2673a50b4c65a34ec024b9f62d53cdf7bfa6f86518fa61f1bcbd0fa19a0da795

General

Target

44dc9df5f92cbe0388491f4de6ba350f.exe
Size

14KB
MD5

44dc9df5f92cbe0388491f4de6ba350f
SHA1

2a423a5dae28085c617a6390c510271b070c0aa7
SHA256

2673a50b4c65a34ec024b9f62d53cdf7bfa6f86518fa61f1bcbd0fa19a0da795
SHA512

cabc33ba472bdd2d6d08903cc4dd02d055d26b708fcc2ff4ec0e30e90963e67f08d7b0a3744ba30e155c8ff2c0c63528dfdeed79f70ace1fa392a22a0dbb5e73
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0G:hDXWipuE+K3/SSHgx4G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2844	DEM54F3.exe
2656	DEMAC08.exe
1172	DEM187.exe
1396	DEM57D1.exe
2800	DEMAE0B.exe
1716	DEM4D1.exe

Loads dropped DLL 6 IoCs

pid	Process
1692	44dc9df5f92cbe0388491f4de6ba350f.exe
2844	DEM54F3.exe
2656	DEMAC08.exe
1172	DEM187.exe
1396	DEM57D1.exe
2800	DEMAE0B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2844	1692	44dc9df5f92cbe0388491f4de6ba350f.exe	29
PID 1692 wrote to memory of 2844	1692	44dc9df5f92cbe0388491f4de6ba350f.exe	29
PID 1692 wrote to memory of 2844	1692	44dc9df5f92cbe0388491f4de6ba350f.exe	29
PID 1692 wrote to memory of 2844	1692	44dc9df5f92cbe0388491f4de6ba350f.exe	29
PID 2844 wrote to memory of 2656	2844	DEM54F3.exe	33
PID 2844 wrote to memory of 2656	2844	DEM54F3.exe	33
PID 2844 wrote to memory of 2656	2844	DEM54F3.exe	33
PID 2844 wrote to memory of 2656	2844	DEM54F3.exe	33
PID 2656 wrote to memory of 1172	2656	DEMAC08.exe	35
PID 2656 wrote to memory of 1172	2656	DEMAC08.exe	35
PID 2656 wrote to memory of 1172	2656	DEMAC08.exe	35
PID 2656 wrote to memory of 1172	2656	DEMAC08.exe	35
PID 1172 wrote to memory of 1396	1172	DEM187.exe	37
PID 1172 wrote to memory of 1396	1172	DEM187.exe	37
PID 1172 wrote to memory of 1396	1172	DEM187.exe	37
PID 1172 wrote to memory of 1396	1172	DEM187.exe	37
PID 1396 wrote to memory of 2800	1396	DEM57D1.exe	40
PID 1396 wrote to memory of 2800	1396	DEM57D1.exe	40
PID 1396 wrote to memory of 2800	1396	DEM57D1.exe	40
PID 1396 wrote to memory of 2800	1396	DEM57D1.exe	40
PID 2800 wrote to memory of 1716	2800	DEMAE0B.exe	41
PID 2800 wrote to memory of 1716	2800	DEMAE0B.exe	41
PID 2800 wrote to memory of 1716	2800	DEMAE0B.exe	41
PID 2800 wrote to memory of 1716	2800	DEMAE0B.exe	41

C:\Users\Admin\AppData\Local\Temp\44dc9df5f92cbe0388491f4de6ba350f.exe
"C:\Users\Admin\AppData\Local\Temp\44dc9df5f92cbe0388491f4de6ba350f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\DEM54F3.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM54F3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\DEMAC08.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAC08.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\DEM187.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM187.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\DEM57D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM57D1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Users\Admin\AppData\Local\Temp\DEMAE0B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAE0B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\DEM4D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4D1.exe"
        7⤵
        Executes dropped EXE
        
        PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMAC08.exe

Filesize
14KB

MD5
90e4245374185b1ca02d0c09c2741cbd

SHA1
24c71b66ed9da48d8176eb04fde532d4d5bfadf0

SHA256
e2b6c2ad38665fecc8f3189bfa4340b74b04f341e64acef010cd619fa328e563

SHA512
dc0bc261c7cc995b5bb55ced6231fcc18bd205fef1ebc97d4c4d52334fb4b8cdeac1613f24d2983902ce7dfdb4e37e54af83e05044338d01ce618364af635a1a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM187.exe

Filesize
14KB

MD5
c00e1a87e91bddbd94608b81f8cc0d3f

SHA1
33fd61d99c6a7378f78c5b501e85f33c0c71bed7

SHA256
81d12cbd6afe90714d0368bec72b2b9dd97b32ba28a459eba43de2ed6bf6a310

SHA512
1606c5cbe408125896f20577b0e36e2138591c96a1c85d73526d05fdb02f23c404c6a255c0c204f801d31181483bd73b2ce6491ea9433c41b22a54d8d2578365

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4D1.exe

Filesize
14KB

MD5
4825b7ebc39bcb2120e2fa4ec0de3ad5

SHA1
95e8cba88778008b4dcb417564dc6e841e07d1dc

SHA256
66e34763dd8a71b5ede805e40ae209b272df39fc3f9a6058482f413ec3afbc3c

SHA512
64f5b060fa28ad5000f9023bb6fc1373cbe6c18e87fc10c714f87d52b7521f65b49b10c37efa8d70f960c18b1d8c3e05711182a230347aa32e968eaebd5609f9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM54F3.exe

Filesize
14KB

MD5
fe3f9114b8eab108a042cc9ab048929c

SHA1
5c7f5f66bfdd7baeb95239c1c21a3b7d4e8aca2b

SHA256
40696365a091221fde65d1b62eec67e520d87e3fa160f0d9d3a09464e8f975d3

SHA512
4bde18ff57fd20bcad24a8de065d6001c298b6c26dd22e8d117ee508ccf5925326a43e088adbab316d5bc28ea5ee3e95dce921b7e2075575b0a3e0aefe26c979

Download Submit
\Users\Admin\AppData\Local\Temp\DEM57D1.exe

Filesize
14KB

MD5
893f65e044ba2156c1744b6246188f0e

SHA1
2a5df321cc57ce04b31fe3a174ca45eb14fdbba9

SHA256
f96491f71839c3b383704b1991a8dff6c24f2e16c28023f7c744e74a52dfbcea

SHA512
17e2b944fe463b8f0a36c14eb03487d2238aa77edba6bb3dfc3200920a7e47810fe4cb396f406fdc7202d81287d68bb7e4aa7d8d5443f7773b87034ab1ee60ec

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAE0B.exe

Filesize
14KB

MD5
f52122521c52e9b18ed5eb7e7095d89c

SHA1
cf675368b2cf6f193cd7a6197de82f8e06af87da

SHA256
4755fe648fb07df1079da0b18fd25d1788c5f39ae136fef3898c0612e9a0b4fc

SHA512
a0f51e404e2f91fe6dcbc293a39b3b3d39b3152f0615d3ad3a120cebcb7976edf20b1ff918a8c21227b32b5bd163b29b373c389d8f7a1ab688adbd1c033c6a63

Download Submit

Analysis

Sharing