59bc3e610d16b46af53ee1d726256900b191f7
  SHA512: 5758b8ccb7a6f6e1735bf8744efd77b0fcfe70b83ff47528f13212fffc50d2de21be2e25488a14901d022c42ef60917c40e55db53f378df9f4063963e7ff59b0

- Filesize: 16KB
  MD5: 6cdbee6e848b2a5b05d5d41e4904a902
  SHA1: 2b5cc8179313cc51156ff422a9c75450978a6efb
  SHA256: 1e052454ec327bf0010a25351e9238ebe64ac810fa2194cc3ab2fbf18b40c69a
  SHA512: adeaab5a76e673dea90e3d9417d1e36f313cdd58e83e851aa6c037b94306f2872bc141d1a8b1691d01b8831a59a56f88256993ee8857f4dfb2272b5b949ada43

- Filesize: 16KB
  MD5: 8696262880afe9ce516819ddfbcd6e0c
  SHA1: 87d603439d8d096255873d28daa89952050b251c
  SHA256: 44fe18d245891f422544ddc5e311f6736d9083f992e480a8985cb69beb583cdc
  SHA512: c63dca5381852570d5f60ae362dd5e031f8b07547e8d3202db91817589296fbbc9cddf0a3f85e4d7c955b676b3cb669102db9c6e620596c65af97b380514ec77

- Filesize: 16KB
  MD5: 1f756b8c1ac1963b45b71b5113213356
  SHA1: 1fefafaa27b552d53fe30ce4554ae5229fe76af2
  SHA256: 77fb0dfa831430dcef204b5ca5a95289dd218cd752af41a673ba988ee37753cb
  SHA512: ff534ba0171ae7000c9f1953d1b6027a9a784ce4d50ee839b184b1e099c4e04de9e1b01663ddeacff1085cb8fbe57443ccc4edbc4afa67e047a604b8a190d3ed
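Added example, not part of the sandbox report: a Python script that reconstructs the dropper lineage from the "Suspicious use of WriteProcessMemory" and "Executes dropped EXE" signature rows above, then checks the "Downloads" hashes for the pattern this report shows (every dropped file is 16KB and carries a different hash from the sample and from each other). The strings it parses are copied from this report and embedded as constructed input so it runs offline; the helper names, the DEM-plus-four-hex-digits naming check and the "one linear chain" rule are this example's own assumptions, not the sandbox's API or verdict.

```python
"""Rebuild the dropper chain from the sandbox report's flattened signature rows.

Added example, not the sandbox's own code. Every string below is copied from
the report's "Suspicious use of WriteProcessMemory", "Executes dropped EXE"
and "Downloads" sections and embedded as constructed input; helper names are
this example's own.
"""
import re

# One row per parent/child pair, as printed in the report. The report records
# each write four times (24 IoCs in total), reproduced the same way here.
UNIQUE_WPM_ROWS = [
    "PID 2640 wrote to memory of 2684 2640 07c9b6a53e1cc7566c675ff938b96608.exe 31",
    "PID 2684 wrote to memory of 2576 2684 DEM9702.exe 33",
    "PID 2576 wrote to memory of 1320 2576 DEMEE26.exe 35",
    "PID 1320 wrote to memory of 1964 1320 DEM44FC.exe 37",
    "PID 1964 wrote to memory of 2512 1964 DEM9C5F.exe 40",
    "PID 2512 wrote to memory of 2348 2512 DEMF354.exe 41",
]
WPM_SIGNATURE = " ".join(row for row in UNIQUE_WPM_ROWS for _ in range(4))

# "Executes dropped EXE" row: pid/process pairs of the six dropped binaries.
DROPPED_EXE_SIGNATURE = ("pid Process 2684 DEM9702.exe 2576 DEMEE26.exe "
                         "1320 DEM44FC.exe 1964 DEM9C5F.exe 2512 DEMF354.exe "
                         "2348 DEM4A1A.exe")

# MD5 of the submitted sample, then (size in KB, MD5) of the six "Downloads".
SAMPLE_MD5 = "07c9b6a53e1cc7566c675ff938b96608"
DROPPED_FILES = [
    (16, "37bdaee498e23de6bddb30cbb77b5920"),
    (16, "78a6c86acf51eb7f56bfce4100643bf0"),
    (16, "f4562a9c17685b62d16fe030d027d0c5"),
    (16, "6cdbee6e848b2a5b05d5d41e4904a902"),
    (16, "8696262880afe9ce516819ddfbcd6e0c"),
    (16, "1f756b8c1ac1963b45b71b5113213356"),
]

# Row layout: "PID <pid> wrote to memory of <target> <pid> <process> <procid_target>"
WPM_RE = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) "
    r"(?P<proc>\S+) (?P<procid>\d+)")
DROPPED_RE = re.compile(r"(\d+) (\S+\.exe)")


def parse_writes(signature):
    """Return the list of (parent_pid, parent_name, child_pid) events."""
    return [(int(m["pid"]), m["proc"], int(m["target"]))
            for m in WPM_RE.finditer(signature)]


def parse_dropped(signature):
    """Return {pid: name} for every process flagged as a dropped EXE."""
    return {int(pid): name for pid, name in DROPPED_RE.findall(signature)}


def build_chain(writes, dropped):
    """Walk parent -> child from the single pid that is never written to.

    Raises ValueError if the writes do not form one linear chain, or if a
    child pid is not one of the dropped executables.
    """
    children, names = {}, {}
    for parent, parent_name, child in writes:
        names[parent] = parent_name
        if children.setdefault(parent, child) != child:
            raise ValueError(f"pid {parent} writes to more than one child")
    roots = set(children) - set(children.values())
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {sorted(roots)}")
    pid = roots.pop()
    chain = [(pid, names[pid])]
    while pid in children:
        pid = children[pid]
        if pid not in dropped:
            raise ValueError(f"child pid {pid} is not a dropped EXE")
        chain.append((pid, dropped[pid]))
    return chain


def dropped_names_follow_pattern(chain):
    """True when every spawned child is named DEM + four hex digits + .exe (assumed pattern)."""
    return all(re.fullmatch(r"DEM[0-9A-F]{4}\.exe", name) for _, name in chain[1:])


def polymorphic_copies(sample_md5, files):
    """Return (all files same size, all hashes distinct from each other and the sample)."""
    sizes = {size for size, _ in files}
    hashes = [md5 for _, md5 in files]
    distinct = len(set(hashes)) == len(hashes) and sample_md5 not in hashes
    return len(sizes) == 1, distinct


if __name__ == "__main__":
    events = parse_writes(WPM_SIGNATURE)
    chain = build_chain(events, parse_dropped(DROPPED_EXE_SIGNATURE))
    print(f"{len(events)} WriteProcessMemory events, chain depth {len(chain)}")
    for depth, (pid, name) in enumerate(chain):
        print(f"{'  ' * depth}{name} (PID {pid})")
    print("DEMxxxx naming:", dropped_names_follow_pattern(chain))
    print("same size / distinct hashes:", polymorphic_copies(SAMPLE_MD5, DROPPED_FILES))
```

Run it as a script to print the seven-process chain from the submitted sample down to DEM4A1A.exe. The chain check deliberately refuses anything that is not a single parent-to-child line, so a report where one dropper spawns several children, or where a written-to pid never appears under "Executes dropped EXE", raises instead of silently producing a partial tree. The report does not say which download hash belongs to which DEM*.exe, so the script only checks the set of hashes and does not map them to process names.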