08be6b9bc700027968e80f46929394eac28b3e21afe2d9c86e1505600c97cac9

General

Target

08d2fcb56838727496e9925113567c7b.exe
Size

14KB
MD5

08d2fcb56838727496e9925113567c7b
SHA1

5a95ea74597ae7d314321390111040f410d83bee
SHA256

08be6b9bc700027968e80f46929394eac28b3e21afe2d9c86e1505600c97cac9
SHA512

5b1a853b5e57e8a13ba9eb7dbaecb492fed1683dfb6d7905533afe29081dea3f313cc6676b6f2d38a6723676da9208e525694f8a0181c4c0b403fbb4fc4f3fee
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhZeeIe:hDXWipuE+K3/SSHgx3eU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2288	DEME24.exe
2664	DEM6374.exe
2936	DEMB8C4.exe
356	DEME43.exe
1992	DEM63A3.exe
2608	DEMB98F.exe

Loads dropped DLL 6 IoCs

pid	Process
2584	08d2fcb56838727496e9925113567c7b.exe
2288	DEME24.exe
2664	DEM6374.exe
2936	DEMB8C4.exe
356	DEME43.exe
1992	DEM63A3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2288	2584	08d2fcb56838727496e9925113567c7b.exe	29
PID 2584 wrote to memory of 2288	2584	08d2fcb56838727496e9925113567c7b.exe	29
PID 2584 wrote to memory of 2288	2584	08d2fcb56838727496e9925113567c7b.exe	29
PID 2584 wrote to memory of 2288	2584	08d2fcb56838727496e9925113567c7b.exe	29
PID 2288 wrote to memory of 2664	2288	DEME24.exe	31
PID 2288 wrote to memory of 2664	2288	DEME24.exe	31
PID 2288 wrote to memory of 2664	2288	DEME24.exe	31
PID 2288 wrote to memory of 2664	2288	DEME24.exe	31
PID 2664 wrote to memory of 2936	2664	DEM6374.exe	35
PID 2664 wrote to memory of 2936	2664	DEM6374.exe	35
PID 2664 wrote to memory of 2936	2664	DEM6374.exe	35
PID 2664 wrote to memory of 2936	2664	DEM6374.exe	35
PID 2936 wrote to memory of 356	2936	DEMB8C4.exe	37
PID 2936 wrote to memory of 356	2936	DEMB8C4.exe	37
PID 2936 wrote to memory of 356	2936	DEMB8C4.exe	37
PID 2936 wrote to memory of 356	2936	DEMB8C4.exe	37
PID 356 wrote to memory of 1992	356	DEME43.exe	39
PID 356 wrote to memory of 1992	356	DEME43.exe	39
PID 356 wrote to memory of 1992	356	DEME43.exe	39
PID 356 wrote to memory of 1992	356	DEME43.exe	39
PID 1992 wrote to memory of 2608	1992	DEM63A3.exe	41
PID 1992 wrote to memory of 2608	1992	DEM63A3.exe	41
PID 1992 wrote to memory of 2608	1992	DEM63A3.exe	41
PID 1992 wrote to memory of 2608	1992	DEM63A3.exe	41

C:\Users\Admin\AppData\Local\Temp\08d2fcb56838727496e9925113567c7b.exe
"C:\Users\Admin\AppData\Local\Temp\08d2fcb56838727496e9925113567c7b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\DEME24.exe
  "C:\Users\Admin\AppData\Local\Temp\DEME24.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\DEM6374.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6374.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\DEMB8C4.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB8C4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\DEME43.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME43.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:356
      - C:\Users\Admin\AppData\Local\Temp\DEM63A3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM63A3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\DEMB98F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB98F.exe"
        7⤵
        Executes dropped EXE
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6374.exe

Filesize
14KB

MD5
1f353f85c0218e1f0959335844b6da1d

SHA1
55dbc5147b91ba5994546d0f62fa2e7d19c3a07e

SHA256
82b3a93a370ea44155d8af97ed5e15e5238af22167344a364b26280055c54216

SHA512
5861c3aba6237ffa8f531bc07a4d30c09cfef34dd423a90a457936540b522b460a6a5c75794b4c31c9a68d7cd635aec25af2fd13b0dabb1330b84b1f029d3fcc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM63A3.exe

Filesize
14KB

MD5
f46a8b2816ff4c1553fa09dbbccee4ad

SHA1
75496f60c5327bd251ac07f7d3d1d851d756ad43

SHA256
6ad17348f353c3a09458c97a30c7c96070f278b91a9b1412b5fb77f9a06bd454

SHA512
d8e45ea96829ebdc42b7bbc28b34231a465592d78eb5349fd604b84f34f90fa6a7bd4114df1ebb29db3ba92994f78b26f3513a1d05c8ff3e4867e51b755993e9

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB8C4.exe

Filesize
14KB

MD5
280d0793a668f0d635e901f04eb5864b

SHA1
e005c78edd6bed6f64c3f55af77d33613cd6204e

SHA256
ccd780b91119c6b64383ff862e461711cf51f0ed56695b6bcb12a7a2c5c69a24

SHA512
c88171fb92b1a85c08127a43b26938349d53589d33a5053d5c5ccacda787e415ecf983366aeba4f3a498b83dc23dc6831779b73e3d07bcdb3243b3b95d8b0dc6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB98F.exe

Filesize
14KB

MD5
be792d97b17e386435b76eb76be9cc7b

SHA1
f9c70179276f68834864b9da60749c2cc1aa0268

SHA256
23d23bf10c3e2b4e112f5959665ec239d3cb40971304711901851668d935a8d9

SHA512
e0dbfef785eaf5ebb7d6d0287ed93e20311f0b2ddc5ac4efba57e323f62aadab9bdf3324ce673d30bdb271a666d9a43157ba71014d842983744f27fccc025876

Download Submit
\Users\Admin\AppData\Local\Temp\DEME24.exe

Filesize
14KB

MD5
311b1087301b1b0f15309f810e1e9033

SHA1
e1fd61be157fe2518f5790f6e9eaef50623a3a84

SHA256
9969ab505a49c0765a9bbf75c380b88a1513574797953c6272c7141dd8a91a17

SHA512
226af60498970b7fd85aadaaf6a2d47eca50b8013b1f404348324c0dd9c5292d91f1b2913371d11bc5c2b89f3863656bd7a427038fe1c88861651850fe6a5bf8

Download Submit
\Users\Admin\AppData\Local\Temp\DEME43.exe

Filesize
14KB

MD5
2d9fa660fa61387af0cf6b59ddc76792

SHA1
43f0ded169b7d0a5a6eb2cba0a46cc9c3639ba7c

SHA256
b0c1dd58c69434d2780e0d043fc73c84172ecf35d5f8ed72a77e480ee0d26612

SHA512
ed87a278dee23a4e925bb4ca26b1e42d914b1b6307405ff8f0e029e2cf0d01366a351b287b337ea4517ff735612804f46b997992982018410c0068f29eb36fbc

Download Submit

Analysis

Sharing