8dea97e974422a96d6e1f8b6299d2d2ce8ccc1c15fd9a02c0502db65bdd67dd3

General

Target

198421b2852793b18758617a2576fcfc.exe
Size

14KB
MD5

198421b2852793b18758617a2576fcfc
SHA1

ecc049d89d57b82b6d23814792a8096bf942f51a
SHA256

8dea97e974422a96d6e1f8b6299d2d2ce8ccc1c15fd9a02c0502db65bdd67dd3
SHA512

ce7cc0f881872bd96cdcdcea78fe75bf5ec1dbdc009c89b7e5a2a5095e65a2fa6bd8530adc83c6af6bad4c41db4103084d0f36eee9bb5606fd47b045e2e5760a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0pj+F:hDXWipuE+K3/SSHgx49W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2764	DEM56F6.exe
2864	DEMACC3.exe
2800	DEM261.exe
2988	DEM588C.exe
2948	DEMAE1A.exe
2360	DEM3C8.exe

Loads dropped DLL 6 IoCs

pid	Process
2536	198421b2852793b18758617a2576fcfc.exe
2764	DEM56F6.exe
2864	DEMACC3.exe
2800	DEM261.exe
2988	DEM588C.exe
2948	DEMAE1A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2764	2536	198421b2852793b18758617a2576fcfc.exe	30
PID 2536 wrote to memory of 2764	2536	198421b2852793b18758617a2576fcfc.exe	30
PID 2536 wrote to memory of 2764	2536	198421b2852793b18758617a2576fcfc.exe	30
PID 2536 wrote to memory of 2764	2536	198421b2852793b18758617a2576fcfc.exe	30
PID 2764 wrote to memory of 2864	2764	DEM56F6.exe	34
PID 2764 wrote to memory of 2864	2764	DEM56F6.exe	34
PID 2764 wrote to memory of 2864	2764	DEM56F6.exe	34
PID 2764 wrote to memory of 2864	2764	DEM56F6.exe	34
PID 2864 wrote to memory of 2800	2864	DEMACC3.exe	35
PID 2864 wrote to memory of 2800	2864	DEMACC3.exe	35
PID 2864 wrote to memory of 2800	2864	DEMACC3.exe	35
PID 2864 wrote to memory of 2800	2864	DEMACC3.exe	35
PID 2800 wrote to memory of 2988	2800	DEM261.exe	37
PID 2800 wrote to memory of 2988	2800	DEM261.exe	37
PID 2800 wrote to memory of 2988	2800	DEM261.exe	37
PID 2800 wrote to memory of 2988	2800	DEM261.exe	37
PID 2988 wrote to memory of 2948	2988	DEM588C.exe	40
PID 2988 wrote to memory of 2948	2988	DEM588C.exe	40
PID 2988 wrote to memory of 2948	2988	DEM588C.exe	40
PID 2988 wrote to memory of 2948	2988	DEM588C.exe	40
PID 2948 wrote to memory of 2360	2948	DEMAE1A.exe	41
PID 2948 wrote to memory of 2360	2948	DEMAE1A.exe	41
PID 2948 wrote to memory of 2360	2948	DEMAE1A.exe	41
PID 2948 wrote to memory of 2360	2948	DEMAE1A.exe	41

C:\Users\Admin\AppData\Local\Temp\198421b2852793b18758617a2576fcfc.exe
"C:\Users\Admin\AppData\Local\Temp\198421b2852793b18758617a2576fcfc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\DEM56F6.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM56F6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\DEMACC3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMACC3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\DEM261.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM261.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\DEM588C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM588C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\DEMAE1A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAE1A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\DEM3C8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C8.exe"
        7⤵
        Executes dropped EXE
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM261.exe

Filesize
14KB

MD5
34cf7fba6d97020443365a591da4fafd

SHA1
580aa012f0bb21ee1301e92d3d8c482f006621dc

SHA256
a325054616cf50330c38750e72523e20080adb4b9d8dfd9c987d79eb9b63e001

SHA512
b9191cecf7feaadc7160712ba9794f3e5127170f5dbb766f0fc6a505039fd114e6a890c47646e0f0a972fdcc9610a8b77d57ceb87a5053871e8c0e6c98ca3480

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM56F6.exe

Filesize
14KB

MD5
3f70fe224f0e78ce880c53fe0087425d

SHA1
29932a26b08e55c3239b37cb41bdc50275dfcde1

SHA256
98b1f761c7d7d8085b66c836f5e3f2d4c361f2fb5bcdf47abd66c72e0790965e

SHA512
9d23e7c1b2ba0d79540a737d125a9fd989a7b520331e4c62563d08878a08c1427bae316d1ef0efbfd062bae64e97cb2789f220663fcc7eed8506b3483583bd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMACC3.exe

Filesize
14KB

MD5
1f3b5c5d018e3868631451582f2e7b58

SHA1
9bfbab8d72fededd916eacbe1a8b94879fbb578a

SHA256
ae0369c02f27145a691fec5707de1f0136f6602c37105d6093be135960030bb1

SHA512
8ad959880e4a131705e20257dc3f97bb71282a84aa3a4709df20a94525a89aaf7fb590edd12ee2bdef5529a99aa6ef133a035489b105fd3a821126ff823c2f6d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3C8.exe

Filesize
14KB

MD5
05fb4b2a70273958bd89e2badba22b56

SHA1
603b9d68f57e0b865c81ee979a9b3965767cf191

SHA256
17921619a82a0f9725d94a7cacf2f8a03d1b35cce88f5767cb2014bff9f79213

SHA512
532f32ca2fe11a01a7a8198423a752b56d65d88c0617306b09e83607ca7cdca44cd38f8b4b8034da2e4ab5f3418915e75491465a2e48e0ca852fa0ffec5c3cde

Download Submit
\Users\Admin\AppData\Local\Temp\DEM588C.exe

Filesize
14KB

MD5
98e19361537d26be38e5b299995d137e

SHA1
20c06498f6693eec001b77465cec18501829bd25

SHA256
adfca28a222aa92461cb71af547134e572db354de745c6cbb714f5598abbb5e8

SHA512
507bc3f03e5db9af5eda99b66feb253cf54ede828235343c000a6e7ca7885f509e67e34f7284a78021a40af13a64b09ba5fc2a3549a1d94b7c9ccdc7bcee87f8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAE1A.exe

Filesize
14KB

MD5
153ea5b147df98b544a65536fcc29263

SHA1
006c45c1732a00e042551e0b76f5e08092d5723c

SHA256
865287af647028e38d9b2ef24e8e2d4cb77c3375925c4ba5055245c8f54e56db

SHA512
791e723baace70d91afeb641abf173830b33abba5dcc61f16bb8681bf336922a175b3d358582ee0002cc722595e2040d54460eb8d76127078287d3efabb33044

Download Submit

Analysis

Sharing