6f562ae1d100954112f4db3f5ea6f3ae6a381b6669e3278cfa1b72f28cd5e720

General

Target

0d0a2208b855c142ebf061536d70913e.exe
Size

15KB
MD5

0d0a2208b855c142ebf061536d70913e
SHA1

1787cbd5f208f3a7de7eee3cd4c3a5e55a590845
SHA256

6f562ae1d100954112f4db3f5ea6f3ae6a381b6669e3278cfa1b72f28cd5e720
SHA512

2c438688b3c493ccffb3962d13e9bc4620ef8351a905acfff6c0d038a5ff379260cad193575f607b73159ab9f5b5742ca605da92f4315cbc83fec8545059e405
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYltrA:hDXWipuE+K3/SSHgxmltrA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2708	DEM6B22.exe
1192	DEMC0EF.exe
2972	DEM166E.exe
2888	DEM6BAE.exe
1860	DEMC15C.exe
2052	DEM1719.exe

Loads dropped DLL 6 IoCs

pid	Process
2884	0d0a2208b855c142ebf061536d70913e.exe
2708	DEM6B22.exe
1192	DEMC0EF.exe
2972	DEM166E.exe
2888	DEM6BAE.exe
1860	DEMC15C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2708	2884	0d0a2208b855c142ebf061536d70913e.exe	29
PID 2884 wrote to memory of 2708	2884	0d0a2208b855c142ebf061536d70913e.exe	29
PID 2884 wrote to memory of 2708	2884	0d0a2208b855c142ebf061536d70913e.exe	29
PID 2884 wrote to memory of 2708	2884	0d0a2208b855c142ebf061536d70913e.exe	29
PID 2708 wrote to memory of 1192	2708	DEM6B22.exe	33
PID 2708 wrote to memory of 1192	2708	DEM6B22.exe	33
PID 2708 wrote to memory of 1192	2708	DEM6B22.exe	33
PID 2708 wrote to memory of 1192	2708	DEM6B22.exe	33
PID 1192 wrote to memory of 2972	1192	DEMC0EF.exe	35
PID 1192 wrote to memory of 2972	1192	DEMC0EF.exe	35
PID 1192 wrote to memory of 2972	1192	DEMC0EF.exe	35
PID 1192 wrote to memory of 2972	1192	DEMC0EF.exe	35
PID 2972 wrote to memory of 2888	2972	DEM166E.exe	37
PID 2972 wrote to memory of 2888	2972	DEM166E.exe	37
PID 2972 wrote to memory of 2888	2972	DEM166E.exe	37
PID 2972 wrote to memory of 2888	2972	DEM166E.exe	37
PID 2888 wrote to memory of 1860	2888	DEM6BAE.exe	39
PID 2888 wrote to memory of 1860	2888	DEM6BAE.exe	39
PID 2888 wrote to memory of 1860	2888	DEM6BAE.exe	39
PID 2888 wrote to memory of 1860	2888	DEM6BAE.exe	39
PID 1860 wrote to memory of 2052	1860	DEMC15C.exe	41
PID 1860 wrote to memory of 2052	1860	DEMC15C.exe	41
PID 1860 wrote to memory of 2052	1860	DEMC15C.exe	41
PID 1860 wrote to memory of 2052	1860	DEMC15C.exe	41

C:\Users\Admin\AppData\Local\Temp\0d0a2208b855c142ebf061536d70913e.exe
"C:\Users\Admin\AppData\Local\Temp\0d0a2208b855c142ebf061536d70913e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\DEM6B22.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6B22.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\DEMC0EF.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC0EF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\DEM166E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM166E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\DEM6BAE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6BAE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\DEMC15C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC15C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\DEM1719.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1719.exe"
        7⤵
        Executes dropped EXE
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM166E.exe

Filesize
15KB

MD5
787afecf39efe5d6b913f526ce6a83f9

SHA1
5d7edd8655ef2ddea2156f35a7ce7f855de5314c

SHA256
9a479833cd570c3973fb1e2a18fb7ff4ebc9e49b5c188c3ad93e173fb6f667ca

SHA512
92bf5b8f7d2a0bbb96eed63d9f85c28df8e6db6e0ffe66bf5d61684ed693d4b172ee6bf5c7d681c6291ec44e830bd44beb929c8d7f8a9fd8622ce9bdfe40d17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC0EF.exe

Filesize
15KB

MD5
203c0c15a60d42af9f050864103d1e3a

SHA1
46e957c4b33f01ceda734d9fcd772c1e2717a8ca

SHA256
536ba338f5a6fad419f7be32396fa813d6671b38d82f9024d572eb34b48addb1

SHA512
1e0b97efe7669b0dc645c93152b847c4327d75462ca4c2f2cda19cc6f44f1270fb7b40d62d54d49b15aded8e86919bca231b7a2fd668ae1ecc60afa6621b5547

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1719.exe

Filesize
15KB

MD5
8c81f7046d676aa9e88dc2b77448adf3

SHA1
6503729b2df2252a70de8c84795be633f68908ce

SHA256
efa5d5245a5b8711eb6dccdc25d8df3c1f88515cd885f89c390df7acc35bc137

SHA512
172a17992f33ccb2ba1d52c0b8e83efdcfdc270e8962ff180768c8ed76d695b137e52dc1c2fb0350e871d8544baf79cfafa1b98df12b97ee8adc559be67bb029

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6B22.exe

Filesize
15KB

MD5
3e7e2f95b84df448ab7f807aa32e551e

SHA1
937d518025d7e90c5507390e0054be3603d593f9

SHA256
ef0da4ac613b2804c5bc2bd8a9398c9a176a6e3da612e71691b5af78b85a1e72

SHA512
10ee8acbe4b69f2a7afc624364e8be3132b05490b0fd85af89bdab5cbb92c78de876ee118f52c1aef788b2550bb6fe43f18dd7a0b2d94086cf686c0d2110a5e9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6BAE.exe

Filesize
15KB

MD5
6da8aba84e63a6f5d013890039aed734

SHA1
a7b5f0760a521159caca953b8ba8067ac7a2a06a

SHA256
e7d6c93a5407e9420c9f422dc3e7d6c0b3fd6af7e1a2f0b17bbe413093e3cd05

SHA512
0db259c9b2a797e6f3ce374b5e90dc84c18b95fc3f9a25e983ddbc3dc529a67c4c95bed08c65fe5bd409e6294b402fcfcb6ea525aadadf38d21b54ac373541e3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC15C.exe

Filesize
15KB

MD5
6ba1ca3406b1daf4690b79b9a4d691bc

SHA1
0f59d3a5e665e80afdc0b5b5f540be980d9e5a1b

SHA256
937d26c60889e4ae8faa328a520f37bbe75190c921404fd853199c441e848e76

SHA512
a3bdd32da2d2e12cb8d16c306704fedc7150af3929772594d20e5c3fa41b8a372c27cc2f38b614366310d0f13fec1248a0a4bec55fed639c72692e64a5ab2c01

Download Submit

Analysis

Sharing