a129ec1c3dec18557967b4e69fefb7d55a12a65ebac2b79b94dfb56f4d23a4d5

General

Target

17060da238ae60ba0abd4c79fab1a49a.exe
Size

14KB
MD5

17060da238ae60ba0abd4c79fab1a49a
SHA1

382576075e0f63b380385121843a504c69fa927e
SHA256

a129ec1c3dec18557967b4e69fefb7d55a12a65ebac2b79b94dfb56f4d23a4d5
SHA512

edb426e7782671c911e99a6c72462069717269be45cb5abf8ff7e0cc3260b772eb3d746e33ec38c1b71a84fb58313b4f9fe5541eb2732a36b690b62ef433366b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhvFBP:hDXWipuE+K3/SSHgxlFBP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2640	DEM1D7F.exe
2664	DEM732D.exe
2636	DEMC83F.exe
1616	DEM1D60.exe
2896	DEM7272.exe
764	DEMC7D1.exe

Loads dropped DLL 6 IoCs

pid	Process
1708	17060da238ae60ba0abd4c79fab1a49a.exe
2640	DEM1D7F.exe
2664	DEM732D.exe
2636	DEMC83F.exe
1616	DEM1D60.exe
2896	DEM7272.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2640	1708	17060da238ae60ba0abd4c79fab1a49a.exe	29
PID 1708 wrote to memory of 2640	1708	17060da238ae60ba0abd4c79fab1a49a.exe	29
PID 1708 wrote to memory of 2640	1708	17060da238ae60ba0abd4c79fab1a49a.exe	29
PID 1708 wrote to memory of 2640	1708	17060da238ae60ba0abd4c79fab1a49a.exe	29
PID 2640 wrote to memory of 2664	2640	DEM1D7F.exe	31
PID 2640 wrote to memory of 2664	2640	DEM1D7F.exe	31
PID 2640 wrote to memory of 2664	2640	DEM1D7F.exe	31
PID 2640 wrote to memory of 2664	2640	DEM1D7F.exe	31
PID 2664 wrote to memory of 2636	2664	DEM732D.exe	35
PID 2664 wrote to memory of 2636	2664	DEM732D.exe	35
PID 2664 wrote to memory of 2636	2664	DEM732D.exe	35
PID 2664 wrote to memory of 2636	2664	DEM732D.exe	35
PID 2636 wrote to memory of 1616	2636	DEMC83F.exe	37
PID 2636 wrote to memory of 1616	2636	DEMC83F.exe	37
PID 2636 wrote to memory of 1616	2636	DEMC83F.exe	37
PID 2636 wrote to memory of 1616	2636	DEMC83F.exe	37
PID 1616 wrote to memory of 2896	1616	DEM1D60.exe	39
PID 1616 wrote to memory of 2896	1616	DEM1D60.exe	39
PID 1616 wrote to memory of 2896	1616	DEM1D60.exe	39
PID 1616 wrote to memory of 2896	1616	DEM1D60.exe	39
PID 2896 wrote to memory of 764	2896	DEM7272.exe	41
PID 2896 wrote to memory of 764	2896	DEM7272.exe	41
PID 2896 wrote to memory of 764	2896	DEM7272.exe	41
PID 2896 wrote to memory of 764	2896	DEM7272.exe	41

C:\Users\Admin\AppData\Local\Temp\17060da238ae60ba0abd4c79fab1a49a.exe
"C:\Users\Admin\AppData\Local\Temp\17060da238ae60ba0abd4c79fab1a49a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\DEM1D7F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1D7F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\DEM732D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM732D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\DEMC83F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC83F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\DEM1D60.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1D60.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\DEM7272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7272.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\DEMC7D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC7D1.exe"
        7⤵
        Executes dropped EXE
        
        PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1D7F.exe

Filesize
14KB

MD5
41696077fc88bad3450a54776f2e23ee

SHA1
779bf9d41a7af0f8226c05e917b5a1672f16dcbf

SHA256
f6877d9a38a4b7fc0a6eee3f448b1faf1033b0ea1d13a42d53a7157f8e32c461

SHA512
bb72ed384de815e80200cfee01657751ec01b0c2db6300ea9ff02b6823815e854f2e61966e854376fac70d33294f4ace3f8ed900e69629fa8aee535cf2faf5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM732D.exe

Filesize
14KB

MD5
6a4a5478d1287e050d3d8107961f9b0f

SHA1
c6a87776e12be1b3612d359624913b78122012ea

SHA256
19bb5180f6319629ad0ba51d6e0d6f45cba93d0d5d7d363cd44f7bbc9295a452

SHA512
ae7c235084a738def982e0495c40e10b2c3f4034b6c3605214d8c6de9a59857efad281e1e37ed0193b18f2f94006dc6205ec67c900f4d762c515cc83276eb92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC7D1.exe

Filesize
14KB

MD5
63315678d9181eaea65f8ddc635951d5

SHA1
d8555dfec3ae6ae857afdee9d0cce1cda575fe9b

SHA256
ece7dc3d55e296d6bf15a29ea0b12d9af0df32a0326e7b3c5a16d59d33c57a0a

SHA512
0091a3ca1d9948ad4897ea2491764c57a4d0cc7de7dd04d448185cc8b7ae95a4dd73a92dd7aff94915283d360fe54b2ca4555e03dd2fbe232a269968ebd01856

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1D60.exe

Filesize
14KB

MD5
c1a44d1a1c488980d0ef013b83fc0b42

SHA1
6bc4fecfd88c5fdb8adb42bd658ee83aa70b7c7c

SHA256
47a3e1fe0826652fcc8dbbe0e39b3c9567c394b547c217699fa9a381bf18e3c0

SHA512
f5a037969b2eadd8c5fb56e13bbf88b9bcbc9069b9fa02eb3218fa4489c72af6a842197c2e584f990e8376c2c22c138b5d0483d363b0b3e7a3f853aeb60030fe

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7272.exe

Filesize
14KB

MD5
5f6c1d7f01d0699fc5493f7d48dbac60

SHA1
9e1d8bdba3eff5dede52dbfa47bff31ea6b15a38

SHA256
d893946444f9a06366f3a502bbbaebb05abd34d4f85e1e208cb3e13aa483ae84

SHA512
d19da93b7da6f779bd5edf8e638f44c92efe64257e63a660a6a98971e63fc816170a3bfc2f785a83f530abd781bc5c077c5cbdeb5ed2bed828379a54cf821bd2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC83F.exe

Filesize
14KB

MD5
2448b20ebf9d04c312221b4c5192af0d

SHA1
33ace46d896109fb79605cbd1df103cc3cdba645

SHA256
7ae6fa3267b6645071afc1b3bbf1f4a6ce908c6ef8d634f83dc34244afde3e27

SHA512
58771ebb05680d1346e8a7b4bc25536c82cd63ceb3a8000b62e6fab1f791140baaf405c4a841b687095397331dcfd039a6fe74a9d13fcc65ccf193f761f5cee8

Download Submit

Analysis

Sharing