a2357b344bf5ca54369001b83c4341e56743d0f2a3db8feb08352a24b7f8737b

General

Target

1783155230fbf8f98fe180e34002ee3e.exe
Size

15KB
MD5

1783155230fbf8f98fe180e34002ee3e
SHA1

0374d9aaa1f584e9d14c2c054b37826b8f384d04
SHA256

a2357b344bf5ca54369001b83c4341e56743d0f2a3db8feb08352a24b7f8737b
SHA512

4c2d50ef5f0172b67b6c45c0471f085c703a4eb8b08557c3c7e7b241818487eba12bf391194c7162fbf9cf874adc2fadbad892bdbbc5fd05bcad059fddc9e50a
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvC8f:hDXWipuE+K3/SSHgxma8f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1072	DEM8768.exe
2764	DEMDCD7.exe
2036	DEM3228.exe
468	DEM8787.exe
1580	DEMDCE7.exe
1864	DEM3247.exe

Loads dropped DLL 6 IoCs

pid	Process
1984	1783155230fbf8f98fe180e34002ee3e.exe
1072	DEM8768.exe
2764	DEMDCD7.exe
2036	DEM3228.exe
468	DEM8787.exe
1580	DEMDCE7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1072	1984	1783155230fbf8f98fe180e34002ee3e.exe	32
PID 1984 wrote to memory of 1072	1984	1783155230fbf8f98fe180e34002ee3e.exe	32
PID 1984 wrote to memory of 1072	1984	1783155230fbf8f98fe180e34002ee3e.exe	32
PID 1984 wrote to memory of 1072	1984	1783155230fbf8f98fe180e34002ee3e.exe	32
PID 1072 wrote to memory of 2764	1072	DEM8768.exe	34
PID 1072 wrote to memory of 2764	1072	DEM8768.exe	34
PID 1072 wrote to memory of 2764	1072	DEM8768.exe	34
PID 1072 wrote to memory of 2764	1072	DEM8768.exe	34
PID 2764 wrote to memory of 2036	2764	DEMDCD7.exe	35
PID 2764 wrote to memory of 2036	2764	DEMDCD7.exe	35
PID 2764 wrote to memory of 2036	2764	DEMDCD7.exe	35
PID 2764 wrote to memory of 2036	2764	DEMDCD7.exe	35
PID 2036 wrote to memory of 468	2036	DEM3228.exe	37
PID 2036 wrote to memory of 468	2036	DEM3228.exe	37
PID 2036 wrote to memory of 468	2036	DEM3228.exe	37
PID 2036 wrote to memory of 468	2036	DEM3228.exe	37
PID 468 wrote to memory of 1580	468	DEM8787.exe	39
PID 468 wrote to memory of 1580	468	DEM8787.exe	39
PID 468 wrote to memory of 1580	468	DEM8787.exe	39
PID 468 wrote to memory of 1580	468	DEM8787.exe	39
PID 1580 wrote to memory of 1864	1580	DEMDCE7.exe	41
PID 1580 wrote to memory of 1864	1580	DEMDCE7.exe	41
PID 1580 wrote to memory of 1864	1580	DEMDCE7.exe	41
PID 1580 wrote to memory of 1864	1580	DEMDCE7.exe	41

C:\Users\Admin\AppData\Local\Temp\1783155230fbf8f98fe180e34002ee3e.exe
"C:\Users\Admin\AppData\Local\Temp\1783155230fbf8f98fe180e34002ee3e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\DEM8768.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM8768.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\DEMDCD7.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMDCD7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\DEM3228.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM3228.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\DEM8787.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8787.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:468
      - C:\Users\Admin\AppData\Local\Temp\DEMDCE7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMDCE7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\DEM3247.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3247.exe"
        7⤵
        Executes dropped EXE
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8768.exe

Filesize
15KB

MD5
ae27137b679ef87e81c1720a2696782c

SHA1
78a23a22d336daf3ac82401978c05ecebe4d6713

SHA256
b07d325d4689498b01083a796110813c2682bc1c769a3a3c04044223753bb310

SHA512
78b365ac6d826c2f6a44fe5bac256556b05a4df27c87e33e4b8e00006ac88be032f685cf2bb7f9e28a92cab81d1bfaa2f907fa96160920a75eb3e3e020190eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMDCD7.exe

Filesize
15KB

MD5
a2b50aacf7df1844196c27fbadc0be51

SHA1
1892c47f27e679a91f3ac12d9a1e926a5dd7fafb

SHA256
851e2a53f26cb6f44febc3ff43f7f71d94562d32a8b449a87550c74977a20d72

SHA512
973a9efd193f78a5e03607b2d864cfac88fdaee41b7e5a6c597d8f40fe82ab81b3642079688ec938fca7059a1e937a772ed141ae01c5523c0d860a5a2eece6b6

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3228.exe

Filesize
15KB

MD5
142e89d61081fcb17ba0cd36809ed69f

SHA1
857d024585c821fb20a3e0b1836bc2cc2b3b1597

SHA256
d2b63f59f799f902131626ab39265232637c49cc7eb0f29f46d1492ee60542f9

SHA512
df6f31361fe77b8af8be4de319d3ef0a90a9fe393425c8ed6727e649aee9b91210508c7deb10ce8667e878d394173695dbfa5893adb8aabd0078621da0920152

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3247.exe

Filesize
15KB

MD5
4d223332f0ea2fec8d0811d32af1f6e8

SHA1
771cb8ac31d46f2ae2727b900a890a894195bd43

SHA256
4da146616cfd9487b3026a93ad2334bf40ae4f837df4e9333b0c51bdcf1eee8c

SHA512
62df18b70aeb3bcf27c641dcd632ca8046c957bf14c8c6ff2e249cdd1fbb91756a1315ffa2797ca7025093f06b313d27912f0ef4a2cff1817de2ffdc97448c6a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8787.exe

Filesize
15KB

MD5
1f88439d2acc87c5969fdc4ac01f78e3

SHA1
78659a7d89c38960d75326237850ba97f6b31438

SHA256
92494de221995dc392a02c8e6d5f589ee58eefc5118720ea4f7a92e1e2aaf872

SHA512
f6fd936407934a6477d9472199e74dafcfcf379dd44288477a65d6d14a4b10a7cbbec79b7f868f48fae631ce06a2690ca1b789ae86d35deecdb92f7ef2b9eb98

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDCE7.exe

Filesize
15KB

MD5
11e081393b637cff31b4f98ffff8b942

SHA1
ef1281d4fce9b6f4f6c71b72c0f3b92d94504156

SHA256
2c3db85bd496cb198abf8e858809da8ddb8ea0c7640afe99912542f401676d4e

SHA512
a2c590b0ee149f69fb3c81780edc8d511c142ad8f3573e5178b94b92ac1244984d088c2003bc61aca41719edf4685b282f074f3125bb241070810fca57ed9b01

Download Submit

Analysis

Sharing