adf80fc1c5840816b44bf27df044752a1fb379dca481f68929edec80b6890ed0

General

Target

08efed39d15b1a9ce312dcc735a22c56.exe
Size

16KB
MD5

08efed39d15b1a9ce312dcc735a22c56
SHA1

56a381fcd2ad1fddbcc02a7734e7f33ffd34b996
SHA256

adf80fc1c5840816b44bf27df044752a1fb379dca481f68929edec80b6890ed0
SHA512

d2fa09af1f5b5ccc84d801b3ac2df815b1054dfbf697cb42e4f9e29c3c78660d6b5f510289deba812203ba601620f5253236beee7cd9638b97f6bdb0623e6c25
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY+YV:hDXWipuE+K3/SSHgxm+4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1196	DEM7AE.exe
2896	DEM5D1E.exe
2088	DEMB27D.exe
1312	DEM7FC.exe
1572	DEM5CDF.exe
1308	DEMB1E1.exe

Loads dropped DLL 6 IoCs

pid	Process
2396	08efed39d15b1a9ce312dcc735a22c56.exe
1196	DEM7AE.exe
2896	DEM5D1E.exe
2088	DEMB27D.exe
1312	DEM7FC.exe
1572	DEM5CDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1196	2396	08efed39d15b1a9ce312dcc735a22c56.exe	29
PID 2396 wrote to memory of 1196	2396	08efed39d15b1a9ce312dcc735a22c56.exe	29
PID 2396 wrote to memory of 1196	2396	08efed39d15b1a9ce312dcc735a22c56.exe	29
PID 2396 wrote to memory of 1196	2396	08efed39d15b1a9ce312dcc735a22c56.exe	29
PID 1196 wrote to memory of 2896	1196	DEM7AE.exe	31
PID 1196 wrote to memory of 2896	1196	DEM7AE.exe	31
PID 1196 wrote to memory of 2896	1196	DEM7AE.exe	31
PID 1196 wrote to memory of 2896	1196	DEM7AE.exe	31
PID 2896 wrote to memory of 2088	2896	DEM5D1E.exe	35
PID 2896 wrote to memory of 2088	2896	DEM5D1E.exe	35
PID 2896 wrote to memory of 2088	2896	DEM5D1E.exe	35
PID 2896 wrote to memory of 2088	2896	DEM5D1E.exe	35
PID 2088 wrote to memory of 1312	2088	DEMB27D.exe	38
PID 2088 wrote to memory of 1312	2088	DEMB27D.exe	38
PID 2088 wrote to memory of 1312	2088	DEMB27D.exe	38
PID 2088 wrote to memory of 1312	2088	DEMB27D.exe	38
PID 1312 wrote to memory of 1572	1312	DEM7FC.exe	40
PID 1312 wrote to memory of 1572	1312	DEM7FC.exe	40
PID 1312 wrote to memory of 1572	1312	DEM7FC.exe	40
PID 1312 wrote to memory of 1572	1312	DEM7FC.exe	40
PID 1572 wrote to memory of 1308	1572	DEM5CDF.exe	42
PID 1572 wrote to memory of 1308	1572	DEM5CDF.exe	42
PID 1572 wrote to memory of 1308	1572	DEM5CDF.exe	42
PID 1572 wrote to memory of 1308	1572	DEM5CDF.exe	42

C:\Users\Admin\AppData\Local\Temp\08efed39d15b1a9ce312dcc735a22c56.exe
"C:\Users\Admin\AppData\Local\Temp\08efed39d15b1a9ce312dcc735a22c56.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\DEM7AE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7AE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\DEM5D1E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5D1E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\DEMB27D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB27D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\DEMB1E1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB1E1.exe"
        7⤵
        Executes dropped EXE
        
        PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe

Filesize
16KB

MD5
9d51fc2f6bed3a07d0ba1b288c22d504

SHA1
b94f13b312886394fb0a9890da1d3aaf7401f66d

SHA256
705bb47e34f409ada0ef1e366f939533586a280b5b19f382ce0d369b46c1ddf5

SHA512
2e2300d6e230afbe9abc0eb7486f0759af5b67c0d212355b993067824d0db4b2f8add75634a9cc349d157aed120cda13662c7cf82cca57bda6a4178433e9ab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5D1E.exe

Filesize
16KB

MD5
786f88e7c8915f3ac71760aaa441e8bf

SHA1
788e7ba56f4c883a0505d3bdd97f196304ee48ac

SHA256
a796ae13a842cf90f1ca274ed9a7208192b2ec216129a61edbdaadfaae8e6019

SHA512
9aab82f77b299fc3132c1ccf41fc847eb2d5480f66c69479baa66870ffc736b72e59dfb92d4d95b433208d85830a6650b99dded2a1941f3acf43188641c11d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe

Filesize
16KB

MD5
d61897c476e50ae3135fbfd8bb6ca89b

SHA1
43e08d2b01b4ad62395fbb6a21dd51bc779efd53

SHA256
a6ade69a71d577e3aa3a2e2a3044988558b978f6f2561846e0d7313fc4781b5e

SHA512
afabb429e631b1a8d8029add06eb45fa8f34fbb32df34a2f126e01b56088701f017ed148e638512010c49463ec37df143942849fbcaa6456d923f71da429a8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB1E1.exe

Filesize
16KB

MD5
ff403b4f77b8aa001a98a648cfeab6c5

SHA1
4f1b88da3fd34a0c895eea0bea123c93894a0b9e

SHA256
f5993ce8665c412fddfb8dc435c704eeea4bba2fe5284432b347e9d6e9b88796

SHA512
18193b160958b414c836a91547a36139f9212c070feed8185c31a8530fd830b45d20743880aa5123db081dcabec04864d6a74f0dceba684fbfe58cc802f678f1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7AE.exe

Filesize
16KB

MD5
8c9f0982066cdf5f67f81338eb0c4875

SHA1
522c390750b55475f890e05201278bb7e6fdb536

SHA256
a8031bed14697ba5ae7cc9749115826063da489c2c34509753b31df4f14907b8

SHA512
e821884fdef2400cc1daad97ec7c5384e5c8f2a549c739d338a88f50749609de7613bce6af853b5b1ee7dbb0ebba2cca761072ae4a250987d217fdd89df7520a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB27D.exe

Filesize
16KB

MD5
1650e8c1a273c5777685c3b89ecbdcb2

SHA1
45c755ad80eca3307d8f0de339c3252877eeb7a1

SHA256
a016df983eee392a20b20c8157cc205f938b980374d5efac1e87cc35c945b47f

SHA512
c4bd8617626268499b6896fcfca1c38ee6bc164ba35f7514d54b6477019fbddaae3cfc3882043ae1f282069c523ab6847c2d0deeb20f9c747dd7aa674e82e6b0

Download Submit

Analysis

Sharing