5fd261ece267cc0a49414067714d01a72e151c7275396eb7c1eb2913c63eecba

General

Target

09b5855b4aa4879a05d027bb7cfba46e.exe
Size

14KB
MD5

09b5855b4aa4879a05d027bb7cfba46e
SHA1

3f873d16dcebaab8b9f183dfe06d0b1a9214c0c7
SHA256

5fd261ece267cc0a49414067714d01a72e151c7275396eb7c1eb2913c63eecba
SHA512

9298af07c5cd2e073e3eb98050a2b668e740348d3514c23e80e9bcd2f2572d477fe3ec6400d784291b171c47e866728ea58bc09eea764ee1f561441c8c01de24
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnz:hDXWipuE+K3/SSHgx/z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2744	DEM7677.exe
2404	DEMCCF0.exe
1492	DEM23A7.exe
2156	DEM7993.exe
1460	DEMCF41.exe
1648	DEM25D8.exe

Loads dropped DLL 6 IoCs

pid	Process
2932	09b5855b4aa4879a05d027bb7cfba46e.exe
2744	DEM7677.exe
2404	DEMCCF0.exe
1492	DEM23A7.exe
2156	DEM7993.exe
1460	DEMCF41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2744	2932	09b5855b4aa4879a05d027bb7cfba46e.exe	29
PID 2932 wrote to memory of 2744	2932	09b5855b4aa4879a05d027bb7cfba46e.exe	29
PID 2932 wrote to memory of 2744	2932	09b5855b4aa4879a05d027bb7cfba46e.exe	29
PID 2932 wrote to memory of 2744	2932	09b5855b4aa4879a05d027bb7cfba46e.exe	29
PID 2744 wrote to memory of 2404	2744	DEM7677.exe	33
PID 2744 wrote to memory of 2404	2744	DEM7677.exe	33
PID 2744 wrote to memory of 2404	2744	DEM7677.exe	33
PID 2744 wrote to memory of 2404	2744	DEM7677.exe	33
PID 2404 wrote to memory of 1492	2404	DEMCCF0.exe	35
PID 2404 wrote to memory of 1492	2404	DEMCCF0.exe	35
PID 2404 wrote to memory of 1492	2404	DEMCCF0.exe	35
PID 2404 wrote to memory of 1492	2404	DEMCCF0.exe	35
PID 1492 wrote to memory of 2156	1492	DEM23A7.exe	37
PID 1492 wrote to memory of 2156	1492	DEM23A7.exe	37
PID 1492 wrote to memory of 2156	1492	DEM23A7.exe	37
PID 1492 wrote to memory of 2156	1492	DEM23A7.exe	37
PID 2156 wrote to memory of 1460	2156	DEM7993.exe	39
PID 2156 wrote to memory of 1460	2156	DEM7993.exe	39
PID 2156 wrote to memory of 1460	2156	DEM7993.exe	39
PID 2156 wrote to memory of 1460	2156	DEM7993.exe	39
PID 1460 wrote to memory of 1648	1460	DEMCF41.exe	41
PID 1460 wrote to memory of 1648	1460	DEMCF41.exe	41
PID 1460 wrote to memory of 1648	1460	DEMCF41.exe	41
PID 1460 wrote to memory of 1648	1460	DEMCF41.exe	41

C:\Users\Admin\AppData\Local\Temp\09b5855b4aa4879a05d027bb7cfba46e.exe
"C:\Users\Admin\AppData\Local\Temp\09b5855b4aa4879a05d027bb7cfba46e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\DEM7677.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7677.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\DEM23A7.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM23A7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\DEM7993.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7993.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Users\Admin\AppData\Local\Temp\DEMCF41.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCF41.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\DEM25D8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM25D8.exe"
        7⤵
        Executes dropped EXE
        
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7677.exe

Filesize
14KB

MD5
31006d9dc0832b66af0f63343629bc5d

SHA1
64ab7849646937580edc5a78c290b4ac3d29f087

SHA256
cba51d50aa9eca448f7357db60e08ede52207520393d0821cd6bc125c05d694f

SHA512
39a9210bb9b2ab50f3c19ac1e3f326efddf596217af41cc964b23a9c69ca8728f12818d31c471b2c4f1f1433e3bae6bdc42bf80fea42ce13db12bd33519aa8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM7993.exe

Filesize
14KB

MD5
7bc6773c7ccf2cd831269c8881a67c06

SHA1
d65bd249abfe9a59c94f3dd99f223e8d709886f3

SHA256
b59adf55f7745ebcd057814e8f3691799f646144629092633c695e2b25ccadb4

SHA512
de30c596b69c4c0492adc5b6d3be9e83249b9701374f7ab2277b2edc00bd526ff54a7582e545c0cb35b586e6da2fa4fbfc25f58e407450d348566c172bf2531e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMCCF0.exe

Filesize
14KB

MD5
d6279b54d72ce73eabc1347c175595ec

SHA1
99bb6d422f0023472c59a5416824de03b8e93411

SHA256
f75a64abacda2dc8ab6f68162e66e99baee2f13f6287cfe1a925028f6ecc5ab1

SHA512
97b414471a39b7c5b3eae2f60fdac5dc33b51d17f959ab33d762c0cd4576d4fd970b7fc018ed2171f4787f4ba6e6752343e2158d82ce0814a3149229135051a1

Download Submit
\Users\Admin\AppData\Local\Temp\DEM23A7.exe

Filesize
14KB

MD5
d48c2cf563634528efce8b93a157768b

SHA1
6bb15fc09e12f697d0ce9de2fbe6a77552c6c91d

SHA256
d2bd20fb296cdd4580b26a80a0015d81ed4e31415c5b03ab02cbdd213ccfc200

SHA512
9248737c9865a02d6542a5bfdd77026cecf3a84de1a2c633b3cd73f92de4fa0a7533942dd5a5a7bc7f7133203073b9f44f42f2959ffb4ac373b04af9ad19ff22

Download Submit
\Users\Admin\AppData\Local\Temp\DEM25D8.exe

Filesize
14KB

MD5
8d24f0416945e45fd31d621ae547429b

SHA1
75d51fcff1b170a24cace80919ff682758e70a55

SHA256
079f94072a15db2284e33aec2e0182f2df84654b01ddde9ff184643dfa43ac1f

SHA512
24df2bd57336ef3a0f0bc857add9ab67dc459aff9999ef7b548112fb2648923470e7f5bf582425df9c780458b83a89cd8021d292dc89ed1a8f68af10142db735

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCF41.exe

Filesize
14KB

MD5
fceba7f3b88e2c5c9fad77dcbb694218

SHA1
e5bf736bd66342be462d74ff09a8616c4bc5bed9

SHA256
c112e390bd6d93d1bfc61801090fc49c249b248a2eca553da1dccc1d1e1a74bb

SHA512
ce8bf39e38b44571654f1d99980942af58f86f4aed4abc6f24212830c8e8eaaf0091b639dd6bf811f228723894a2d4b50270b6f0f901015b768b8bed3867e3c0

Download Submit

Analysis

Sharing