c206c27c19af02e67c8d5adebea5755abcd78ef965354c7a72b41b7c02446203

General

Target

0870232c011e01b83b8f00ad3b632214.exe
Size

14KB
MD5

0870232c011e01b83b8f00ad3b632214
SHA1

305cebd3ead3da6ae09d858821ae42130dd1a6c1
SHA256

c206c27c19af02e67c8d5adebea5755abcd78ef965354c7a72b41b7c02446203
SHA512

9c257b0d162cae7113ce0cd08b6934cac3f651c7746d6d2376818d625be3c027e9e188d1d64e6b7363cd6f2c6076fa72698ca8ce0f83df33f13215b81cdb1a0a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZXdHHud:hDXWipuE+K3/SSHgx3NHH2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2808	DEMACA.exe
2644	DEM6133.exe
2772	DEMB654.exe
1692	DEMBD3.exe
3064	DEM6134.exe
2064	DEMB673.exe

Loads dropped DLL 6 IoCs

pid	Process
2488	0870232c011e01b83b8f00ad3b632214.exe
2808	DEMACA.exe
2644	DEM6133.exe
2772	DEMB654.exe
1692	DEMBD3.exe
3064	DEM6134.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2808	2488	0870232c011e01b83b8f00ad3b632214.exe	29
PID 2488 wrote to memory of 2808	2488	0870232c011e01b83b8f00ad3b632214.exe	29
PID 2488 wrote to memory of 2808	2488	0870232c011e01b83b8f00ad3b632214.exe	29
PID 2488 wrote to memory of 2808	2488	0870232c011e01b83b8f00ad3b632214.exe	29
PID 2808 wrote to memory of 2644	2808	DEMACA.exe	31
PID 2808 wrote to memory of 2644	2808	DEMACA.exe	31
PID 2808 wrote to memory of 2644	2808	DEMACA.exe	31
PID 2808 wrote to memory of 2644	2808	DEMACA.exe	31
PID 2644 wrote to memory of 2772	2644	DEM6133.exe	35
PID 2644 wrote to memory of 2772	2644	DEM6133.exe	35
PID 2644 wrote to memory of 2772	2644	DEM6133.exe	35
PID 2644 wrote to memory of 2772	2644	DEM6133.exe	35
PID 2772 wrote to memory of 1692	2772	DEMB654.exe	38
PID 2772 wrote to memory of 1692	2772	DEMB654.exe	38
PID 2772 wrote to memory of 1692	2772	DEMB654.exe	38
PID 2772 wrote to memory of 1692	2772	DEMB654.exe	38
PID 1692 wrote to memory of 3064	1692	DEMBD3.exe	40
PID 1692 wrote to memory of 3064	1692	DEMBD3.exe	40
PID 1692 wrote to memory of 3064	1692	DEMBD3.exe	40
PID 1692 wrote to memory of 3064	1692	DEMBD3.exe	40
PID 3064 wrote to memory of 2064	3064	DEM6134.exe	41
PID 3064 wrote to memory of 2064	3064	DEM6134.exe	41
PID 3064 wrote to memory of 2064	3064	DEM6134.exe	41
PID 3064 wrote to memory of 2064	3064	DEM6134.exe	41

C:\Users\Admin\AppData\Local\Temp\0870232c011e01b83b8f00ad3b632214.exe
"C:\Users\Admin\AppData\Local\Temp\0870232c011e01b83b8f00ad3b632214.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\DEMACA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMACA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\DEM6133.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6133.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\DEMB654.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB654.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\DEMBD3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBD3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\DEM6134.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6134.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\DEMB673.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB673.exe"
        7⤵
        Executes dropped EXE
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6133.exe

Filesize
14KB

MD5
f3aad624ceabeb8799c942c5ffe35ac0

SHA1
ae30ae65f2b0398fc68c4e2829948df209850fb6

SHA256
7124d2b53d6bd582707eb782b2ff82f50f5099677ef3df780f5885409dc5f828

SHA512
26f3f1a93f6416feed1a03fecf2500b3b40b4abb3730f6710f5369df8f637f6875e117391b5458c7a392c144dcaca2e3841d0dd50f7b5a9b5599b70835a0c92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6134.exe

Filesize
14KB

MD5
0aa11eac4027c8260a45c169a11b316b

SHA1
648496f6423360a1ff7466137b3249ca524045ec

SHA256
8bbda8b39f0573d95a2822fe1645367649019bce04f924f0a28e8c14690b77e3

SHA512
0c8e9103f5c524fb9c9d3aedcdcc5f899585e2e7de03fba75fcb3563f665003d9968445aa1c3e0173f6b8b791aaa9f4c5343fbea529e8be70baf63960a3d991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMACA.exe

Filesize
14KB

MD5
8b29f11ce9e4760737c70b32350b3a64

SHA1
596558d9cb5b8084bfd00eba3e3b46d8fc548732

SHA256
23df47ec0b156271bba90e04fd57446ec187158ccc7f970067a844a76c18dcd5

SHA512
b8be350fec4d7ae5025a35303e77f7bf15b0dcf59179c559c00a56a465bf359c6c3f904065cc0b14b20c2fdda1570129155372f1e837d6f2af1748a5359d4ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBD3.exe

Filesize
14KB

MD5
a06fbe414c75d5284336094b41787009

SHA1
19dd91f635b4beb84e7f0d80ec2f632e7fd700ef

SHA256
6de8c9a74bc7c5b898aeca5acc6aa856fa050fd927954f21fac8ef251d48c1c3

SHA512
c3c81d4f59e65b673d2a83a6d40387c8ec33bb64665d277d1bd43e54fb132c34664288c764bee9026bab076af1bf1fa350bcc4309c1d05ded5ec5d9f5af5d0ef

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB654.exe

Filesize
14KB

MD5
e0b6e89bd3d7f3e29bbe9ac8426b3059

SHA1
737d7b209c63f20f2da288049a148a82b638f07d

SHA256
e14f4ed3212a3e47a127e0f8823a72e53019cfdd46ec776bea1bb3fd592d1dd8

SHA512
e8da748fb661dbddd80e81bff83ab8bec3331b7da0dbff8d187a6a7f23d677147c2437fb43a73b918d6625039f8a4ba25ce20b3b1287407f783d56e9a3cbdb5f

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB673.exe

Filesize
14KB

MD5
04a0b358e14ec84a0f0a3fd3af0d9fc9

SHA1
6e120767cc8956a3e425b6835db9d804825adde9

SHA256
cd28bca7f3cab8ff187d57f3f7b99a2f5c0c8851e5004c421334509bfe792159

SHA512
d73f55b6a417740ad115e99ea2cdad3da47507bcd33bfc038aef63302d01fa7a300a3723b5f96bf42153998fa4327d3a1f960cb43884ff29f970801f1aa8ab9c

Download Submit

Analysis

Sharing