b8c7bc8df0b08116923bac779de665ec653cdf7270b3886601e79d17ba14fd64

General

Target

1ffbdf5dceb49118601fbd9b73513688.exe
Size

14KB
MD5

1ffbdf5dceb49118601fbd9b73513688
SHA1

d4f73261d3334d83abd8bb34578ddec05983fc06
SHA256

b8c7bc8df0b08116923bac779de665ec653cdf7270b3886601e79d17ba14fd64
SHA512

e12eaf534ead37a588aae8d862a9855827e501e2d4b58fa1726375abc2caf3500ce3190e842d704052b1de56710643e57d5880ac3117c74114dbbe6d46ab6ade
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhf+x9:hDXWipuE+K3/SSHgxs3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2784	DEM2FA8.exe
2708	DEM8739.exe
2916	DEMDDB2.exe
1428	DEM338E.exe
2528	DEM8A45.exe
1144	DEME080.exe

Loads dropped DLL 6 IoCs

pid	Process
3020	1ffbdf5dceb49118601fbd9b73513688.exe
2784	DEM2FA8.exe
2708	DEM8739.exe
2916	DEMDDB2.exe
1428	DEM338E.exe
2528	DEM8A45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2784	3020	1ffbdf5dceb49118601fbd9b73513688.exe	29
PID 3020 wrote to memory of 2784	3020	1ffbdf5dceb49118601fbd9b73513688.exe	29
PID 3020 wrote to memory of 2784	3020	1ffbdf5dceb49118601fbd9b73513688.exe	29
PID 3020 wrote to memory of 2784	3020	1ffbdf5dceb49118601fbd9b73513688.exe	29
PID 2784 wrote to memory of 2708	2784	DEM2FA8.exe	33
PID 2784 wrote to memory of 2708	2784	DEM2FA8.exe	33
PID 2784 wrote to memory of 2708	2784	DEM2FA8.exe	33
PID 2784 wrote to memory of 2708	2784	DEM2FA8.exe	33
PID 2708 wrote to memory of 2916	2708	DEM8739.exe	35
PID 2708 wrote to memory of 2916	2708	DEM8739.exe	35
PID 2708 wrote to memory of 2916	2708	DEM8739.exe	35
PID 2708 wrote to memory of 2916	2708	DEM8739.exe	35
PID 2916 wrote to memory of 1428	2916	DEMDDB2.exe	37
PID 2916 wrote to memory of 1428	2916	DEMDDB2.exe	37
PID 2916 wrote to memory of 1428	2916	DEMDDB2.exe	37
PID 2916 wrote to memory of 1428	2916	DEMDDB2.exe	37
PID 1428 wrote to memory of 2528	1428	DEM338E.exe	40
PID 1428 wrote to memory of 2528	1428	DEM338E.exe	40
PID 1428 wrote to memory of 2528	1428	DEM338E.exe	40
PID 1428 wrote to memory of 2528	1428	DEM338E.exe	40
PID 2528 wrote to memory of 1144	2528	DEM8A45.exe	41
PID 2528 wrote to memory of 1144	2528	DEM8A45.exe	41
PID 2528 wrote to memory of 1144	2528	DEM8A45.exe	41
PID 2528 wrote to memory of 1144	2528	DEM8A45.exe	41

C:\Users\Admin\AppData\Local\Temp\1ffbdf5dceb49118601fbd9b73513688.exe
"C:\Users\Admin\AppData\Local\Temp\1ffbdf5dceb49118601fbd9b73513688.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\DEM2FA8.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM2FA8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\DEM8739.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8739.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\DEMDDB2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDDB2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\DEM338E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM338E.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Users\Admin\AppData\Local\Temp\DEM8A45.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM8A45.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\DEME080.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME080.exe"
        7⤵
        Executes dropped EXE
        
        PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8739.exe

Filesize
14KB

MD5
218bd2d8aea54ec30a8413adb213a89e

SHA1
e952ffe3e1955d2ce7be77b60e71386dec357538

SHA256
e241c46c9e4e79e9911ee34fa6a7ec39769ea3cf2e0fdf81a51683aebb30756f

SHA512
13ae49c4ed5079c3b1bf25946f39d7a194c0cbfe82221b290a6c8072cbb7bfe829db42fde59b649ba76614cdd809438d2ec01544e54af20423b280baa3afd3bd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM2FA8.exe

Filesize
14KB

MD5
9500436f7a2cbc327778e8709e838d05

SHA1
2d2bd304ac7699d0ccb36955260dcb5dba9a6e9a

SHA256
721d3f4b47d70dbb3c87a97c817b92b23d6c62d06bb34d2f85002cec5bb205a9

SHA512
78c06997ed5d7a10b2a03771dec89779a6bcdfc815a71c266bbd35dfe9c82227a5ed4f10f5a81a93a86e178d27ea8c51f7aa53d616975f1d269f0c0482e11f61

Download Submit
\Users\Admin\AppData\Local\Temp\DEM338E.exe

Filesize
14KB

MD5
a5aea0b97ad66a7427ce231f0fc41f9b

SHA1
eef8f22fb74d06aec9214a947fc3fa09543412db

SHA256
a47e3ff312940768df924553dce999b3cfeb33c6f04e7feafbfea9b0238c94eb

SHA512
8dbb2e3e7cf15f4dd26ed8ef19a1eb04cb4afa0d5ca0f13a5b79eb166f1ca978a88df00896be8e6abfd52da65497b866d7b3187ff826957fd02212a171482afc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM8A45.exe

Filesize
14KB

MD5
eff8c407d5210ea55b75c5ac1d8b4f19

SHA1
af2211896575ef94d1ce7a25d384c8be79f0d497

SHA256
5da9f715d8b7e2679ca988bafb344e3dabcb7114a4b27191b8e024aa2eefc218

SHA512
d238902f58bdc574c723173a14b7ba58c42e5e7c1c3c862bef962d54c3de1504f1c4837a82c225693e189f9f242658a896c0cf3b4c2b8a3a6f4e45c288ce0e88

Download Submit
\Users\Admin\AppData\Local\Temp\DEMDDB2.exe

Filesize
14KB

MD5
1604fcbf0052634e1129ebfb58e50a8b

SHA1
c7ec5396b714f9080844e0de0df2a2216ed775e9

SHA256
d8117a3cc6a28aafd739eb95b3ea50425c6eda2978611a5d2889a282fc7f3352

SHA512
79b4660711f8c578eac735eac6fd1bd997631b76defe5f88e376d63f9ffbce9237073a0e8eac3c9f5e755d7a9d8f0c18446ede1673c736004b30eb3aece919c2

Download Submit
\Users\Admin\AppData\Local\Temp\DEME080.exe

Filesize
14KB

MD5
6a65855921280f24a31ff78ed3e0cc05

SHA1
3459dbd18e03a6bfd718ddb2a5d387ce3bf8ef70

SHA256
63840a7fe0f6f3784999c0f7d2304fd26dea0b80b9fd53d9118cbbcd1bc462b1

SHA512
7d8064364d25cd35a50ebcf79bd78fa20278de88c630fd5de0c9baebf13a95fec1e7b727563e5b7c2b4cba135d3dc2f5877f82d38de932b2c4130ee8e524a5bb

Download Submit

Analysis

Sharing