699bcfcbced15c4bea4320ada939072b82c93a8263ee18caf2f66dacff8223ec

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d320338547912a20ae2209247d99265.exe
Size

16KB
MD5

0d320338547912a20ae2209247d99265
SHA1

91ddb05090a4841e1739cfc06847e444cb20a4f4
SHA256

699bcfcbced15c4bea4320ada939072b82c93a8263ee18caf2f66dacff8223ec
SHA512

e5ca38a4a671e3fc7638f73718f0a9d75ac51c04c90c40c264808c316c8aa20e90a229fd9be83013469140f829ed51d50bdb0967a06226ca66c689f404e7f7a5
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY+SmZU:hDXWipuE+K3/SSHgxm+LW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2864	DEM4B81.exe
2668	DEM8FC1.exe
2860	DEME560.exe
1840	DEM3B0D.exe
1184	DEM90BB.exe
1312	DEME6A7.exe
2436	DEM3C36.exe

Loads dropped DLL 7 IoCs

pid	Process
2116	0d320338547912a20ae2209247d99265.exe
2864	DEM4B81.exe
2668	DEM8FC1.exe
2860	DEME560.exe
1840	DEM3B0D.exe
1184	DEM90BB.exe
1312	DEME6A7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2864	2116	0d320338547912a20ae2209247d99265.exe	29
PID 2116 wrote to memory of 2864	2116	0d320338547912a20ae2209247d99265.exe	29
PID 2116 wrote to memory of 2864	2116	0d320338547912a20ae2209247d99265.exe	29
PID 2116 wrote to memory of 2864	2116	0d320338547912a20ae2209247d99265.exe	29
PID 2864 wrote to memory of 2668	2864	DEM4B81.exe	33
PID 2864 wrote to memory of 2668	2864	DEM4B81.exe	33
PID 2864 wrote to memory of 2668	2864	DEM4B81.exe	33
PID 2864 wrote to memory of 2668	2864	DEM4B81.exe	33
PID 2668 wrote to memory of 2860	2668	DEM8FC1.exe	35
PID 2668 wrote to memory of 2860	2668	DEM8FC1.exe	35
PID 2668 wrote to memory of 2860	2668	DEM8FC1.exe	35
PID 2668 wrote to memory of 2860	2668	DEM8FC1.exe	35
PID 2860 wrote to memory of 1840	2860	DEME560.exe	37
PID 2860 wrote to memory of 1840	2860	DEME560.exe	37
PID 2860 wrote to memory of 1840	2860	DEME560.exe	37
PID 2860 wrote to memory of 1840	2860	DEME560.exe	37
PID 1840 wrote to memory of 1184	1840	DEM3B0D.exe	39
PID 1840 wrote to memory of 1184	1840	DEM3B0D.exe	39
PID 1840 wrote to memory of 1184	1840	DEM3B0D.exe	39
PID 1840 wrote to memory of 1184	1840	DEM3B0D.exe	39
PID 1184 wrote to memory of 1312	1184	DEM90BB.exe	41
PID 1184 wrote to memory of 1312	1184	DEM90BB.exe	41
PID 1184 wrote to memory of 1312	1184	DEM90BB.exe	41
PID 1184 wrote to memory of 1312	1184	DEM90BB.exe	41
PID 1312 wrote to memory of 2436	1312	DEME6A7.exe	43
PID 1312 wrote to memory of 2436	1312	DEME6A7.exe	43
PID 1312 wrote to memory of 2436	1312	DEME6A7.exe	43
PID 1312 wrote to memory of 2436	1312	DEME6A7.exe	43

C:\Users\Admin\AppData\Local\Temp\0d320338547912a20ae2209247d99265.exe
"C:\Users\Admin\AppData\Local\Temp\0d320338547912a20ae2209247d99265.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\DEME560.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME560.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Users\Admin\AppData\Local\Temp\DEM3B0D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3B0D.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Users\Admin\AppData\Local\Temp\DEM90BB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM90BB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME6A7.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\DEM3C36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C36.exe"
        8⤵
        Executes dropped EXE
        
        PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3B0D.exe

Filesize
16KB

MD5
c1937d13a7a6a5a9bb8522dda30f5da7

SHA1
1089912d9271cf01ce538cd8a1b779116359f9a0

SHA256
f580da54a908c5eb93542e4709632120cb0f8040d11134fecedd0bb789188a4a

SHA512
f5dd098e80e1fa100d28612f0df7495f5025098728f6500856818d3c84ea6326e84292d8a1d2cfd09c192ab90799993b467d773a9766b423b2f35f0deab8b299

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM3C36.exe

Filesize
16KB

MD5
3ee7c530fbdd58c00e38f97991460919

SHA1
b9f4e19b38a0fdbefb9a8bc46a6c0770d5562d79

SHA256
ad31d690deec83723145d3a7358f02e43590eaa6dbbeedc168a01b2374dee6fa

SHA512
39fde3b3f9a12d5a49fb08b991a80467af4353de777d0db98d2304825cfea98cc6a10115d4088c756ee2abcd75fa1d2f77241b29e5d5dfcb27a7e1190b94836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM4B81.exe

Filesize
16KB

MD5
823e49be39310460f0d1972fa0e593ed

SHA1
e612432fb630bc7d3204796b9f44be146c7b59a0

SHA256
79402f4456c31a940b314bacfac880f803d1a387aa6ee2cdce04e2185c6a0fad

SHA512
e69a09bf5e24b14af0ccbb9eaeac7b007750468ab1b3cee92bdc69f11f5a5ef63c2fbe47e0a753af97e4d6a378c94ff536ac215e9e0a13bada926290bf5f495b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe

Filesize
16KB

MD5
29f2698b18b9bb58b65f6cca8e82c055

SHA1
d025fcc035850c2eab71ce1131c96ac9f3ef6d38

SHA256
9291beb32724ca18a7b67cb5ac2b5617f22463f857f5d9824fd26c6ffcd8b0c2

SHA512
1b2002423d3594a908fa53e3b5e03b3d959a76fb78330a98c7f07961e440135ad8d653268325f6cae641d16747ea90f9a4bbb0c62efb1bc825eefc64b65f67b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME560.exe

Filesize
16KB

MD5
b468018084ae6713b6a8eef12dc813ca

SHA1
4477a7498dcda98eaedf1caa0514d24657140655

SHA256
27a18e01b3db0c277edbd8973b094ecf35658543d00ca09ad44a8c4a67821059

SHA512
75163d0fd414abaf5e208681aa8f307924a50408b02bfd8bd260e7f91c6be40808efb4c666d3f7948ef024dca55dde92e22cba68530580dda8da3bd993a48962

Download Submit
\Users\Admin\AppData\Local\Temp\DEM90BB.exe

Filesize
16KB

MD5
82991d86a7045f76d1afe5b6c3f9409a

SHA1
a6d6543465c569bd2d35bf8ed1323d0a99473e9d

SHA256
e98adf1eb4a5ce98cb23ecccc369be6b3702b34f3a5e35e9cabd11681280b758

SHA512
be382ea4421b8d6f47342980427fe38013c2291340ec24b26976255acb8863b147a0e5562998963dc1431108be81ad52257aeafc73213e5ae3674cf870145470

Download Submit
\Users\Admin\AppData\Local\Temp\DEME6A7.exe

Filesize
16KB

MD5
edc833903c399647a7f651d8176ae04a

SHA1
591d52b52de8bce9b15ddde9267b28aaa103c6a2

SHA256
edd6bc1f22d2d0040ef796a4ad1eaecf21c87453a1cfd448e6fd596dbc6a6969

SHA512
f3735fc23ddb73384f61faefc89089a953c3051683ca6ec2cab553db33e1ca0a9c9d285145a0860194310ac4e5be65abb187444cac2977564ae3b0785a659fa1

Download Submit