2c4ba44d52a53e4d92870785dbf7af5acb3a75eba577186a2fd53c2a3d295708

General

Target

21b7eaf0e158a7fc7bae28673213c543.exe
Size

15KB
MD5

21b7eaf0e158a7fc7bae28673213c543
SHA1

f4fd3ab5c763c2fd72dcc4b89c2672dc157d2482
SHA256

2c4ba44d52a53e4d92870785dbf7af5acb3a75eba577186a2fd53c2a3d295708
SHA512

1b3eada18f21206a150e0e76282099ee519d2466baa3627e9daa4df3800ec00b63ad6ca1053f55cd67b79a308ed74f63290b6d1d95e7bccfddd75f6c9d1ae0a6
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMxXE:hDXWipuE+K3/SSHgxmHtE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2688	DEMB145.exe
596	DEM9B1.exe
2916	DEM600B.exe
1336	DEMAE1A.exe
2028	DEM406.exe
2668	DEM55ED.exe

Loads dropped DLL 6 IoCs

pid	Process
2720	21b7eaf0e158a7fc7bae28673213c543.exe
2688	DEMB145.exe
596	DEM9B1.exe
2916	DEM600B.exe
1336	DEMAE1A.exe
2028	DEM406.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2688	2720	21b7eaf0e158a7fc7bae28673213c543.exe	30
PID 2720 wrote to memory of 2688	2720	21b7eaf0e158a7fc7bae28673213c543.exe	30
PID 2720 wrote to memory of 2688	2720	21b7eaf0e158a7fc7bae28673213c543.exe	30
PID 2720 wrote to memory of 2688	2720	21b7eaf0e158a7fc7bae28673213c543.exe	30
PID 2688 wrote to memory of 596	2688	DEMB145.exe	32
PID 2688 wrote to memory of 596	2688	DEMB145.exe	32
PID 2688 wrote to memory of 596	2688	DEMB145.exe	32
PID 2688 wrote to memory of 596	2688	DEMB145.exe	32
PID 596 wrote to memory of 2916	596	DEM9B1.exe	34
PID 596 wrote to memory of 2916	596	DEM9B1.exe	34
PID 596 wrote to memory of 2916	596	DEM9B1.exe	34
PID 596 wrote to memory of 2916	596	DEM9B1.exe	34
PID 2916 wrote to memory of 1336	2916	DEM600B.exe	36
PID 2916 wrote to memory of 1336	2916	DEM600B.exe	36
PID 2916 wrote to memory of 1336	2916	DEM600B.exe	36
PID 2916 wrote to memory of 1336	2916	DEM600B.exe	36
PID 1336 wrote to memory of 2028	1336	DEMAE1A.exe	38
PID 1336 wrote to memory of 2028	1336	DEMAE1A.exe	38
PID 1336 wrote to memory of 2028	1336	DEMAE1A.exe	38
PID 1336 wrote to memory of 2028	1336	DEMAE1A.exe	38
PID 2028 wrote to memory of 2668	2028	DEM406.exe	40
PID 2028 wrote to memory of 2668	2028	DEM406.exe	40
PID 2028 wrote to memory of 2668	2028	DEM406.exe	40
PID 2028 wrote to memory of 2668	2028	DEM406.exe	40

C:\Users\Admin\AppData\Local\Temp\21b7eaf0e158a7fc7bae28673213c543.exe
"C:\Users\Admin\AppData\Local\Temp\21b7eaf0e158a7fc7bae28673213c543.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\DEMB145.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMB145.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\DEM9B1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9B1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\DEM600B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM600B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\DEMAE1A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAE1A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Users\Admin\AppData\Local\Temp\DEM406.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM406.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\DEM55ED.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM55ED.exe"
        7⤵
        Executes dropped EXE
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM600B.exe

Filesize
15KB

MD5
77b0e3d375149ca8b2b9dc309a49aa37

SHA1
80e31e1819a8e7e5e296a16df4f8961da75031a0

SHA256
fa60ff6abd8354e598f6e797b47ee0a6c070aa78d85de123a37fdbe85b0f9b7e

SHA512
73fa2d4be9bebb2d05414915bdeeb4395c68eee9d1c14c71a6e8bd11c1227e2cc25a58e9c92ab1b0f5de67bfb6620b783bc49c3a1aa5d8660c140394c994d36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9B1.exe

Filesize
15KB

MD5
ecc005a7dade45be44b8df30c359c19e

SHA1
4b92c5d28e0319f4ac71c64211c81a818004a98e

SHA256
93c81d28fc90d70e726c9605590af221ed7759ca4d0f9cdca0b336a67ff9c5c1

SHA512
1de8df9af57cd8e5c581d2565ff60c734e454aafc70dd633fcc1121ef0e58cef34860f8e4f7bb24d4057ae643e209a175e68a704f837d6614a237e917b17fc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB145.exe

Filesize
15KB

MD5
98f7835b35c00f020e019ab896c39f6a

SHA1
e6586ca6e5b1d5d33a0f96e3628be46845903c2b

SHA256
6706a906a309affd3ef44382c1110c8fd13897e34ce861ca66e5690d8da08aad

SHA512
5e1fb652f468fb8595aa4d00338b87fd290188d13346e11c8054ac38493b6f95b8b9601f65fe476dc2b66e141ccc3d0e93a4aa3d176b9f916dd6d2042b3fc344

Download Submit
\Users\Admin\AppData\Local\Temp\DEM406.exe

Filesize
16KB

MD5
d1109e9702bd49936a063fcc0e6e8fb9

SHA1
d25f8774757da161aecdb2a58aa858cd5559a787

SHA256
e49107e4751ef4720a1ea896418f98bf2ab4a46c42405c8e3becad822abe715e

SHA512
16610a6d36692b65d6a70b08fcd902c68d81b7fe22c53cbfe200ac0658c55abc1d5ef2f16ca85e851f3bff3183888a50c4241da6652f6cd09f14aae5a64a284c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM55ED.exe

Filesize
16KB

MD5
209c3388e502646a4e3439fb5e0bbd69

SHA1
fe5372edaa616bdce38e7223704bb9f352d802db

SHA256
dcd62784d2f1d3d40e933b47880ee1c7d16624d30f9f51bd0ed839313bc939cf

SHA512
8256387ec96aa5b72531bc581bab966bbf5c190cc980a24033f255d4c6d51140fc4b9128471e59924eaf8fb1734604472592dec63cc4acc4999d8a1361556e04

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAE1A.exe

Filesize
16KB

MD5
453ac067fddfc9c1b90beba9503ad8d9

SHA1
3a11d222d3f5d87c4bb2437518478e4ff99aef2b

SHA256
f48c19feac863ddf34b877aad33a688079e79112e2001c1e728cff2a212e3082

SHA512
e08479f327a3c06e1003c2fa2656b44a392137947b383630a1c646276a689b6fdf8f4f954748b78f167b474f123012cbd07f3e282112263491ec6e13bad6698e

Download Submit

Analysis

Sharing