f4d1c6004fe8d0acd4a9c2ef46eb188f5e4b75e62912300b28b1a10ce9dcba1d

General

Target

38f300864535cdb3efe771a07a0954ae.exe
Size

14KB
MD5

38f300864535cdb3efe771a07a0954ae
SHA1

a042f150205da4455925e1f9d655e25d54955f0c
SHA256

f4d1c6004fe8d0acd4a9c2ef46eb188f5e4b75e62912300b28b1a10ce9dcba1d
SHA512

6a92523af48fbf85c46e3f92231d5b85a2aedfc4b3f006c9c98a73ed2a863231b587d2754da3f84285702b0caa360af6552af335c2b36402dbad0da2af3dcef0
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhOOhCO:hDXWipuE+K3/SSHgxthf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2792	DEM3DFA.exe
2516	DEM950F.exe
2932	DEMEC04.exe
1784	DEM42DA.exe
2804	DEM981B.exe
2084	DEMEE84.exe

Loads dropped DLL 6 IoCs

pid	Process
2368	38f300864535cdb3efe771a07a0954ae.exe
2792	DEM3DFA.exe
2516	DEM950F.exe
2932	DEMEC04.exe
1784	DEM42DA.exe
2804	DEM981B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2792	2368	38f300864535cdb3efe771a07a0954ae.exe	29
PID 2368 wrote to memory of 2792	2368	38f300864535cdb3efe771a07a0954ae.exe	29
PID 2368 wrote to memory of 2792	2368	38f300864535cdb3efe771a07a0954ae.exe	29
PID 2368 wrote to memory of 2792	2368	38f300864535cdb3efe771a07a0954ae.exe	29
PID 2792 wrote to memory of 2516	2792	DEM3DFA.exe	33
PID 2792 wrote to memory of 2516	2792	DEM3DFA.exe	33
PID 2792 wrote to memory of 2516	2792	DEM3DFA.exe	33
PID 2792 wrote to memory of 2516	2792	DEM3DFA.exe	33
PID 2516 wrote to memory of 2932	2516	DEM950F.exe	35
PID 2516 wrote to memory of 2932	2516	DEM950F.exe	35
PID 2516 wrote to memory of 2932	2516	DEM950F.exe	35
PID 2516 wrote to memory of 2932	2516	DEM950F.exe	35
PID 2932 wrote to memory of 1784	2932	DEMEC04.exe	38
PID 2932 wrote to memory of 1784	2932	DEMEC04.exe	38
PID 2932 wrote to memory of 1784	2932	DEMEC04.exe	38
PID 2932 wrote to memory of 1784	2932	DEMEC04.exe	38
PID 1784 wrote to memory of 2804	1784	DEM42DA.exe	39
PID 1784 wrote to memory of 2804	1784	DEM42DA.exe	39
PID 1784 wrote to memory of 2804	1784	DEM42DA.exe	39
PID 1784 wrote to memory of 2804	1784	DEM42DA.exe	39
PID 2804 wrote to memory of 2084	2804	DEM981B.exe	41
PID 2804 wrote to memory of 2084	2804	DEM981B.exe	41
PID 2804 wrote to memory of 2084	2804	DEM981B.exe	41
PID 2804 wrote to memory of 2084	2804	DEM981B.exe	41

C:\Users\Admin\AppData\Local\Temp\38f300864535cdb3efe771a07a0954ae.exe
"C:\Users\Admin\AppData\Local\Temp\38f300864535cdb3efe771a07a0954ae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\DEM3DFA.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3DFA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\DEM950F.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM950F.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\DEMEC04.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEC04.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\DEM42DA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM42DA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\DEM981B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM981B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\DEMEE84.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMEE84.exe"
        7⤵
        Executes dropped EXE
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM42DA.exe

Filesize
14KB

MD5
86ca13e8087c4e06dfec672cebfe30bb

SHA1
8c3f8cba92fe4c3dde4cda0c1db195edd9aa717d

SHA256
849a8a9a52e0e7cb86a53ddeb1a4e62a74f045107d031ee7d28bd8d730ad205d

SHA512
8af950a4db018e22351b2083ced4559fcd65e2d93b2220613629f37cc0a888f9330e19bbc0b4e74004159f0e15bc49422dbe44ef37ab6694ceebdfa9f8858416

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM950F.exe

Filesize
14KB

MD5
8825ee8db664fe9c64711365abe957e1

SHA1
9f2e9d18e682ed13e3ab04c7ffa167a95e46fd80

SHA256
b4f539c8f243e004028ce70de517fba0c682493c075bbf009d64d01e8273374b

SHA512
71c628f868da7f4c912e2d6f5d104ceb7e2e898d9927ab4c868437d21633947e86e232385675f094897622668b571619f78aadc39e314ff8cd685b0c5c15ef45

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3DFA.exe

Filesize
14KB

MD5
80592acac48619d870851db5787d453a

SHA1
35b062c23ce4f6d0109e20dbfb607e7148ddf2f3

SHA256
b0fdbfa8fa012447c39292c4b97180d0a72fe0585d3a07ca7edcd01abcbb20ef

SHA512
cbac5ac548af0b57ae0277d8e98dc6489c4c662809f3d4580bf33307cd2fda7b5b59b032cc67456b6f9abdf379a7d8532343bd8b383201ecf6d84a9fd4a137aa

Download Submit
\Users\Admin\AppData\Local\Temp\DEM981B.exe

Filesize
14KB

MD5
1b29b103f33e7f3146d3ea2163587943

SHA1
790ca422c4e666d2c055cbf4b5f5a3e61abb97ab

SHA256
040e6b69867a98b737061eb5dc5ef3d1503a507be4fe6908fb72e56555daedb0

SHA512
7380398c5a59e75fbef4d93dbea96f0348746edf43c4f66391004577f666e549e6e0045afd56ce0603a698dc8c24136a33d7e01699a2095414c4785cc53146b5

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEC04.exe

Filesize
14KB

MD5
752ec79874f81c09c72db7ec19a32b54

SHA1
bf805cec217847228ffcc9d792e6d54b5c6e4656

SHA256
7b8c0cf14ca3e0ae486d81b8ff02fb367990b0ce55dea5f13b65394217c473f5

SHA512
878626f215fe7604fd3d5ddef3514feb4ce5777a0551b7af81b35994b5453c471da75b1b30d36f6eb30c671cffd55a2f3278e5a6f96bb537640dd0e532152f09

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEE84.exe

Filesize
14KB

MD5
5f514f0ec0c606fd32c4da347433b649

SHA1
3880edc82b6f737e25cc6ed06a31a059c189e5ef

SHA256
f54c753f5710146c2734ba4730243a20ca41eb690c85267867c024e5dc9cc4ba

SHA512
ca257c8a29d032d4160237b8c8f3ec9c8a12544288ff0d27e30f1bbb3a4d678e28947482cc9416624ebc15e7860b1afe939b0481cfebaf54d13d18b3ed819229

Download Submit

Analysis

Sharing