7a317a38601cfea3b8a8b8798d189b4dce15bb71f1d07e4ff5ec510bf2a5c0a3

General

Target

452d680c2afaab369bce98183e51527b.exe
Size

16KB
MD5

452d680c2afaab369bce98183e51527b
SHA1

accbefa03b6c4f30c8f730fc3155037415143454
SHA256

7a317a38601cfea3b8a8b8798d189b4dce15bb71f1d07e4ff5ec510bf2a5c0a3
SHA512

da744348900b97b782471bb4f9e8c5bbc2127a04a6e506aa70c2b33e5a2e723ba2d2a38248e7309eaa20c82b33578358cbc73356fc08783038179009c896c64c
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhJ2A:hDXWipuE+K3/SSHgxp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2712	DEM7FC.exe
2092	DEM5D4C.exe
2984	DEMB27D.exe
2796	DEM7DD.exe
2016	DEM5D1E.exe
1916	DEMB27E.exe

Loads dropped DLL 6 IoCs

pid	Process
3036	452d680c2afaab369bce98183e51527b.exe
2712	DEM7FC.exe
2092	DEM5D4C.exe
2984	DEMB27D.exe
2796	DEM7DD.exe
2016	DEM5D1E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2712	3036	452d680c2afaab369bce98183e51527b.exe	29
PID 3036 wrote to memory of 2712	3036	452d680c2afaab369bce98183e51527b.exe	29
PID 3036 wrote to memory of 2712	3036	452d680c2afaab369bce98183e51527b.exe	29
PID 3036 wrote to memory of 2712	3036	452d680c2afaab369bce98183e51527b.exe	29
PID 2712 wrote to memory of 2092	2712	DEM7FC.exe	31
PID 2712 wrote to memory of 2092	2712	DEM7FC.exe	31
PID 2712 wrote to memory of 2092	2712	DEM7FC.exe	31
PID 2712 wrote to memory of 2092	2712	DEM7FC.exe	31
PID 2092 wrote to memory of 2984	2092	DEM5D4C.exe	35
PID 2092 wrote to memory of 2984	2092	DEM5D4C.exe	35
PID 2092 wrote to memory of 2984	2092	DEM5D4C.exe	35
PID 2092 wrote to memory of 2984	2092	DEM5D4C.exe	35
PID 2984 wrote to memory of 2796	2984	DEMB27D.exe	37
PID 2984 wrote to memory of 2796	2984	DEMB27D.exe	37
PID 2984 wrote to memory of 2796	2984	DEMB27D.exe	37
PID 2984 wrote to memory of 2796	2984	DEMB27D.exe	37
PID 2796 wrote to memory of 2016	2796	DEM7DD.exe	39
PID 2796 wrote to memory of 2016	2796	DEM7DD.exe	39
PID 2796 wrote to memory of 2016	2796	DEM7DD.exe	39
PID 2796 wrote to memory of 2016	2796	DEM7DD.exe	39
PID 2016 wrote to memory of 1916	2016	DEM5D1E.exe	41
PID 2016 wrote to memory of 1916	2016	DEM5D1E.exe	41
PID 2016 wrote to memory of 1916	2016	DEM5D1E.exe	41
PID 2016 wrote to memory of 1916	2016	DEM5D1E.exe	41

C:\Users\Admin\AppData\Local\Temp\452d680c2afaab369bce98183e51527b.exe
"C:\Users\Admin\AppData\Local\Temp\452d680c2afaab369bce98183e51527b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM7FC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\DEM5D4C.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5D4C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\DEMB27D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB27D.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\DEM7DD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM7DD.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\DEM5D1E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5D1E.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\DEMB27E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB27E.exe"
        7⤵
        Executes dropped EXE
        
        PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5D4C.exe

Filesize
16KB

MD5
1bdeb2746a4f1607c2fd42b0ad22bcb7

SHA1
c848168e27545dc1409e14728bc51939bb53c8a9

SHA256
bff50fa314ac1605478999fc8e47742a70b9802dfec3fb610ce8f0666d4c4c54

SHA512
610cc0f6be6c2151d4526b9a676cdd5fa93b77c5c963fc2991d52986a882a067686ab6bd7c92807df3d3af759cb348dee686b0b43e61f11fb5dbc42a02158821

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB27E.exe

Filesize
16KB

MD5
4e1404dc8a5ebe65f0c5701e48e764ef

SHA1
d2a1eeca746033da4df4aa2c2604753257f8b704

SHA256
5ca1dcf4013662c9954561f631d75056d84f12aad79fab1cd06b0cf71153440b

SHA512
3181078c6ea6e600b1589c74ab33004ae24e0e0ea6cdde9107f2cc9790dfa806e091416243a6c56d2e3674b16077cf2021d86fc77620e32f4b3d57e2d1d8f8f4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5D1E.exe

Filesize
16KB

MD5
967e986857a5a167de5d513aee94fa41

SHA1
e1394cdfd2a83a2497d1d7d5b9338e805cd7a1c3

SHA256
f5b30e16d3fe2fe2c3f77489316b2ff9cc14ff2164db8b31776761a38582d92f

SHA512
4287c2011435607cb3c968741b4dec9082916fb3784ff859b58f0931085d1f4b5a5447178bafd9700e3cf983457ae46c7be6c03f5e794670177c3acfce264c9c

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7DD.exe

Filesize
16KB

MD5
1473a41f6f99aa0bbef8e69e76ea0c97

SHA1
e79d375c112e707e8b75bcb6987fbb0b0084f310

SHA256
f0fac932daea904ccdb597e26f7eed0204a7377f5fd7c8d870f025440b987872

SHA512
634f109280f280463d1200b6f3d008ea887025efc090ac55de4558c37c09e25e1a9a735e2d2be7b7b09072b1365b40f0661de5e753497fbf9803a4f4daea37c8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM7FC.exe

Filesize
16KB

MD5
f19c1d6cfbc9859b7486bf478ed12cbd

SHA1
ca88244d32c7e7fe6666bdb6ce8f26301cf914f9

SHA256
ac2c178c0fb157025a419bb485ea553fc32879aa029c7698bf4b404bd7897504

SHA512
9390f37e9f418d03ab7297ef3e067ed50aefaf92ff1f64dde5a5fc96831c54022c6f64c72b6c204c6bc794c5d0bcad1f7c8958989d6b801565b65c48eb0b6ab5

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB27D.exe

Filesize
16KB

MD5
4761ae67edbac23b3f6a1c74cee7ba52

SHA1
a2a24bba0a8b76ea7570b0cd4c566fbd276de1a9

SHA256
8b4f9b69c79a5682debc99e6ad587a78a49fcc86c5658b0237458ece409df5b8

SHA512
693993cde2fa07e45d12e71318611b52baa5c5dd11cd24aa64df5663ae323361efe9a9982338b62248a96363cc39d0c1a2aaa6f585a0ed406f232ceae0946bde

Download Submit

Analysis

Sharing