32e48000a974465250eaeab8c1a7535283e5ebc2733be99c8717e7f431498298

General

Target

11b0a1ed175564ebb712f8d5d45eec5c.exe
Size

15KB
MD5

11b0a1ed175564ebb712f8d5d45eec5c
SHA1

fa6570173fe649a99569dfc1ef8b25cb59f72c27
SHA256

32e48000a974465250eaeab8c1a7535283e5ebc2733be99c8717e7f431498298
SHA512

10b199d0c9b04e1eadba59d350754a9eb4a781f4dff6bf61fad0402b1b6923a9d1504ed22f0aa888583ca768f5a59f91bc297e102ea823053e8596a129c0c33e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYY:hDXWipuE+K3/SSHgxmY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2836	DEM3CC2.exe
2432	DEM92BE.exe
2132	DEME8AA.exe
2992	DEM3E29.exe
3016	DEM9434.exe
844	DEME984.exe

Loads dropped DLL 6 IoCs

pid	Process
2420	11b0a1ed175564ebb712f8d5d45eec5c.exe
2836	DEM3CC2.exe
2432	DEM92BE.exe
2132	DEME8AA.exe
2992	DEM3E29.exe
3016	DEM9434.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2836	2420	11b0a1ed175564ebb712f8d5d45eec5c.exe	29
PID 2420 wrote to memory of 2836	2420	11b0a1ed175564ebb712f8d5d45eec5c.exe	29
PID 2420 wrote to memory of 2836	2420	11b0a1ed175564ebb712f8d5d45eec5c.exe	29
PID 2420 wrote to memory of 2836	2420	11b0a1ed175564ebb712f8d5d45eec5c.exe	29
PID 2836 wrote to memory of 2432	2836	DEM3CC2.exe	34
PID 2836 wrote to memory of 2432	2836	DEM3CC2.exe	34
PID 2836 wrote to memory of 2432	2836	DEM3CC2.exe	34
PID 2836 wrote to memory of 2432	2836	DEM3CC2.exe	34
PID 2432 wrote to memory of 2132	2432	DEM92BE.exe	35
PID 2432 wrote to memory of 2132	2432	DEM92BE.exe	35
PID 2432 wrote to memory of 2132	2432	DEM92BE.exe	35
PID 2432 wrote to memory of 2132	2432	DEM92BE.exe	35
PID 2132 wrote to memory of 2992	2132	DEME8AA.exe	37
PID 2132 wrote to memory of 2992	2132	DEME8AA.exe	37
PID 2132 wrote to memory of 2992	2132	DEME8AA.exe	37
PID 2132 wrote to memory of 2992	2132	DEME8AA.exe	37
PID 2992 wrote to memory of 3016	2992	DEM3E29.exe	40
PID 2992 wrote to memory of 3016	2992	DEM3E29.exe	40
PID 2992 wrote to memory of 3016	2992	DEM3E29.exe	40
PID 2992 wrote to memory of 3016	2992	DEM3E29.exe	40
PID 3016 wrote to memory of 844	3016	DEM9434.exe	41
PID 3016 wrote to memory of 844	3016	DEM9434.exe	41
PID 3016 wrote to memory of 844	3016	DEM9434.exe	41
PID 3016 wrote to memory of 844	3016	DEM9434.exe	41

C:\Users\Admin\AppData\Local\Temp\11b0a1ed175564ebb712f8d5d45eec5c.exe
"C:\Users\Admin\AppData\Local\Temp\11b0a1ed175564ebb712f8d5d45eec5c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\DEM3CC2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3CC2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\DEM92BE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM92BE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\DEME8AA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME8AA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\DEM3E29.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3E29.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\DEM9434.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9434.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\DEME984.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME984.exe"
        7⤵
        Executes dropped EXE
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM92BE.exe

Filesize
15KB

MD5
0099b18d862efe3791525050336d2e08

SHA1
fc9af9be13388ad3ece05d76ed4953cce6b3d0cb

SHA256
269fe9e4354469a5eba818f44315dceec67b84a83d5e16d65fea5b1a7f1574b0

SHA512
57d5ba1f47c6192b2f1d7f49fbc9d688d503e156af19022c1c13fea7c054276e92f9261b6c8913ee1d62354284782d892b268031dfee986e9820ea4788641cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9434.exe

Filesize
15KB

MD5
b450bfc6d62fdf8eb1ef1df56f2aafb0

SHA1
30b9228b348eab48788d61e2660d433dd67d240b

SHA256
15e5aae5720364294a923794ce2060cb79bbfdc6337ecbe1343f09490b2bb16c

SHA512
ec90663e4724c53c7dffafdc42f088f3dfb7a81a1bc3395b75670f33cbc2a96dfd5e3747980d368178be8a7dd99c3c75e56ccd0838ee77eaf5b18bd48d8746aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME8AA.exe

Filesize
15KB

MD5
a15a70840e598557691cd2724381246c

SHA1
897718dbb19686d34dc3eb6410dee2b231196834

SHA256
4a84375cd6c20a6a454555cee3aba905a1851eff9dbe29f39042804f39ffc049

SHA512
f3bfcecbc9cbba57d1dcd7c1ba7a6b7c30c30e213f235e9523f83a8e6f3b6eec2a7383e48a54dcef9f5ea1fcc06fac2ebe2a0d072cbaf0bd522058d61684eb09

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3CC2.exe

Filesize
15KB

MD5
860a2381afd08b2fe91ca3cdc343f58a

SHA1
2d2b8bbf4fbbcd6b55e83721b55ea436585881d0

SHA256
2af058b2278970b5d5f62f41b318b2737be7b01fd6943f58d0c2b3ec425afff7

SHA512
399ae517988e992c1eacdd87d12bff33464d6e16d2209c98e785371ac5957833c5872b74aaacb67a49a072a6ad163ff6aa32f443c1392b829e9ba53d56526a07

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3E29.exe

Filesize
15KB

MD5
190925f75bb951045e3cdf48d48c4e18

SHA1
08d59d057aae45432a7bfbb50dd81521edb983bc

SHA256
201fed0d006418bcd87b0a23905868ec250bde40ae6c242a80f32d1b78da35ca

SHA512
fc8677ff300a56a35b7bd42a7dfe65472d1bbd6b520cecd03439a77a7c15442062e35356a8a1187d2d11821270ba3ddfe5c106ced1dd81e83290db464c0719ed

Download Submit
\Users\Admin\AppData\Local\Temp\DEME984.exe

Filesize
15KB

MD5
e767db7068fbf70d29d83a89066031c9

SHA1
120ae15a8eba85e31b78b367747f3e6c50c6bab6

SHA256
fc1ff702a4ea488cd52ea061edb0e4e7a9bfbd9ee16ed98b78772b658409eb33

SHA512
13d12a8c88c05f5b47b57b0d505d4ec003bcbf57dcaeb0d1ea66de7f243326b7e9c1f408a4069333115e46cef497d3d8a24992b83533807e9365565cd42cee64

Download Submit

Analysis

Sharing