a8a56da9c57823233037114bc0c893f9aba0344a64e78828416fbf8fd43ba1a0

General

Target

0ce90937e2e1f05dd321aca8be2699c4.exe
Size

15KB
MD5

0ce90937e2e1f05dd321aca8be2699c4
SHA1

0a8e1f8c758564cbe490099cae8ed4d6d3c85e4c
SHA256

a8a56da9c57823233037114bc0c893f9aba0344a64e78828416fbf8fd43ba1a0
SHA512

a57dd3a6190b7fbdc2d4355967a1dfa350ff3929b9bb6c7dd5cf469562c0caee93e6bf9d9a0e32abc9075b6744037c10c695d18e95658a02e89068cedf2fc7d7
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxt:hDXWipuE+K3/SSHgxmHf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2664	DEM9138.exe
2600	DEME7B0.exe
868	DEM3E48.exe
1560	DEM9473.exe
1632	DEMEA6E.exe
2624	DEM405A.exe

Loads dropped DLL 6 IoCs

pid	Process
928	0ce90937e2e1f05dd321aca8be2699c4.exe
2664	DEM9138.exe
2600	DEME7B0.exe
868	DEM3E48.exe
1560	DEM9473.exe
1632	DEMEA6E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 2664	928	0ce90937e2e1f05dd321aca8be2699c4.exe	31
PID 928 wrote to memory of 2664	928	0ce90937e2e1f05dd321aca8be2699c4.exe	31
PID 928 wrote to memory of 2664	928	0ce90937e2e1f05dd321aca8be2699c4.exe	31
PID 928 wrote to memory of 2664	928	0ce90937e2e1f05dd321aca8be2699c4.exe	31
PID 2664 wrote to memory of 2600	2664	DEM9138.exe	33
PID 2664 wrote to memory of 2600	2664	DEM9138.exe	33
PID 2664 wrote to memory of 2600	2664	DEM9138.exe	33
PID 2664 wrote to memory of 2600	2664	DEM9138.exe	33
PID 2600 wrote to memory of 868	2600	DEME7B0.exe	35
PID 2600 wrote to memory of 868	2600	DEME7B0.exe	35
PID 2600 wrote to memory of 868	2600	DEME7B0.exe	35
PID 2600 wrote to memory of 868	2600	DEME7B0.exe	35
PID 868 wrote to memory of 1560	868	DEM3E48.exe	37
PID 868 wrote to memory of 1560	868	DEM3E48.exe	37
PID 868 wrote to memory of 1560	868	DEM3E48.exe	37
PID 868 wrote to memory of 1560	868	DEM3E48.exe	37
PID 1560 wrote to memory of 1632	1560	DEM9473.exe	39
PID 1560 wrote to memory of 1632	1560	DEM9473.exe	39
PID 1560 wrote to memory of 1632	1560	DEM9473.exe	39
PID 1560 wrote to memory of 1632	1560	DEM9473.exe	39
PID 1632 wrote to memory of 2624	1632	DEMEA6E.exe	41
PID 1632 wrote to memory of 2624	1632	DEMEA6E.exe	41
PID 1632 wrote to memory of 2624	1632	DEMEA6E.exe	41
PID 1632 wrote to memory of 2624	1632	DEMEA6E.exe	41

C:\Users\Admin\AppData\Local\Temp\0ce90937e2e1f05dd321aca8be2699c4.exe
"C:\Users\Admin\AppData\Local\Temp\0ce90937e2e1f05dd321aca8be2699c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\DEM9138.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM9138.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\DEME7B0.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME7B0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\DEM3E48.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3E48.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Users\Admin\AppData\Local\Temp\DEM9473.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9473.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\DEMEA6E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEA6E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\DEM405A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM405A.exe"
        7⤵
        Executes dropped EXE
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEME7B0.exe

Filesize
15KB

MD5
d44b34a07e5b3462ed052b4c60ac12b7

SHA1
d2acf36f9ab214570dd74c4316de17c3bc7db3ea

SHA256
0289a3ca0ae8473dd03da7d5df9e50dcc1362aa8585435dea1bd9d077fe8f07b

SHA512
bb6aa017b0d6a51876422bbdf152151b6324ede872974c84712d39ea688c0ca1044fca798e7af52d24b083e3e6bb6d0f9e1859f31bd6873b66c533701368255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMEA6E.exe

Filesize
15KB

MD5
754a27ebb76bdb39f67afc98b98daaa2

SHA1
c4b0570b8ee6e6c0527af6c3aa66c6e043d8a8ca

SHA256
5d61a26403e510503d7fb47b08ec9ff29eeb2347b5f0517a5b24c1112f1096b7

SHA512
bf737d662668ac72e3769a8c2616a402b4b89e8cee743d2d614a786b8a4fa86bb80a22fdea210ad675528434edcf93fee9e81222cc313ced66a45578e91f6f65

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3E48.exe

Filesize
15KB

MD5
e1df2f33fea76089d95677bf703a99fa

SHA1
da72963fc170cf42c3c3b87d5879b51863615482

SHA256
26431a166f64e593cadd383ad50e53ec61fa995ee86d03e606cc23553e3ad2cf

SHA512
f71c43c28d318dadce9e374d8b0d5be1ed2d36081ac52abe25e1d9ad5475c0fa958d2519727a1dbd97d6a771c5794616a72c9d04407121596fd4dd8fd4f90692

Download Submit
\Users\Admin\AppData\Local\Temp\DEM405A.exe

Filesize
15KB

MD5
46be1972c66e43066930a1eb94350e9f

SHA1
ad213abb8245f2b6255d81f3bed25684a1cc190b

SHA256
c82fecf4d3f94bc30cc1d251bd9464fbccb22b7ba523498aeab73bf9975613bc

SHA512
f5be32095ca02b280136df031a321277ddea98bc53d015984e783f74cca44b0b2d1deaa44524d914fe891540cbc3100964852546569b01cfaef96141cdaa559b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9138.exe

Filesize
15KB

MD5
7aac1e1a0c9f1391fc97e62b3ea0a9a9

SHA1
0a6f8ddabce1010bd89d1f1e5e7d61d04f928418

SHA256
d15427eaeaf6288601bb41d4aba0f028b496ba711af792af8af5ea484293f7a4

SHA512
822d699a4212ee7b498c6b2bae9aa97573f535bf0281bae729046b498031af4ab5c07b9a05a025fff35080d4b3e407ecb309d731205333e54053d63707894a75

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9473.exe

Filesize
15KB

MD5
772e1816b48b9ea912f58dece3a7ae17

SHA1
ce9b2fd17e952400c33c78a5d95256625942dc68

SHA256
738506614764672a0970d386da57472d5aaf195e59219f9c70efe74c7d012ebe

SHA512
691507a1c3469eef2c71764db656ff37153373343eef088f366986a418b7608c3965c089c04d4c392687ad34d273e05dc4528b8116261f21cfbc07a84e90d4ff

Download Submit

Analysis

Sharing