adad22950279bc386b53bcc03aa9c5427ccd473f0401bc0fa926785f09ddd74d

General

Target

1fd17746ba23f7c7102129cbe76efc3a.exe
Size

16KB
MD5

1fd17746ba23f7c7102129cbe76efc3a
SHA1

93713d3e5d85ce301493a25f4bdf9ca3097b6b51
SHA256

adad22950279bc386b53bcc03aa9c5427ccd473f0401bc0fa926785f09ddd74d
SHA512

dc72a88657a6ac1f49d15f63a54a6b5170f5413eebdf95a4139dd65c50f36e8cab770c8c1349210373ae1837eb1a774768e0837ac39e0433a1eb8e2f4289381f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY+Sm0:hDXWipuE+K3/SSHgxm+L0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3048	DEM37D2.exe
2764	DEM8EA9.exe
1168	DEME540.exe
1988	DEM3ADE.exe
308	DEM9147.exe
2860	DEME743.exe

Loads dropped DLL 6 IoCs

pid	Process
1420	1fd17746ba23f7c7102129cbe76efc3a.exe
3048	DEM37D2.exe
2764	DEM8EA9.exe
1168	DEME540.exe
1988	DEM3ADE.exe
308	DEM9147.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 3048	1420	1fd17746ba23f7c7102129cbe76efc3a.exe	29
PID 1420 wrote to memory of 3048	1420	1fd17746ba23f7c7102129cbe76efc3a.exe	29
PID 1420 wrote to memory of 3048	1420	1fd17746ba23f7c7102129cbe76efc3a.exe	29
PID 1420 wrote to memory of 3048	1420	1fd17746ba23f7c7102129cbe76efc3a.exe	29
PID 3048 wrote to memory of 2764	3048	DEM37D2.exe	33
PID 3048 wrote to memory of 2764	3048	DEM37D2.exe	33
PID 3048 wrote to memory of 2764	3048	DEM37D2.exe	33
PID 3048 wrote to memory of 2764	3048	DEM37D2.exe	33
PID 2764 wrote to memory of 1168	2764	DEM8EA9.exe	35
PID 2764 wrote to memory of 1168	2764	DEM8EA9.exe	35
PID 2764 wrote to memory of 1168	2764	DEM8EA9.exe	35
PID 2764 wrote to memory of 1168	2764	DEM8EA9.exe	35
PID 1168 wrote to memory of 1988	1168	DEME540.exe	37
PID 1168 wrote to memory of 1988	1168	DEME540.exe	37
PID 1168 wrote to memory of 1988	1168	DEME540.exe	37
PID 1168 wrote to memory of 1988	1168	DEME540.exe	37
PID 1988 wrote to memory of 308	1988	DEM3ADE.exe	39
PID 1988 wrote to memory of 308	1988	DEM3ADE.exe	39
PID 1988 wrote to memory of 308	1988	DEM3ADE.exe	39
PID 1988 wrote to memory of 308	1988	DEM3ADE.exe	39
PID 308 wrote to memory of 2860	308	DEM9147.exe	41
PID 308 wrote to memory of 2860	308	DEM9147.exe	41
PID 308 wrote to memory of 2860	308	DEM9147.exe	41
PID 308 wrote to memory of 2860	308	DEM9147.exe	41

C:\Users\Admin\AppData\Local\Temp\1fd17746ba23f7c7102129cbe76efc3a.exe
"C:\Users\Admin\AppData\Local\Temp\1fd17746ba23f7c7102129cbe76efc3a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\DEM37D2.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM37D2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\DEM8EA9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8EA9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\DEME540.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME540.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\DEM3ADE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3ADE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\DEM9147.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9147.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\DEME743.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME743.exe"
        7⤵
        Executes dropped EXE
        
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8EA9.exe

Filesize
16KB

MD5
5fcd826c4f5ce379c7eef273bc79bd26

SHA1
c4000efe087041f2de99edc01e957700ea4effb8

SHA256
4ea29d965a995a4c70199d806289597cf5c9dab9597e6356a5c75a1da964c83a

SHA512
ebcab2aa36495e522ce9df2a0da2513bafa71d83ecb618b7798faebdc46e7c7070296aa3428d6a1abe6bbe6617bbd7aebe405af347bb36764016f18fc9f7a94a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM37D2.exe

Filesize
16KB

MD5
eb6d29989fb897328a29c35b4b7fe47c

SHA1
4889856aa07aea4c31a07f39a9a8697715e02396

SHA256
d5b4f280f6ae32c04aa7393d77dad0d2df9a46c5c5a36928730df2cb76a1a011

SHA512
d68b0b47ee426092f0ef3e8a42bde29e20a437a6dcf41cf3c2956c4cda5ae396ffbb4fce0f57d930762ac83780c8cc05e5e4ff5f0e2605565651db7c3e6caa58

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3ADE.exe

Filesize
16KB

MD5
f54367280667faea0650a3505d99d0bc

SHA1
0a126cc8e3602567c356c4430429ca6005e53539

SHA256
9ff7b9ea509727070fa4edbebd6be4a8cb492e104365af5fdd66ff4c1caa317b

SHA512
f14e091c62c3e40112545b6839102072fa723dcf8f4134a151acddc42413bcc6a9d6100ec19cf06118ba49fa3068c0ddfa8acfb804845d785a901e6095c1742a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9147.exe

Filesize
16KB

MD5
b42f686ae5a68ff6784cf3aae5676bd0

SHA1
57e92d71bfc2bd48a5630d403df16fcfc9df1705

SHA256
676bb94c98b8d70765ca0a92b857c70858a48528f674105f61a42e082a689f20

SHA512
74c8c056aac2c23515ab3f50a1be3b06df25a730a6eb9a7cf401e75cf8cf0a3d26326d1ffaca57a32bebe277c20a56e5fb65239eea4f4582b0e6a666ac4200be

Download Submit
\Users\Admin\AppData\Local\Temp\DEME540.exe

Filesize
16KB

MD5
5597cee560825e7240e37c6b06c82690

SHA1
2ed371f291b5482fbdac0fa416c26bb09a9a4223

SHA256
b7edf1024b059199ff2385e4bcb8a345384e43526b579114461d8b71bc458b09

SHA512
e5a400f9da259141bd4cb36011b4254d13731cd4a58e97439c490c42c126ddf51042a1c85ca6b2d85f0034ee67b86f3ea9692df832e02197e60cffd15979475c

Download Submit
\Users\Admin\AppData\Local\Temp\DEME743.exe

Filesize
16KB

MD5
d752d953f7bff8d9b8db1369395c35b7

SHA1
176feb97a7ce7673d824f34d0c8cd03ed385ad56

SHA256
4abd105e374ef3dc79adfe9ca6338e01f8ff3671bbcfad0a6e64ee2ce5ddaf66

SHA512
49cf8a0a545fe21fafa83c8d94d51581187f0ffd49947f93b0148c53fcab78459d897e89a9318c669cd14126b42fa27c71e19fc299b24fec294e6893435dc721

Download Submit

Analysis

Sharing