6adc10cdee74c540cf4b2f08aa56910cd99ac555754df3de69e3e5d4feadd746

General

Target

0a8d053ed7e8597ec76ccde176763576.exe
Size

14KB
MD5

0a8d053ed7e8597ec76ccde176763576
SHA1

a155e1c5b8fe174206ed36e92cf169bb5ed1573c
SHA256

6adc10cdee74c540cf4b2f08aa56910cd99ac555754df3de69e3e5d4feadd746
SHA512

f8435faa379a22f1583beb8f360ccb4b91230179f9900a1a444eee583c2494225c940abad40018a668a1a41bc1fdd9f739611f6f364b43b93ed2e9e48f2d1408
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhIFiQ:hDXWipuE+K3/SSHgxyFV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2708	DEMB37.exe
2148	DEM6171.exe
2772	DEMB6F0.exe
1560	DEMC21.exe
2024	DEM6172.exe
2248	DEMB6D1.exe

Loads dropped DLL 6 IoCs

pid	Process
1992	0a8d053ed7e8597ec76ccde176763576.exe
2708	DEMB37.exe
2148	DEM6171.exe
2772	DEMB6F0.exe
1560	DEMC21.exe
2024	DEM6172.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2708	1992	0a8d053ed7e8597ec76ccde176763576.exe	29
PID 1992 wrote to memory of 2708	1992	0a8d053ed7e8597ec76ccde176763576.exe	29
PID 1992 wrote to memory of 2708	1992	0a8d053ed7e8597ec76ccde176763576.exe	29
PID 1992 wrote to memory of 2708	1992	0a8d053ed7e8597ec76ccde176763576.exe	29
PID 2708 wrote to memory of 2148	2708	DEMB37.exe	31
PID 2708 wrote to memory of 2148	2708	DEMB37.exe	31
PID 2708 wrote to memory of 2148	2708	DEMB37.exe	31
PID 2708 wrote to memory of 2148	2708	DEMB37.exe	31
PID 2148 wrote to memory of 2772	2148	DEM6171.exe	36
PID 2148 wrote to memory of 2772	2148	DEM6171.exe	36
PID 2148 wrote to memory of 2772	2148	DEM6171.exe	36
PID 2148 wrote to memory of 2772	2148	DEM6171.exe	36
PID 2772 wrote to memory of 1560	2772	DEMB6F0.exe	37
PID 2772 wrote to memory of 1560	2772	DEMB6F0.exe	37
PID 2772 wrote to memory of 1560	2772	DEMB6F0.exe	37
PID 2772 wrote to memory of 1560	2772	DEMB6F0.exe	37
PID 1560 wrote to memory of 2024	1560	DEMC21.exe	39
PID 1560 wrote to memory of 2024	1560	DEMC21.exe	39
PID 1560 wrote to memory of 2024	1560	DEMC21.exe	39
PID 1560 wrote to memory of 2024	1560	DEMC21.exe	39
PID 2024 wrote to memory of 2248	2024	DEM6172.exe	41
PID 2024 wrote to memory of 2248	2024	DEM6172.exe	41
PID 2024 wrote to memory of 2248	2024	DEM6172.exe	41
PID 2024 wrote to memory of 2248	2024	DEM6172.exe	41

C:\Users\Admin\AppData\Local\Temp\0a8d053ed7e8597ec76ccde176763576.exe
"C:\Users\Admin\AppData\Local\Temp\0a8d053ed7e8597ec76ccde176763576.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\DEMB37.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB37.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\DEM6171.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6171.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\DEMB6F0.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB6F0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\DEMC21.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC21.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\DEM6172.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6172.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB6D1.exe"
        7⤵
        Executes dropped EXE
        
        PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6171.exe

Filesize
14KB

MD5
81225c1e141641edd4d56a62ee9fb061

SHA1
04a5787d13c34dee1da75edf58bc826248d303f1

SHA256
e68c3f9f6146eb745bb18a9a8fbad48ddbc33329bf15a275507e09797a001981

SHA512
13565d0b117cc08576e81c99d0ec7436e338d8908fc5f205cf093b399db1063e053bd1bbb2bdb46e3299dba00a3c0487f65051a19b2f462fea72e6c36be55873

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB6F0.exe

Filesize
14KB

MD5
3f66a0b3b6255413391c606d436b5c5d

SHA1
5f2fa7c8896ca156377bdd1b5e1e3301e94e9c78

SHA256
6a9d7473732863791c16c9728e117a52d77718f278a098812531f4498d120d45

SHA512
e34a934047614acbc5e3fc8f0c7244a63a37545653f13265ac67cf3083010d37d2cc5284643d150482dab79ef0e5d70e2caba0c0a5f0be6d002b9c3a497e0f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC21.exe

Filesize
14KB

MD5
1251f84457ff44fcca3c5522a374204e

SHA1
53170434c8465b75d4783271284fb6c865269fa2

SHA256
e34291c85b838f1966ef85c3ed2c9b988be2c17d107af6c819752fc5e8b8fee2

SHA512
ee3eecfef2f5ffdaa7abcd47bfa5d603adb8f16596ee99655e8902f26b030e9b77d6cf5f9a57634d44e1b1c92fed40a953a9bf09c7cda2da45b57189118fdd56

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6172.exe

Filesize
14KB

MD5
e4e751277e213c7c40032b015931f8c4

SHA1
181906dfcc73956473ac20852bbb33a185cb9d09

SHA256
ea2cd80f1a5aaa1b884122371ab56e4d9ad7b98ae3de2066c557f393cd2b8346

SHA512
2d1099aa4896930f16cd4a99312405239359a8d2048fb0a16aa662ee9e5c1b3d0cae627bea504336e9ab06cde522c984b7de6a09bf04fd5904a126cb2c65de48

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB37.exe

Filesize
14KB

MD5
188ffdd5901fe09106a2a41c794822ce

SHA1
46856700d8fca33781493caa1cd43433111b819d

SHA256
3b32ac4a84c5ace1c967260fded78df9f602da02910b81ff861e06b6a5c1be28

SHA512
8ce0db601438772a35ac91aac5577e732b35357c196f4e2bb549483e38bdbc177a9b532bc4527537dabfafe2b21f1b95dc3079706e29b40039573dcee486aaef

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB6D1.exe

Filesize
14KB

MD5
b24326ef594cf300cecd2384010c0144

SHA1
0855235059d9b3694bf731611b980c9daeea3fc5

SHA256
c653c7ae5cdd61f42480731ca8475efc1b68362e2d92cace62b5789158adc7e0

SHA512
2cf0eb1f0a0079fba62b0ccb74297df54826f211f8073a242ef6dfc67157dcdb140d56d7a7a3eb34c07379b37ed757abcfd7f193d93c4e1298c861868a599b6b

Download Submit

Analysis

Sharing