6913de19be820abd9d5193fa69bcb44f8ddd9d19a3d96f6fae5697c4a474518f

General

Target

35cfff814457be1459e2b200ddd55fd4.exe
Size

15KB
MD5

35cfff814457be1459e2b200ddd55fd4
SHA1

0318e6234af7f58d845446183098f9b75e724559
SHA256

6913de19be820abd9d5193fa69bcb44f8ddd9d19a3d96f6fae5697c4a474518f
SHA512

ed81ed70ecaf8fe554c54e3c9183149ef40be777395a764d40c9457c3497e3b9fcccfd8f3a2ee784df958d81087f635f2de253dfb7d4981bf343adcc47c48acd
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyh6Ht:hDXWipuE+K3/SSHgxmyh6Ht

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2804	DEM6BFC.exe
3056	DEMC2D2.exe
1492	DEM18DE.exe
1980	DEM6F37.exe
2544	DEMC63C.exe
1764	DEM1C76.exe

Loads dropped DLL 6 IoCs

pid	Process
2172	35cfff814457be1459e2b200ddd55fd4.exe
2804	DEM6BFC.exe
3056	DEMC2D2.exe
1492	DEM18DE.exe
1980	DEM6F37.exe
2544	DEMC63C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2804	2172	35cfff814457be1459e2b200ddd55fd4.exe	29
PID 2172 wrote to memory of 2804	2172	35cfff814457be1459e2b200ddd55fd4.exe	29
PID 2172 wrote to memory of 2804	2172	35cfff814457be1459e2b200ddd55fd4.exe	29
PID 2172 wrote to memory of 2804	2172	35cfff814457be1459e2b200ddd55fd4.exe	29
PID 2804 wrote to memory of 3056	2804	DEM6BFC.exe	33
PID 2804 wrote to memory of 3056	2804	DEM6BFC.exe	33
PID 2804 wrote to memory of 3056	2804	DEM6BFC.exe	33
PID 2804 wrote to memory of 3056	2804	DEM6BFC.exe	33
PID 3056 wrote to memory of 1492	3056	DEMC2D2.exe	35
PID 3056 wrote to memory of 1492	3056	DEMC2D2.exe	35
PID 3056 wrote to memory of 1492	3056	DEMC2D2.exe	35
PID 3056 wrote to memory of 1492	3056	DEMC2D2.exe	35
PID 1492 wrote to memory of 1980	1492	DEM18DE.exe	37
PID 1492 wrote to memory of 1980	1492	DEM18DE.exe	37
PID 1492 wrote to memory of 1980	1492	DEM18DE.exe	37
PID 1492 wrote to memory of 1980	1492	DEM18DE.exe	37
PID 1980 wrote to memory of 2544	1980	DEM6F37.exe	39
PID 1980 wrote to memory of 2544	1980	DEM6F37.exe	39
PID 1980 wrote to memory of 2544	1980	DEM6F37.exe	39
PID 1980 wrote to memory of 2544	1980	DEM6F37.exe	39
PID 2544 wrote to memory of 1764	2544	DEMC63C.exe	41
PID 2544 wrote to memory of 1764	2544	DEMC63C.exe	41
PID 2544 wrote to memory of 1764	2544	DEMC63C.exe	41
PID 2544 wrote to memory of 1764	2544	DEMC63C.exe	41

C:\Users\Admin\AppData\Local\Temp\35cfff814457be1459e2b200ddd55fd4.exe
"C:\Users\Admin\AppData\Local\Temp\35cfff814457be1459e2b200ddd55fd4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\DEM6BFC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6BFC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\DEMC2D2.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC2D2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\DEM18DE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM18DE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\DEM6F37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F37.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Users\Admin\AppData\Local\Temp\DEMC63C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC63C.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\DEM1C76.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1C76.exe"
        7⤵
        Executes dropped EXE
        
        PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1C76.exe

Filesize
15KB

MD5
6bf13d134e03636ab711ba45e1b5a7ec

SHA1
d0d83c0e08f96d0933b50b6416bef4e4773b0a22

SHA256
a354b7f150ecab0829ba0fc0194106e7f839520283b43c4b36ae51f431fb3182

SHA512
cefe71be4a0e0b1985b239a6643d00be564c216413b68be4a427a3235b79575eb363b137bf3d7310f8ac71456a787cd15174f8d6d50e2a7042cc391db177c3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC2D2.exe

Filesize
15KB

MD5
686acd2a18b3ea5e9422def07e0534b5

SHA1
27b5785664eb9c1f029d74936bff2947f895a206

SHA256
81ff0ebef5a805545db9c9ecfd301fd1c21cf342ad19d5f2e6e9bb8a7aeed03f

SHA512
3495f7ecb41c1b4ff0e4107ee1f3dd5b5108aaf15db1fb4f01ec3805ad4b166f9214208d4bf68566a378ba8f3d9192cd6c37f76532262aa0b3affa19405dc556

Download Submit
\Users\Admin\AppData\Local\Temp\DEM18DE.exe

Filesize
15KB

MD5
7f8d73fb87368beb876bca7f168282fc

SHA1
8ff574de81fb0c43305e31e28c67abb49d8269dd

SHA256
765d7e4fa080002233128d9bca3935aa9913a055afd623522d42c8411d0bdcf2

SHA512
137c439e53a21308def9a011c269929f9404a4760f64f175bb85ec1f83f1027710a9327e4952afd6fee6d49cad7515522862813af8cbc619eee6ce89d2a07829

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6BFC.exe

Filesize
15KB

MD5
037421765d844c19f3d0bbaf40a3a2d5

SHA1
5573161c88466c546a98935661e08085924794a9

SHA256
4b8ad034dc9bfe018dd86161edb1bdef1e69918beac302cce3f7c0898b98c01c

SHA512
e773778cf9acdb40e97e268bef38e64c881ec9f521e8a7f4e9526a1a67fb820c02a8aebabab484e23318c4e03381d72604c24c6287138ffbade571cab144259e

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6F37.exe

Filesize
15KB

MD5
ef26ef5f4d792036a54d1a8f6a867751

SHA1
79760d752ac61155bd97c8097230d13798e73bcb

SHA256
52cab39b995fac13265250952417007a9417dd40e9bbfa689fa53c4aaf5eb315

SHA512
ae189b3096cacbb4d01a3302ee952d95319789a67ba67603bc363ae5bc97d5b284a3d84b33896b1ef492f696222d28f9ab494fc2d3623240e0453575306b35ee

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC63C.exe

Filesize
15KB

MD5
6ad733cd84909abb6b1c2e3705d28957

SHA1
82d4df08f1a8a87933224791174bdc64133b9c67

SHA256
94326c1bb5267c36da2eaa9bbea8b850b4155ad055c8cd9d0786d08e46a32d07

SHA512
1822d90f408be656aaf194b1037c2740fe69f0e80fc43c0b79f5a8ac0c79eca22a51825208e39d4dc4ecc6e70a887d785c1525f04d65450e8c3768e0d5c3a55c

Download Submit

Analysis

Sharing