93c3eb8620ece56923ae673a31bafa9902378ccf4707d6b7b5614db9e20c6b75

General

Target

349e04ad896487be6d1987e66a0fa64b.exe
Size

16KB
MD5

349e04ad896487be6d1987e66a0fa64b
SHA1

17dad555f1359bff87a4ef49beedc9ec323b33dd
SHA256

93c3eb8620ece56923ae673a31bafa9902378ccf4707d6b7b5614db9e20c6b75
SHA512

53b305006dd713c88b132f5ad8e7e4f2fa1435b7fc4bc2cef4d241aa6060c2c69a0565865d2a4b18d6b2232c6613ace929351a49a7f420c285f810718530b548
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlu3h4:hDXWipuE+K3/SSHgxmlu3h4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2340	DEM7FC.exe
2816	DEM5D5C.exe
2520	DEMB2CB.exe
2644	DEM81C.exe
1680	DEM5DBA.exe
320	DEMB358.exe

Loads dropped DLL 6 IoCs

pid	Process
2028	349e04ad896487be6d1987e66a0fa64b.exe
2340	DEM7FC.exe
2816	DEM5D5C.exe
2520	DEMB2CB.exe
2644	DEM81C.exe
1680	DEM5DBA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2340	2028	349e04ad896487be6d1987e66a0fa64b.exe	29
PID 2028 wrote to memory of 2340	2028	349e04ad896487be6d1987e66a0fa64b.exe	29
PID 2028 wrote to memory of 2340	2028	349e04ad896487be6d1987e66a0fa64b.exe	29
PID 2028 wrote to memory of 2340	2028	349e04ad896487be6d1987e66a0fa64b.exe	29
PID 2340 wrote to memory of 2816	2340	DEM7FC.exe	32
PID 2340 wrote to memory of 2816	2340	DEM7FC.exe	32
PID 2340 wrote to memory of 2816	2340	DEM7FC.exe	32
PID 2340 wrote to memory of 2816	2340	DEM7FC.exe	32
PID 2816 wrote to memory of 2520	2816	DEM5D5C.exe	36
PID 2816 wrote to memory of 2520	2816	DEM5D5C.exe	36
PID 2816 wrote to memory of 2520	2816	DEM5D5C.exe	36
PID 2816 wrote to memory of 2520	2816	DEM5D5C.exe	36
PID 2520 wrote to memory of 2644	2520	DEMB2CB.exe	37
PID 2520 wrote to memory of 2644	2520	DEMB2CB.exe	37
PID 2520 wrote to memory of 2644	2520	DEMB2CB.exe	37
PID 2520 wrote to memory of 2644	2520	DEMB2CB.exe	37
PID 2644 wrote to memory of 1680	2644	DEM81C.exe	39
PID 2644 wrote to memory of 1680	2644	DEM81C.exe	39
PID 2644 wrote to memory of 1680	2644	DEM81C.exe	39
PID 2644 wrote to memory of 1680	2644	DEM81C.exe	39
PID 1680 wrote to memory of 320	1680	DEM5DBA.exe	41
PID 1680 wrote to memory of 320	1680	DEM5DBA.exe	41
PID 1680 wrote to memory of 320	1680	DEM5DBA.exe	41
PID 1680 wrote to memory of 320	1680	DEM5DBA.exe	41

C:\Users\Admin\AppData\Local\Temp\349e04ad896487be6d1987e66a0fa64b.exe
"C:\Users\Admin\AppData\Local\Temp\349e04ad896487be6d1987e66a0fa64b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\DEM5D5C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5D5C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB2CB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\DEM81C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM81C.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\DEM5DBA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5DBA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\DEMB358.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB358.exe"
        7⤵
        Executes dropped EXE
        
        PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5D5C.exe

Filesize
16KB

MD5
42c6c904e45336152ecea1f6540767c0

SHA1
c6f4f671a82fca481183a7090aebdb54501d4309

SHA256
77e153de1fc385f40e1d9090e14f913f8e7179f07eb2d07599b61fab00cbeffb

SHA512
c6e81ddbab91880bea527597ff0a06a53aa5b6c601249537beb3b6ef6e6a6981e09969d8f315b214652f3d4f2ebb487f6b0f1da8f1c360c5dc8debd21597ffee

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5DBA.exe

Filesize
16KB

MD5
24418833689c8100845c19962975b115

SHA1
0abd1bcb923869c079a2d19cdde2cf6c4257521c

SHA256
a5440f0b18dfdfb5096cba17c5e5f620142416ba2b0d4fd8834c2c604f1d624f

SHA512
6954560cd8079b901282bcdedce042857a67d855919432552f558850cd44ba27600ef432ded51a73da9c22a7c84744216c0e72eba8f9c0cc1a3bb0e47cd6e405

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7FC.exe

Filesize
16KB

MD5
7ddeffacf28e6f68fa43fe8265b5239c

SHA1
3383130197b861bdf7308ec2be04ec65734590f4

SHA256
147633430e9e9d41dfbb2f2ec5b042c2d5ea817711a210bb4cd9a18804079aba

SHA512
6f5e8589e54adb01bc6684f67982fe36546664e2eb6343955c0706cc5628f0ca225d68120b3801d16274f4b8ddfa12ab1e1fc91c4027b55c402fbf691bd51c7f

Download Submit
\Users\Admin\AppData\Local\Temp\DEM81C.exe

Filesize
16KB

MD5
42f37526d34c869036e24fb3af8868fa

SHA1
48ab60398afd6432b48a45975de01b93e13c57d9

SHA256
5d40a550aaf47a62f50f07cf70d8d7ca96379d8ee4005e3fbf93e532a674fc0c

SHA512
3b35e0738850716933a2bbb19f44a9772bf096c2e67224f9eda930129c5c5168190fcb127b600543529e4ad91ca9789a6de06ae6bb0bae673eebfcbba9522ebb

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB2CB.exe

Filesize
16KB

MD5
a77aa7018db35d9c764f8abebcdbfda0

SHA1
2458265e5016d32a220f248ccf29761982ead413

SHA256
9a9fb3d4e14cd0b2e63f037a50ab821829af88e2abfa74a31705a8be0aea7733

SHA512
678be01daab8fdd3e0237891e157e16e1f6afb2084e1ebce9e4bbe5faf30ed41b06b06f45b61abbc68a77043ec597040294b3ba41779af5c2757d239b635c40b

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB358.exe

Filesize
16KB

MD5
2f0f69c99c7889717402f910a057d5a2

SHA1
c1a13ef8b39d91c1440395eec5cea35ac3b2a06c

SHA256
5f26388e2b3c4795183d94135c4548891fb0454a43c50a109f776d345f4f8f8a

SHA512
038a9e89577c3f5b38e6cf6ed9f14b304bf9b037f79400b3a1d20511f235e1c55ad14f0fff64ce29382627f201508c65d92f5ce28e3279b9988d97e391c4b84c

Download Submit

Analysis

Sharing