a252276777ce3da28394e806bea4d30056d89c20b13e6d50b03ca97bb5ab9a2d

General

Target

12726f5e979504c1990586eea19d3229.exe
Size

14KB
MD5

12726f5e979504c1990586eea19d3229
SHA1

23e72fa0d8edbf946013b0261af9f0a4226ba576
SHA256

a252276777ce3da28394e806bea4d30056d89c20b13e6d50b03ca97bb5ab9a2d
SHA512

4904837268e5831b3c9b3c25f89e64c3e276957b85e94e3886bc58a03e0c38fa46b54a3cc80e2fbd37affc680ea2b73576dadf4f959a71dabed4f58099895d39
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYx:hDXWipuE+K3/SSHgxmx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2196	DEM4EDB.exe
2740	DEMA4C7.exe
2504	DEMFAC3.exe
1044	DEM5013.exe
2184	DEMA65D.exe
2560	DEMFB9E.exe

Loads dropped DLL 6 IoCs

pid	Process
2544	12726f5e979504c1990586eea19d3229.exe
2196	DEM4EDB.exe
2740	DEMA4C7.exe
2504	DEMFAC3.exe
1044	DEM5013.exe
2184	DEMA65D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2196	2544	12726f5e979504c1990586eea19d3229.exe	29
PID 2544 wrote to memory of 2196	2544	12726f5e979504c1990586eea19d3229.exe	29
PID 2544 wrote to memory of 2196	2544	12726f5e979504c1990586eea19d3229.exe	29
PID 2544 wrote to memory of 2196	2544	12726f5e979504c1990586eea19d3229.exe	29
PID 2196 wrote to memory of 2740	2196	DEM4EDB.exe	33
PID 2196 wrote to memory of 2740	2196	DEM4EDB.exe	33
PID 2196 wrote to memory of 2740	2196	DEM4EDB.exe	33
PID 2196 wrote to memory of 2740	2196	DEM4EDB.exe	33
PID 2740 wrote to memory of 2504	2740	DEMA4C7.exe	35
PID 2740 wrote to memory of 2504	2740	DEMA4C7.exe	35
PID 2740 wrote to memory of 2504	2740	DEMA4C7.exe	35
PID 2740 wrote to memory of 2504	2740	DEMA4C7.exe	35
PID 2504 wrote to memory of 1044	2504	DEMFAC3.exe	37
PID 2504 wrote to memory of 1044	2504	DEMFAC3.exe	37
PID 2504 wrote to memory of 1044	2504	DEMFAC3.exe	37
PID 2504 wrote to memory of 1044	2504	DEMFAC3.exe	37
PID 1044 wrote to memory of 2184	1044	DEM5013.exe	39
PID 1044 wrote to memory of 2184	1044	DEM5013.exe	39
PID 1044 wrote to memory of 2184	1044	DEM5013.exe	39
PID 1044 wrote to memory of 2184	1044	DEM5013.exe	39
PID 2184 wrote to memory of 2560	2184	DEMA65D.exe	41
PID 2184 wrote to memory of 2560	2184	DEMA65D.exe	41
PID 2184 wrote to memory of 2560	2184	DEMA65D.exe	41
PID 2184 wrote to memory of 2560	2184	DEMA65D.exe	41

C:\Users\Admin\AppData\Local\Temp\12726f5e979504c1990586eea19d3229.exe
"C:\Users\Admin\AppData\Local\Temp\12726f5e979504c1990586eea19d3229.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\DEM4EDB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM4EDB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\DEMA4C7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMA4C7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\DEMFAC3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMFAC3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\DEM5013.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5013.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Users\Admin\AppData\Local\Temp\DEMA65D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA65D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\DEMFB9E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFB9E.exe"
        7⤵
        Executes dropped EXE
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5013.exe

Filesize
14KB

MD5
c41780cd0b1ca0a17ce5f707f538d355

SHA1
a116a9dc2c96ce13671e35759a53416befbb359e

SHA256
bb0d866261e696978467a1b2a6884dbcdd3169f6138991e59d77286687d6b3ed

SHA512
5b7efc5f5c3a52c0885dbf9d2e2f6126a7c885e4eb13069118f5c66a87aa2919e52c4c371f4b3356aa712f579ecc25ec2041870da0fe293e49b4b9b00543eb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA4C7.exe

Filesize
14KB

MD5
745561e8741001efb43c4e13d5b2c0a6

SHA1
ca198b030cefbfe6edee4909405e73d27859787a

SHA256
90a1c252d5828410c8388da012628f1cebc4fdc7ff012b5688a5e6495c8b2e1f

SHA512
236acd4e3ecfcc36497c34cb83da8f02806ff5cf5021f6ff500e70b2f939e8e43100ac80b86bbf322d204e49318fde4349228e59023b93b37b2d4200774fe2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFAC3.exe

Filesize
14KB

MD5
fcc740514880efac9872580e4d78f8ae

SHA1
81f11d1aaf232bb2623c5ed5e2f389abefc7ba80

SHA256
ec1b81ebe6b61348673e6706b7812add614155fd957ff316c255c2e69a4496e1

SHA512
5ba727101faefd7b0dc76e01a8a326534f54f7de0605e417bcbc8b5e2f9bbb77b6a7b3eaaaed98fe105058c02e1d3987e951a2a30fee4487e229d0aef66d4684

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4EDB.exe

Filesize
14KB

MD5
9d3c2f592aa0a2762607e05a8a0fabd8

SHA1
a6dd838d411c2b8c2b310dcbf1d4ed9d2780235d

SHA256
aa34b84939bdd2a0cfb5a532ddeb1da9a396fde26dfb81052fcda59661633a32

SHA512
de423f4c0b570503ec01f2b0432fa79a5ca5ccc7a8b7d9cba6a395c6b5c491612165e617cf0e389f41cbe9af376498b5f3d2e4074ae57b8377c26a04aadd01c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMA65D.exe

Filesize
14KB

MD5
33bbb9162720807759758e033f590b47

SHA1
bdbeec10975147636901f8540b12e4e0918a706e

SHA256
a02fc00fbb73300a737b542f664cccf771c2d85dfb717765b50458e97e4612dd

SHA512
2a7a096ba7eb1b214b00e7c64df008fd13dc61933a0a5218d70642f6528497a91f14c8c8f47f5c779bf2219b335b35638494f7c9e83d5dcee2de9b9219eb1985

Download Submit
\Users\Admin\AppData\Local\Temp\DEMFB9E.exe

Filesize
14KB

MD5
1435aef6532d1359de63f72d857b01d5

SHA1
07a08f232c421643bb24f46cf71f4469bfe16ef4

SHA256
e2e84adf59c94d270985a16e2bab36245bf03a3f508c08e062d54db0aba18d5e

SHA512
6aac3da719bb9c4a0cffbab8a619f41f4487efa330e611916a497e20524da6810d3985471cdd4a5b5fc6ed898418429f5a9fddbde24b7cfc2354093cb1203181

Download Submit

Analysis

Sharing