2f0b4ddd3129b0a3f311dc17f26f357d55774be4698f8d343dceb4dbda1dd104

General

Target

1505240b15d33ac38ae105c946ef9779.exe
Size

15KB
MD5

1505240b15d33ac38ae105c946ef9779
SHA1

875a637f68acd73cde080872766e8dc4a8b3b9d1
SHA256

2f0b4ddd3129b0a3f311dc17f26f357d55774be4698f8d343dceb4dbda1dd104
SHA512

25abaed2d393b136800d0746c72cfac2ccf231c73db609883f69bcc824ead7a805709bc0f53493dccfeb1ac1c2f135d1979276733fa5bdf011a77bab5266b2d6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcE:hDXWipuE+K3/SSHgxmkE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2800	DEM92AE.exe
2592	DEME9A4.exe
1924	DEM40A8.exe
1440	DEM9750.exe
2276	DEMED2C.exe
1748	DEM4412.exe

Loads dropped DLL 6 IoCs

pid	Process
2912	1505240b15d33ac38ae105c946ef9779.exe
2800	DEM92AE.exe
2592	DEME9A4.exe
1924	DEM40A8.exe
1440	DEM9750.exe
2276	DEMED2C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2800	2912	1505240b15d33ac38ae105c946ef9779.exe	31
PID 2912 wrote to memory of 2800	2912	1505240b15d33ac38ae105c946ef9779.exe	31
PID 2912 wrote to memory of 2800	2912	1505240b15d33ac38ae105c946ef9779.exe	31
PID 2912 wrote to memory of 2800	2912	1505240b15d33ac38ae105c946ef9779.exe	31
PID 2800 wrote to memory of 2592	2800	DEM92AE.exe	33
PID 2800 wrote to memory of 2592	2800	DEM92AE.exe	33
PID 2800 wrote to memory of 2592	2800	DEM92AE.exe	33
PID 2800 wrote to memory of 2592	2800	DEM92AE.exe	33
PID 2592 wrote to memory of 1924	2592	DEME9A4.exe	35
PID 2592 wrote to memory of 1924	2592	DEME9A4.exe	35
PID 2592 wrote to memory of 1924	2592	DEME9A4.exe	35
PID 2592 wrote to memory of 1924	2592	DEME9A4.exe	35
PID 1924 wrote to memory of 1440	1924	DEM40A8.exe	37
PID 1924 wrote to memory of 1440	1924	DEM40A8.exe	37
PID 1924 wrote to memory of 1440	1924	DEM40A8.exe	37
PID 1924 wrote to memory of 1440	1924	DEM40A8.exe	37
PID 1440 wrote to memory of 2276	1440	DEM9750.exe	39
PID 1440 wrote to memory of 2276	1440	DEM9750.exe	39
PID 1440 wrote to memory of 2276	1440	DEM9750.exe	39
PID 1440 wrote to memory of 2276	1440	DEM9750.exe	39
PID 2276 wrote to memory of 1748	2276	DEMED2C.exe	41
PID 2276 wrote to memory of 1748	2276	DEMED2C.exe	41
PID 2276 wrote to memory of 1748	2276	DEMED2C.exe	41
PID 2276 wrote to memory of 1748	2276	DEMED2C.exe	41

C:\Users\Admin\AppData\Local\Temp\1505240b15d33ac38ae105c946ef9779.exe
"C:\Users\Admin\AppData\Local\Temp\1505240b15d33ac38ae105c946ef9779.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\DEM92AE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM92AE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe
    "C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\DEM40A8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM40A8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\DEM9750.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9750.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Users\Admin\AppData\Local\Temp\DEMED2C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMED2C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\DEM4412.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4412.exe"
        7⤵
        Executes dropped EXE
        
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEME9A4.exe

Filesize
15KB

MD5
d5ff832e16d66eb0283f75d2a974b317

SHA1
d2cadf5c52bf51a5c705a4c29ca2f97b7b3e49ff

SHA256
e25961494a9f374cd73a7ffd6b68a6a003ba3fdb18219dac15bcad201a766775

SHA512
7015b17cb28d6a92a28aafebb7be43902e8f79d1f5e32bd3398d306a6a6928d8f361efe84c546e697e94e5a65067140226a0ce1b1302ce6d15f97e637783a47c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM40A8.exe

Filesize
15KB

MD5
ad2c614145980ecdcc89eb7a3402ec7b

SHA1
4374df46b6e63a48ea92519f8ddff42be042209a

SHA256
77fa5de5c003e791a45430b1e081beb547ea9993fcff87ebcb6ae7c98b0e283e

SHA512
9e3eadda6d8adac07c1f0ce9ec952caa0cce2529229b5919be672de49a23c03467e5d38f2e606d6be0cea66c5c72da5a75c55308246b09e620856346f549ce68

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4412.exe

Filesize
15KB

MD5
bf1c3e768d44079a7ed0a518110b3234

SHA1
20ff095473a15be4567e87287666eaa6a2d6dde7

SHA256
a27b014aab86d7928f84c17b9b70e13d7e5165dc6d87123ea8e71bef98618d38

SHA512
3c1add713d49368c22479e54a91943f09421a7a2bce1f678dbf2d64453e179e49d19c069d2e7fcb004fe392d5121b9163cc52dd2822c564e007f1d8b31d95257

Download Submit
\Users\Admin\AppData\Local\Temp\DEM92AE.exe

Filesize
15KB

MD5
8e1bd73d75da44e1efef0378ce5a846b

SHA1
c3ae198ffaaa001e7203bb70d0b74efc589cb83f

SHA256
4b5efa7f6f2be1fd31ce5962cede33646888b2916543fa16ca03015c937a7574

SHA512
1cf2b8d57f704f7c6eb6e93145d1aa05369e08292ed8487a7ea3428f146a9c2b8e246b00749e94e0fd58c46f178fe38e6a5785c0a768945d6d267aae3d4a991a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9750.exe

Filesize
15KB

MD5
463268ba5e6e0fdfd8f5c8a0afc3238e

SHA1
b8cf700488a76524f7042e56373dbfe7e0c428f5

SHA256
364b9b64832ea08b97fb633819de5be966e2b6521a806073c53729e6abc56f75

SHA512
1766280632d403f3b11f914513b98b1f81849f033ce1ee637e1b37c838589ab4f79d632c4d04d130b8c8b7f71bbc6069313fce988c5e992afd856a2da473c90c

Download Submit
\Users\Admin\AppData\Local\Temp\DEMED2C.exe

Filesize
15KB

MD5
39cbeecaebfb3f14b365d3a1234fd513

SHA1
d63ff9f2c5cf71f7bcfe6bd685cd34bc5209d4c3

SHA256
4c5ca6c2956bfb9339cdfe40000599ac0de7ee145700610bd580e1af6ce9553a

SHA512
93dfbe01d9aafda3452fa16f8c6cb910c7de0c6122eb117dece570d05225df333b35752a6c30e278079532580711a2130523daab4847738e5bf9bc9eb040e81b

Download Submit

Analysis

Sharing