a2cf1c0bf6deb6c47f441827c1f4f03b5b8361b2637c53c3a2af97bdd2344e30

General

Target

30318380bc60111143f5c52a63faab1d.exe
Size

14KB
MD5

30318380bc60111143f5c52a63faab1d
SHA1

96550cfdcf333aad8bcda6b1c6aa2aa8c9ddc7b3
SHA256

a2cf1c0bf6deb6c47f441827c1f4f03b5b8361b2637c53c3a2af97bdd2344e30
SHA512

6daa114f277b232a9383c1edf4d8eae2edfa893e73a2beaeb9d11b0b977064b37b08514461c68ddb83e14458eb6e181d1cadd19c86d2f9cfae751c999ffa176d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhil6:hDXWipuE+K3/SSHgxLiU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2664	DEMCAE.exe
2692	DEM624C.exe
2088	DEMB78C.exe
2816	DEMD2A.exe
1952	DEM628A.exe
1264	DEMB8E3.exe

Loads dropped DLL 6 IoCs

pid	Process
2408	30318380bc60111143f5c52a63faab1d.exe
2664	DEMCAE.exe
2692	DEM624C.exe
2088	DEMB78C.exe
2816	DEMD2A.exe
1952	DEM628A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2664	2408	30318380bc60111143f5c52a63faab1d.exe	29
PID 2408 wrote to memory of 2664	2408	30318380bc60111143f5c52a63faab1d.exe	29
PID 2408 wrote to memory of 2664	2408	30318380bc60111143f5c52a63faab1d.exe	29
PID 2408 wrote to memory of 2664	2408	30318380bc60111143f5c52a63faab1d.exe	29
PID 2664 wrote to memory of 2692	2664	DEMCAE.exe	31
PID 2664 wrote to memory of 2692	2664	DEMCAE.exe	31
PID 2664 wrote to memory of 2692	2664	DEMCAE.exe	31
PID 2664 wrote to memory of 2692	2664	DEMCAE.exe	31
PID 2692 wrote to memory of 2088	2692	DEM624C.exe	35
PID 2692 wrote to memory of 2088	2692	DEM624C.exe	35
PID 2692 wrote to memory of 2088	2692	DEM624C.exe	35
PID 2692 wrote to memory of 2088	2692	DEM624C.exe	35
PID 2088 wrote to memory of 2816	2088	DEMB78C.exe	37
PID 2088 wrote to memory of 2816	2088	DEMB78C.exe	37
PID 2088 wrote to memory of 2816	2088	DEMB78C.exe	37
PID 2088 wrote to memory of 2816	2088	DEMB78C.exe	37
PID 2816 wrote to memory of 1952	2816	DEMD2A.exe	39
PID 2816 wrote to memory of 1952	2816	DEMD2A.exe	39
PID 2816 wrote to memory of 1952	2816	DEMD2A.exe	39
PID 2816 wrote to memory of 1952	2816	DEMD2A.exe	39
PID 1952 wrote to memory of 1264	1952	DEM628A.exe	41
PID 1952 wrote to memory of 1264	1952	DEM628A.exe	41
PID 1952 wrote to memory of 1264	1952	DEM628A.exe	41
PID 1952 wrote to memory of 1264	1952	DEM628A.exe	41

C:\Users\Admin\AppData\Local\Temp\30318380bc60111143f5c52a63faab1d.exe
"C:\Users\Admin\AppData\Local\Temp\30318380bc60111143f5c52a63faab1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\DEMCAE.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMCAE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\DEM624C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM624C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\DEMB78C.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB78C.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\DEMD2A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMD2A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\DEM628A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM628A.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\DEMB8E3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB8E3.exe"
        7⤵
        Executes dropped EXE
        
        PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM624C.exe

Filesize
15KB

MD5
8777f25254a090783d1198579aaefa2a

SHA1
eb70c7cf58b3e4ff2bb81959941d2a5d36cf10c2

SHA256
398e3c439d6db526c8f9976fe4a906481c1db183d6c98925d7915b683e88c27a

SHA512
f355044ba66fefad576e079b3d68265357ff2ce1f4ee40842dc8ac191c2ec5664b7c305099bea5d2bbbbfe4758debce6a6d969a67f96b0cde643a0e34763261d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM628A.exe

Filesize
15KB

MD5
7e1a3ab4369f945f7b9c7ebbfdb3e3b1

SHA1
1a3b4d228d5e22d85e9cc8da4815e884f1de66a7

SHA256
6ab737340cb2b1a827b3f71fb9129e9be11e17241d03786814b68f0165ca3817

SHA512
ad29f2b9296b400258f92aed7e254ba1a104d0ba8955402aecf5ed8380fe4a3679136e937cdc82bf7411915208e249fadd4384aa9571a0400417ce0df61267d5

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB78C.exe

Filesize
15KB

MD5
d2930188c305b9bd34739d6391312c32

SHA1
c324eecf44040338e8a86a47d827ad444bff3cbd

SHA256
ac070bf343dab9498c89c672030a2993af122128dd517adf9838c07e98533bd5

SHA512
4f3810bf35d5d14574bd0aa968cb2cccbee75f535ff7b73ee5d8e87f83413162132f02983fcc97fdcd795617d65245db6fb9755f2fe283928efc19f703e432da

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB8E3.exe

Filesize
15KB

MD5
6b083813300c1ca324ce69c63020fc24

SHA1
951689d52e16f0a0294f7a09fbf3eab232276f20

SHA256
e37aa1473ce5f23dfe631d05ac19706c8740aba5a76cc5cfb9c0738a5272963f

SHA512
c64558123f3ce18285a0ff6a18c24f09b4b50d8c095a9b1942a84d7bd7e0f0c41226db3977c8ba4eb89824ce824ce04fb168d7a4944e22387badedcfad210355

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCAE.exe

Filesize
14KB

MD5
20f078f4fbe163a7a4b448b711625d14

SHA1
055f934e51faf1eaa16aaa9c3c7893b4c3c98983

SHA256
fe916368a76992b762f713ace368b7b1bb22392f374605760320d6ccd25b53e8

SHA512
60f72d8733d48ed6e05f44405ecb81f33371f2cfcec012cbf719aa1d70f8bd42ab613661570fdc540f1e8325aadbfc7f3480cd95942eaf3e55cef8d7b14fdeab

Download Submit
\Users\Admin\AppData\Local\Temp\DEMD2A.exe

Filesize
15KB

MD5
1005c527590e7da3415e98598f8197e4

SHA1
49ca70554046467099e34851dd0bf2b81a08f14d

SHA256
c9d662bebaf142b7ff8e077ca0d62ce325978debde3bbb160acdd20ea517a77b

SHA512
31c1fa067ca605f2af1d5fb5325424d837c98eca2ecd9e1ae42ec528ddb7d7c63851411f0b758b5a6ab020c7becdd5f348cd5f0dccdb4acdfc06b3655b85d311

Download Submit

Analysis

Sharing