376bdff602070ba3904dc35629576287cb631872acf58097171e8721f25c86b4

General

Target

0dc03018dd94bdeee6a243af7e4c3ce0.exe
Size

14KB
MD5

0dc03018dd94bdeee6a243af7e4c3ce0
SHA1

bb6bdf5b2b8ca82c512845472f26e809f6e7a316
SHA256

376bdff602070ba3904dc35629576287cb631872acf58097171e8721f25c86b4
SHA512

f42077ba755212d6d5bb8d2f9c47314e1505c0a041ed32b742020a46f221df5c5786080a98120e022ad8a159ccf793981c00122a187ff684b4a062f8b34c28d2
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cny:hDXWipuE+K3/SSHgx/y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2720	DEMEEF.exe
2640	DEM645E.exe
2792	DEMBA1B.exe
824	DEMF7B.exe
2056	DEM64CB.exe
2328	DEMBA2B.exe

Loads dropped DLL 6 IoCs

pid	Process
2532	0dc03018dd94bdeee6a243af7e4c3ce0.exe
2720	DEMEEF.exe
2640	DEM645E.exe
2792	DEMBA1B.exe
824	DEMF7B.exe
2056	DEM64CB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2720	2532	0dc03018dd94bdeee6a243af7e4c3ce0.exe	29
PID 2532 wrote to memory of 2720	2532	0dc03018dd94bdeee6a243af7e4c3ce0.exe	29
PID 2532 wrote to memory of 2720	2532	0dc03018dd94bdeee6a243af7e4c3ce0.exe	29
PID 2532 wrote to memory of 2720	2532	0dc03018dd94bdeee6a243af7e4c3ce0.exe	29
PID 2720 wrote to memory of 2640	2720	DEMEEF.exe	31
PID 2720 wrote to memory of 2640	2720	DEMEEF.exe	31
PID 2720 wrote to memory of 2640	2720	DEMEEF.exe	31
PID 2720 wrote to memory of 2640	2720	DEMEEF.exe	31
PID 2640 wrote to memory of 2792	2640	DEM645E.exe	35
PID 2640 wrote to memory of 2792	2640	DEM645E.exe	35
PID 2640 wrote to memory of 2792	2640	DEM645E.exe	35
PID 2640 wrote to memory of 2792	2640	DEM645E.exe	35
PID 2792 wrote to memory of 824	2792	DEMBA1B.exe	37
PID 2792 wrote to memory of 824	2792	DEMBA1B.exe	37
PID 2792 wrote to memory of 824	2792	DEMBA1B.exe	37
PID 2792 wrote to memory of 824	2792	DEMBA1B.exe	37
PID 824 wrote to memory of 2056	824	DEMF7B.exe	40
PID 824 wrote to memory of 2056	824	DEMF7B.exe	40
PID 824 wrote to memory of 2056	824	DEMF7B.exe	40
PID 824 wrote to memory of 2056	824	DEMF7B.exe	40
PID 2056 wrote to memory of 2328	2056	DEM64CB.exe	41
PID 2056 wrote to memory of 2328	2056	DEM64CB.exe	41
PID 2056 wrote to memory of 2328	2056	DEM64CB.exe	41
PID 2056 wrote to memory of 2328	2056	DEM64CB.exe	41

C:\Users\Admin\AppData\Local\Temp\0dc03018dd94bdeee6a243af7e4c3ce0.exe
"C:\Users\Admin\AppData\Local\Temp\0dc03018dd94bdeee6a243af7e4c3ce0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\DEMEEF.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMEEF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\DEM645E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM645E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\DEMBA1B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBA1B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Users\Admin\AppData\Local\Temp\DEMF7B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF7B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:824
      - C:\Users\Admin\AppData\Local\Temp\DEM64CB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM64CB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\DEMBA2B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBA2B.exe"
        7⤵
        Executes dropped EXE
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM645E.exe

Filesize
14KB

MD5
fe1cc9a62762659a418f7f9914244ec0

SHA1
c16205c37cb6d2d538811f6a7ef87da1eb5bbe3a

SHA256
8d7bc5061b117e65c7c2ba80affaf4e3c65f517447f4107773d7c982d79f921c

SHA512
a9065504c37ca8d6f678a1aa2ccffdbbeb485eb50ba8f461c2b58490a503fcf8b8b3e6acc709f0d386a7020269c46a9bd94a14e5fa08939b073c082f1c1f64bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM64CB.exe

Filesize
14KB

MD5
5202150e3069a2e2ceb859fc9918b094

SHA1
a8c3005515a0825819713824e4c9164e2fe1747d

SHA256
e83810d438c0daf30a56de1e1158bb936a0543e5dc073c9323eea1341ae625f9

SHA512
d6b108a69dc8a255bdda2b0c58d14f1bcc5c120751cf079c77f6ac70f799367d01725916d8ed067edef794a4fae3b66da249f243c63741088e2113709592fc47

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBA1B.exe

Filesize
14KB

MD5
3da2022640a8fb16908ae656b00a8a7c

SHA1
d2267edb13a8c6ddddf7ddf8bb948764c1ea3c06

SHA256
aa1c22b314940c2e6ebfad6b9524d9f0a00501b2d86754d67414423d20fd9167

SHA512
a559ed7f766c1c8b4763d72fe13985f49e7b9200e4a45a4eeb3baf52162014cc84a3431aae8cb4d27bf07e114f76c38878a9bd514e1404a1740937ef4f3d0119

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBA2B.exe

Filesize
14KB

MD5
134a8e93451ebf7acc3ad2a3d1be0f9e

SHA1
0db1e748c41294e4d3bf7ac255cb1a2b7d7e2d36

SHA256
2dddf527633179de374029fee02e6270a6734822b9a57f93c3c8cf5ac1439cfa

SHA512
a62e46e42b8afdb4f441a4676cd70a48d3711ae4e156e1a7f1e1c4dfa5ddf03245da030db618f4a20a7adb39ac3aae8aa7b500b74469524aa6c942e310868922

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEEF.exe

Filesize
14KB

MD5
41f7166b87db2c1f3f5cc1975f3d802f

SHA1
5f50c9287cb510d7836ca52620666e1e7742f62d

SHA256
08dc666ce4944e5a19fb67a0d6fedcbb2d96ef425dd55a45d3ca97c0e30877af

SHA512
49d49f517bf312b0a83153114c67c7369083274237d2524560c11debbd64f08f551438dcda8d0c5ab14db16cf884dcf93638b55dcbcdd4df1ced2d303aaa16b3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF7B.exe

Filesize
14KB

MD5
73739c6dd381526d46263a49a056a1e3

SHA1
3aa1a630b49472b9adfe8e922c6f67de36af8ba2

SHA256
bd0103207530ff5d49486df3001dccc94e6232d37bd49da4670bef6352cf4a49

SHA512
dc884509cbb32011d971c6d0ebbd435bdad3de30dc96a8df8a9a830c175857af0ad6ccb4c6fd51b8dd828aa62245772f80b6eaff305bad5a3fc2e343bf6b6224

Download Submit

Analysis

Sharing