2f9c1d9c805b36a1cf6e864e0696f7d07aabc6695e7182fe40875f9b5939014e

General

Target

12b61965d6ce078b95fca08a12076b48.exe
Size

16KB
MD5

12b61965d6ce078b95fca08a12076b48
SHA1

66de8451edcce58b9e9786292846d23cba870d34
SHA256

2f9c1d9c805b36a1cf6e864e0696f7d07aabc6695e7182fe40875f9b5939014e
SHA512

6d97c7405fd8614aa10580994d162ef0435a80c646581d8b44f1d39fb9a3104730222df9aa90a77822b0af9466494e619ec3f59343810c408e487ae950a0c339
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl1:hDXWipuE+K3/SSHgxml1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2804	DEM3459.exe
2668	DEM8B8D.exe
2928	DEME206.exe
1976	DEM37A4.exe
836	DEM8E1C.exe
2100	DEME485.exe

Loads dropped DLL 6 IoCs

pid	Process
1128	12b61965d6ce078b95fca08a12076b48.exe
2804	DEM3459.exe
2668	DEM8B8D.exe
2928	DEME206.exe
1976	DEM37A4.exe
836	DEM8E1C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2804	1128	12b61965d6ce078b95fca08a12076b48.exe	29
PID 1128 wrote to memory of 2804	1128	12b61965d6ce078b95fca08a12076b48.exe	29
PID 1128 wrote to memory of 2804	1128	12b61965d6ce078b95fca08a12076b48.exe	29
PID 1128 wrote to memory of 2804	1128	12b61965d6ce078b95fca08a12076b48.exe	29
PID 2804 wrote to memory of 2668	2804	DEM3459.exe	33
PID 2804 wrote to memory of 2668	2804	DEM3459.exe	33
PID 2804 wrote to memory of 2668	2804	DEM3459.exe	33
PID 2804 wrote to memory of 2668	2804	DEM3459.exe	33
PID 2668 wrote to memory of 2928	2668	DEM8B8D.exe	35
PID 2668 wrote to memory of 2928	2668	DEM8B8D.exe	35
PID 2668 wrote to memory of 2928	2668	DEM8B8D.exe	35
PID 2668 wrote to memory of 2928	2668	DEM8B8D.exe	35
PID 2928 wrote to memory of 1976	2928	DEME206.exe	38
PID 2928 wrote to memory of 1976	2928	DEME206.exe	38
PID 2928 wrote to memory of 1976	2928	DEME206.exe	38
PID 2928 wrote to memory of 1976	2928	DEME206.exe	38
PID 1976 wrote to memory of 836	1976	DEM37A4.exe	39
PID 1976 wrote to memory of 836	1976	DEM37A4.exe	39
PID 1976 wrote to memory of 836	1976	DEM37A4.exe	39
PID 1976 wrote to memory of 836	1976	DEM37A4.exe	39
PID 836 wrote to memory of 2100	836	DEM8E1C.exe	41
PID 836 wrote to memory of 2100	836	DEM8E1C.exe	41
PID 836 wrote to memory of 2100	836	DEM8E1C.exe	41
PID 836 wrote to memory of 2100	836	DEM8E1C.exe	41

C:\Users\Admin\AppData\Local\Temp\12b61965d6ce078b95fca08a12076b48.exe
"C:\Users\Admin\AppData\Local\Temp\12b61965d6ce078b95fca08a12076b48.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\DEM3459.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3459.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\DEM8B8D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8B8D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\DEME206.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME206.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Users\Admin\AppData\Local\Temp\DEM37A4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM37A4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\DEM8E1C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8E1C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\DEME485.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME485.exe"
        7⤵
        Executes dropped EXE
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8B8D.exe

Filesize
16KB

MD5
1269a0f4f261aaa3ed429f0d89294559

SHA1
5a23ec11ffb28c04110abe30bf69415b1d27c672

SHA256
752d9c0db9c02d7b66233a127cbf61d4fe5f1e3c45b0f69042d8eda5dc9a902f

SHA512
a8d983b01324c7a02489285b4b37ddac63704d8c9847e8f79416eedd6664210209f37a8e073b091b0b374646a36a52fd310add30ab8b1d2d40b4b044774681fb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3459.exe

Filesize
16KB

MD5
08a554be3dff46eac51b79071356a413

SHA1
2cb36d622d9db1cea5eead5bfd1d0ffb5b231a4a

SHA256
b3aeec2b97e3688e2ad53f685c60583f1a5f7a3640365a0a1f28b788cb449b6f

SHA512
f033f0cd87c2efa6f388adcbcb427e60e59c6391d00483e939b461347e0609ac5fb6af9a493333e9136a8c0c2c72064b18e2d711ae9a4a6099bad596b693e270

Download Submit
\Users\Admin\AppData\Local\Temp\DEM37A4.exe

Filesize
16KB

MD5
b171d69fda31a333c54bf15aa1c6e3b6

SHA1
b6adc01a1efc59cfef4f509b5d554d7053028b07

SHA256
28979493fc8866231fb1b9626c4c092544bdfc3d2e806d7706e47ee4cae3778e

SHA512
5e1fdb1320d6b34e2e515feb7610807a12223c2fbc12fbc8688b59c3c4805691e4fdc1a31383eb5b4563de4b5e3d02cb9621253bc66f355ee840c082d85b044b

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8E1C.exe

Filesize
16KB

MD5
fd344c3802c1b8288eff9e244ac46e78

SHA1
87916689c3bb7375af3bc3af2901bbef759b21e6

SHA256
4e0c8430e464528e0e2c8f867df0fb2237fe70ec32245535e78f96ab5bbcb990

SHA512
ce16344403a7d35b9b48faa25c49e17f3440fced59fc93dc564b4e138d3f92abfbd43e19809ddf4308ce297cbcc52c2480445c5a80d6194f09c7e3da2a112b2c

Download Submit
\Users\Admin\AppData\Local\Temp\DEME206.exe

Filesize
16KB

MD5
d8fba5955ec33644fda3b4e3740e416f

SHA1
6c8acf525235584be48a3d5b2c0b486b7eb49b81

SHA256
c8bca552f7268c2e905446d36a89e4051582009a45a7bfd19260b77cb061e2c1

SHA512
0960222628e02d312f0c620f4dae79219ac3f31e8cc834ca312b250441e3ef65b95e04ee89073f99746c724bc14cbfa7a7b2e8e5bd6ef3cb6307b5521f7282bc

Download Submit
\Users\Admin\AppData\Local\Temp\DEME485.exe

Filesize
16KB

MD5
21ac36a5d7071d811cadd6df1b083a2f

SHA1
05b94e2dbb68d526d65113b700e7ff1c7dadfb6a

SHA256
976db6e94bf802c7590df383d111366a14eea54f198c2e1f43e5597de1c387fe

SHA512
81fe3023731e44687a61c0f45bd08aa28477183cf442e603fd33dfcd118b6806b05db7cd3ce1e07e0cdcb05de619d8d36d66665ce0b62c85ecc4b1a2786f1235

Download Submit

Analysis

Sharing