810188dda8abcf8fc7a4b7986fcfdfd85be1b485d38d8ccac4a968fa25e8d868

General

Target

09fbb3f310ff4fad6d3f3e08edb658b7.exe
Size

14KB
MD5

09fbb3f310ff4fad6d3f3e08edb658b7
SHA1

0b95519f016d0e0cbf1e6958776c001e616efaa5
SHA256

810188dda8abcf8fc7a4b7986fcfdfd85be1b485d38d8ccac4a968fa25e8d868
SHA512

4012b961e8d50392c5b3355c63f5bc3189919ddf763b0e534f650ae8f67d0cfa979108dcf4deadd98b5359787502170a05fd2f44388381506feb0d0460d88720
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0x:hDXWipuE+K3/SSHgx4x

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2912	DEM4A0B.exe
3064	DEMA055.exe
2668	DEMF602.exe
2236	DEM4B91.exe
2252	DEMA12F.exe
2056	DEMF6FC.exe

Loads dropped DLL 6 IoCs

pid	Process
2332	09fbb3f310ff4fad6d3f3e08edb658b7.exe
2912	DEM4A0B.exe
3064	DEMA055.exe
2668	DEMF602.exe
2236	DEM4B91.exe
2252	DEMA12F.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2912	2332	09fbb3f310ff4fad6d3f3e08edb658b7.exe	29
PID 2332 wrote to memory of 2912	2332	09fbb3f310ff4fad6d3f3e08edb658b7.exe	29
PID 2332 wrote to memory of 2912	2332	09fbb3f310ff4fad6d3f3e08edb658b7.exe	29
PID 2332 wrote to memory of 2912	2332	09fbb3f310ff4fad6d3f3e08edb658b7.exe	29
PID 2912 wrote to memory of 3064	2912	DEM4A0B.exe	34
PID 2912 wrote to memory of 3064	2912	DEM4A0B.exe	34
PID 2912 wrote to memory of 3064	2912	DEM4A0B.exe	34
PID 2912 wrote to memory of 3064	2912	DEM4A0B.exe	34
PID 3064 wrote to memory of 2668	3064	DEMA055.exe	35
PID 3064 wrote to memory of 2668	3064	DEMA055.exe	35
PID 3064 wrote to memory of 2668	3064	DEMA055.exe	35
PID 3064 wrote to memory of 2668	3064	DEMA055.exe	35
PID 2668 wrote to memory of 2236	2668	DEMF602.exe	37
PID 2668 wrote to memory of 2236	2668	DEMF602.exe	37
PID 2668 wrote to memory of 2236	2668	DEMF602.exe	37
PID 2668 wrote to memory of 2236	2668	DEMF602.exe	37
PID 2236 wrote to memory of 2252	2236	DEM4B91.exe	39
PID 2236 wrote to memory of 2252	2236	DEM4B91.exe	39
PID 2236 wrote to memory of 2252	2236	DEM4B91.exe	39
PID 2236 wrote to memory of 2252	2236	DEM4B91.exe	39
PID 2252 wrote to memory of 2056	2252	DEMA12F.exe	41
PID 2252 wrote to memory of 2056	2252	DEMA12F.exe	41
PID 2252 wrote to memory of 2056	2252	DEMA12F.exe	41
PID 2252 wrote to memory of 2056	2252	DEMA12F.exe	41

C:\Users\Admin\AppData\Local\Temp\09fbb3f310ff4fad6d3f3e08edb658b7.exe
"C:\Users\Admin\AppData\Local\Temp\09fbb3f310ff4fad6d3f3e08edb658b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\DEM4A0B.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4A0B.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\DEMA055.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA055.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\DEMF602.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF602.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\DEM4B91.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4B91.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\DEMA12F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA12F.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\DEMF6FC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF6FC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMA055.exe

Filesize
14KB

MD5
3e288840847c8c58b7084c8562c4e699

SHA1
8703f22e963e1abc193079ebd931063f349588cd

SHA256
eab724444ad17243ce2df5c21bf97868e140373b1a42b793ed456d11395d679c

SHA512
74fa69fa4b2d1c7ca80a4b8453567e4ff7ff7c868e39b5d9112d015a8200e59fed128a470d384e96cd7862a5e0feceb766967d6928af9ebb616a6f1311e04d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF602.exe

Filesize
14KB

MD5
d6e64c305e97c31724bd2b22e6f43c7b

SHA1
5490e52325576ec52676c830dc4a35743b764802

SHA256
4b6845d1f2e03e4934a07d35039ebfda4b242b71f13fd78b01d1f0e7e99f6dbb

SHA512
2b3a9367541799dad65dfb2d431417a16a4ede513405bf85d177b2ceec5b79b893b2f85ea15a6b0758b66248a2512a7ed36890715615b16292d8521fa7bdc939

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF6FC.exe

Filesize
14KB

MD5
56c047947e89d1b1d62488d5eb9d5114

SHA1
9788962aa095447d3bd0454891bfd31d9d0123fd

SHA256
0d204d8cc203e8d471f661578c3ca311a932f0b234dea3e75cb50195bf1a86c1

SHA512
b52699f01b4de526cd245cec44750dfb5a550ef01f625b51f220c0434e9f859202fb8fe31bb2e92909092bce2aa052542efd582df7b10324a61fc9a21acfd3da

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4A0B.exe

Filesize
14KB

MD5
ffa0d97f5533304645c1808d2f2637c7

SHA1
292cde9ac25259756afe83a21dad351577297b05

SHA256
b10fedf954e92bf1b72f7936a603e23e310182c3d24555a947a6753b70aba931

SHA512
1176c47a360deebf42668cbb7685b80972b3a79f6b4de582e74431542764409ec98a554b2248e625a8a1a6be096feafccf43eee94655850ec7625141c0992c0c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4B91.exe

Filesize
14KB

MD5
40b390d8531f2c74e8eceb3c87c41884

SHA1
e6b0340e60a9a8a94802238a11b93c19e8399ea9

SHA256
5d2f56a63983e3f4ede1d72820860ac6b14d386f139a32fb3c2971ad98e04cee

SHA512
ba0f3d01fd0ada691a13bbfa274187fb6ded356a88a064d9b66773af0fe9cd88be388e2c6239d14f1bcc729c7f38d57cb4c0cf2139698796975e3f2fccee9ab8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA12F.exe

Filesize
14KB

MD5
6096df2b2f547ebabad05a35823ba96d

SHA1
199c823e5ff1ec53e9a3d18cbc68267491efa870

SHA256
dc2478cc12a665e65da4333276ec70a28839d54275e4071bd3d175f710ff53dd

SHA512
cfef22b9563042426f59b5019a269aa642a7947ea49e35e52061a9c49399e44cfb73993ee297facadc26d866b8d02903e358f73e18368501ef8010952f98e69f

Download Submit

Analysis

Sharing