e9d6d940ea9eb9d44accbecc9de6b28bf71fb1583b72f1627987c76c50186475

General

Target

1270129e048044cc8559fe9a415ef3d6.exe
Size

14KB
MD5

1270129e048044cc8559fe9a415ef3d6
SHA1

f778d1454743f681de39a8117f2c2fc17b140731
SHA256

e9d6d940ea9eb9d44accbecc9de6b28bf71fb1583b72f1627987c76c50186475
SHA512

e3eaa0de8e4453da3684888b392fd3fc90460d80f7d5b52b1cc8b1e4c1042d6aa61e6910cbbfd9c935902d97bd7cd97944999026298e4e8667692e24944356ae
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cz2:hDXWipuE+K3/SSHgx72

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2680	DEM907D.exe
2480	DEME6D6.exe
568	DEM3CE1.exe
1948	DEM92BE.exe
944	DEME8F8.exe
2304	DEM3EB5.exe

Loads dropped DLL 6 IoCs

pid	Process
812	1270129e048044cc8559fe9a415ef3d6.exe
2680	DEM907D.exe
2480	DEME6D6.exe
568	DEM3CE1.exe
1948	DEM92BE.exe
944	DEME8F8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2680	812	1270129e048044cc8559fe9a415ef3d6.exe	31
PID 812 wrote to memory of 2680	812	1270129e048044cc8559fe9a415ef3d6.exe	31
PID 812 wrote to memory of 2680	812	1270129e048044cc8559fe9a415ef3d6.exe	31
PID 812 wrote to memory of 2680	812	1270129e048044cc8559fe9a415ef3d6.exe	31
PID 2680 wrote to memory of 2480	2680	DEM907D.exe	33
PID 2680 wrote to memory of 2480	2680	DEM907D.exe	33
PID 2680 wrote to memory of 2480	2680	DEM907D.exe	33
PID 2680 wrote to memory of 2480	2680	DEM907D.exe	33
PID 2480 wrote to memory of 568	2480	DEME6D6.exe	35
PID 2480 wrote to memory of 568	2480	DEME6D6.exe	35
PID 2480 wrote to memory of 568	2480	DEME6D6.exe	35
PID 2480 wrote to memory of 568	2480	DEME6D6.exe	35
PID 568 wrote to memory of 1948	568	DEM3CE1.exe	37
PID 568 wrote to memory of 1948	568	DEM3CE1.exe	37
PID 568 wrote to memory of 1948	568	DEM3CE1.exe	37
PID 568 wrote to memory of 1948	568	DEM3CE1.exe	37
PID 1948 wrote to memory of 944	1948	DEM92BE.exe	39
PID 1948 wrote to memory of 944	1948	DEM92BE.exe	39
PID 1948 wrote to memory of 944	1948	DEM92BE.exe	39
PID 1948 wrote to memory of 944	1948	DEM92BE.exe	39
PID 944 wrote to memory of 2304	944	DEME8F8.exe	41
PID 944 wrote to memory of 2304	944	DEME8F8.exe	41
PID 944 wrote to memory of 2304	944	DEME8F8.exe	41
PID 944 wrote to memory of 2304	944	DEME8F8.exe	41

C:\Users\Admin\AppData\Local\Temp\1270129e048044cc8559fe9a415ef3d6.exe
"C:\Users\Admin\AppData\Local\Temp\1270129e048044cc8559fe9a415ef3d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\Temp\DEM907D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM907D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\DEME6D6.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME6D6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\DEM3CE1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3CE1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Users\Admin\AppData\Local\Temp\DEM92BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM92BE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\DEME8F8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME8F8.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\DEM3EB5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3EB5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM3EB5.exe

Filesize
14KB

MD5
3e3afd74bb22d10262baf13e7ad24d62

SHA1
0640b8de22135447aa981edca22cad1c9541cbb1

SHA256
62bc565d0763fb6594bb39f3b2fe8eb55181acd52d700eaaee7649d31584c935

SHA512
753d3ccbfedb8c310b819a7d547d2f8bbe0c875593c03ee08b8d435e2bbf5ea7c927e35fe9413d36da31e985b227bde66ab11823ab59ff6c0ea60e95e76b593e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME6D6.exe

Filesize
14KB

MD5
9d7c1f55a13ddbbbc870880481751893

SHA1
1718034925e4bc4c9e4655ef4f45c6e06705b3cd

SHA256
d670354d11401ffad634a6d6aa4d90a631d95bb5a86d99b0ab23a71e83435dfe

SHA512
2d6cb850e0c18f116584de4e1abeec4ad586fe6702fe6230daa67cf34f97ade439cbb8202573f5fc444598abe69454b84e492e6e431ab29cbb5c89a8b8f2ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEME8F8.exe

Filesize
14KB

MD5
55de5d020abde6fd387303b6899c2411

SHA1
b655972a86361646b02ddbef702e078d5e6acdaa

SHA256
75869541f05be5d9b8e629b5175c4f08faaa849e928cc0aafd75085397c84fd4

SHA512
17849032e048b778c4364a40dd6e4b3a8e49af1ec4b35e9208d320424645c8ba1dea8d30e891c4d25475ea4d009e9a6f002c0d818eff75b9f9a30c8f0e626f09

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3CE1.exe

Filesize
14KB

MD5
a5717082c4ab0175a04366bdb4c9fed6

SHA1
ffc5b10e67f04a6c4bdb59351f5bf129d56c68c3

SHA256
ac01645d6e532939b38b53424c99ec056eae4ee3c6e26f91b36641fb112afc90

SHA512
12c216a10a6b462c79c8ed9347554ea6bdf6381447d76340b02ee7f9dcdc04efbace0227a736dee136e77617064e110d531507cc4f5552cc4452071649f1ca59

Download Submit
\Users\Admin\AppData\Local\Temp\DEM907D.exe

Filesize
14KB

MD5
dd04e3f073a7ee33a4070737812d3753

SHA1
9b13bfe29eacbe9ae6501a18aff9235ef547cc2e

SHA256
25f3b0d981839f7abc797c2d1604096eed5d72cfb047a28ad37581b8ac5be833

SHA512
0361af29ecfa96cc64e1d875fd3698dbb507160b6f06f5a97ca6003f34d9065798466d3368e30262743c4f3fcdd7636c80f08896d6625751c70adc2b0efa9d03

Download Submit
\Users\Admin\AppData\Local\Temp\DEM92BE.exe

Filesize
14KB

MD5
ac3f7a3c2f5b5be10da710b1a84ec43c

SHA1
45a85ec44358e9ddb68b8e0024f5e96f7315b193

SHA256
8635aae3f3122d9f8e4718e501d0d5ceb96ee51fb157bc546e22d696b44f109f

SHA512
1b187251f4396f010990ea8c45479ef1377723749d754a6313fd074644cd2c4e334c4c3291ab5ebf43374c5490ea5e6ed759f24b886e4717f7804401b4017c61

Download Submit

Analysis

Sharing