b76fea0a739fe42587f63684af84abcf14193c0b163978e096ca91cd539b1f8a

General

Target

0ad2917f96f0cf25709e44386f8c77a7.exe
Size

14KB
MD5

0ad2917f96f0cf25709e44386f8c77a7
SHA1

173bd840acf05bfda729a99ad64b30806ea0d7ab
SHA256

b76fea0a739fe42587f63684af84abcf14193c0b163978e096ca91cd539b1f8a
SHA512

7263d5c573aa87b5fd3065182eb13beed1edc3db8e528c418f77ca91851f03b50dc590f13837119872fb84b10e9eaee58e42a0fa24f637ad99e03a2b58b6ec1c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnJ:hDXWipuE+K3/SSHgx/J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2292	DEM1C57.exe
2612	DEM7188.exe
2444	DEMC6D8.exe
1800	DEM1C66.exe
1300	DEM71D6.exe
2564	DEMC783.exe

Loads dropped DLL 6 IoCs

pid	Process
2252	0ad2917f96f0cf25709e44386f8c77a7.exe
2292	DEM1C57.exe
2612	DEM7188.exe
2444	DEMC6D8.exe
1800	DEM1C66.exe
1300	DEM71D6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2292	2252	0ad2917f96f0cf25709e44386f8c77a7.exe	29
PID 2252 wrote to memory of 2292	2252	0ad2917f96f0cf25709e44386f8c77a7.exe	29
PID 2252 wrote to memory of 2292	2252	0ad2917f96f0cf25709e44386f8c77a7.exe	29
PID 2252 wrote to memory of 2292	2252	0ad2917f96f0cf25709e44386f8c77a7.exe	29
PID 2292 wrote to memory of 2612	2292	DEM1C57.exe	31
PID 2292 wrote to memory of 2612	2292	DEM1C57.exe	31
PID 2292 wrote to memory of 2612	2292	DEM1C57.exe	31
PID 2292 wrote to memory of 2612	2292	DEM1C57.exe	31
PID 2612 wrote to memory of 2444	2612	DEM7188.exe	35
PID 2612 wrote to memory of 2444	2612	DEM7188.exe	35
PID 2612 wrote to memory of 2444	2612	DEM7188.exe	35
PID 2612 wrote to memory of 2444	2612	DEM7188.exe	35
PID 2444 wrote to memory of 1800	2444	DEMC6D8.exe	37
PID 2444 wrote to memory of 1800	2444	DEMC6D8.exe	37
PID 2444 wrote to memory of 1800	2444	DEMC6D8.exe	37
PID 2444 wrote to memory of 1800	2444	DEMC6D8.exe	37
PID 1800 wrote to memory of 1300	1800	DEM1C66.exe	39
PID 1800 wrote to memory of 1300	1800	DEM1C66.exe	39
PID 1800 wrote to memory of 1300	1800	DEM1C66.exe	39
PID 1800 wrote to memory of 1300	1800	DEM1C66.exe	39
PID 1300 wrote to memory of 2564	1300	DEM71D6.exe	41
PID 1300 wrote to memory of 2564	1300	DEM71D6.exe	41
PID 1300 wrote to memory of 2564	1300	DEM71D6.exe	41
PID 1300 wrote to memory of 2564	1300	DEM71D6.exe	41

C:\Users\Admin\AppData\Local\Temp\0ad2917f96f0cf25709e44386f8c77a7.exe
"C:\Users\Admin\AppData\Local\Temp\0ad2917f96f0cf25709e44386f8c77a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\DEM1C57.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1C57.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\DEM7188.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM7188.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\DEMC6D8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC6D8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\DEM1C66.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1C66.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\DEM71D6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM71D6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\DEMC783.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC783.exe"
        7⤵
        Executes dropped EXE
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM7188.exe

Filesize
14KB

MD5
d63edde59e3329aebfc4e8f4ac814704

SHA1
7526d315aef35c9941111c44ca148859cf0fcd25

SHA256
4fd1f9f4d7b2ac6c74bf6846151089743822b5247681a100700bd97739ebb6a3

SHA512
a0fff49b2ac172580e6b2ef10329cb5449679739e80de4ef69680195d35b8694f1437d5195fdec68079ba8965a7896d2a0a19698c06ce1a67fda4eb76391ac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC783.exe

Filesize
14KB

MD5
9025ee796ee1f298822a1e71d7cae720

SHA1
2cf77be3816cd5d33bd14946839d5678be703ba4

SHA256
a82bbcbca3c55912bfe3efdec82ec92061a72288f58cd6ab63685bfbf2ff653a

SHA512
d73e975ce66ce098fd7be7734dcacf9ead81cc3e441d2c8dcd39ed8a70f17a6d94f05993e2c2ae7da1aaaf41d209e0f6ebeb155e793ed24b46b86080052cbf13

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1C57.exe

Filesize
14KB

MD5
7f17a80031dca2e7d8fd0e85b9d2efd1

SHA1
407adfe06c42c5298cd5001544efdcac99357d9f

SHA256
6f41f37df844853680ea25045c923246cc34877b292f4577aeb53c14bbd18dbf

SHA512
3a2bf34c89c7115b8092e7921dddab13002a8460f3fc34f10a0c458cfbebbcec152e53be5e387b3e08c7fcb90479eb386efd061cff689a4c345c837f76678ae9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1C66.exe

Filesize
14KB

MD5
40f57fca3cafb856492b470f3b62cb5d

SHA1
2a40ff067f226ad4c73bfa44e547b08cd764a0cb

SHA256
17304c17f29bd05cd0cc45728c03c4edc46db56209d0c4bcea3f1ea795f2a29b

SHA512
312dd70298003f0647c6240058c2629840e0117627274434410e174a380f25a42cf0405898e7dd41511e62e84943278fb6dc16faf03e20c537071d9e60dd1feb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM71D6.exe

Filesize
14KB

MD5
c6c0a83fa74415c099a2bd997838461d

SHA1
3d5a4e6a7104040bd680224dd87dd40dd2d2a7f4

SHA256
2bba9ab6b7d6f2e3c2778876315c1c2f9000486bd66955f8c58c94c13da0ff5a

SHA512
ffb8d302ba93a3415b1a6d43f9bbda4dad8672046072536fc3484d0a09655bbb8e19cd328f97ba059b3f7a9c3540c77d94ab0940ecb8b2851bd5a30ed39b42a2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC6D8.exe

Filesize
14KB

MD5
98577e2e4ac0631ee6843bc1d12d2fab

SHA1
35473d9b053a5ea37befdf94138374cab15afa31

SHA256
2394961034e030e82266e4f4e2d94a19e3a8c53392ef0d48182b8618d21ab0dc

SHA512
79e019441a044a49c494fbabcd881989ba7f8d041474eab5006ce98d9b7f74ca8ef4cab2773acddf269042875767757ba07173af3995e2ae6c3e80afd67f3489

Download Submit

Analysis

Sharing