701928a7af2bf68b830d17b78e21436270dce8344ccaf7e0c038b6beadd26744

General

Target

46ea1bb987dc352c98738b9a0cbfa26b.exe
Size

14KB
MD5

46ea1bb987dc352c98738b9a0cbfa26b
SHA1

e476964c54a94f2fc0c7222afc92538fe027dfa3
SHA256

701928a7af2bf68b830d17b78e21436270dce8344ccaf7e0c038b6beadd26744
SHA512

210343952167569a43448f65a06e5103e0ff9ea76b5bd38b78134f8e71bfaf56b3c6b329c72ee58f84c42bbb3526e34fee88498c8bff80eaca033333693a142b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhQ:hDXWipuE+K3/SSHgxu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2116	DEM192C.exe
2824	DEM6E8B.exe
1816	DEMC429.exe
3016	DEM19A8.exe
1496	DEM6F75.exe
2044	DEMC533.exe

Loads dropped DLL 6 IoCs

pid	Process
2180	46ea1bb987dc352c98738b9a0cbfa26b.exe
2116	DEM192C.exe
2824	DEM6E8B.exe
1816	DEMC429.exe
3016	DEM19A8.exe
1496	DEM6F75.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2116	2180	46ea1bb987dc352c98738b9a0cbfa26b.exe	29
PID 2180 wrote to memory of 2116	2180	46ea1bb987dc352c98738b9a0cbfa26b.exe	29
PID 2180 wrote to memory of 2116	2180	46ea1bb987dc352c98738b9a0cbfa26b.exe	29
PID 2180 wrote to memory of 2116	2180	46ea1bb987dc352c98738b9a0cbfa26b.exe	29
PID 2116 wrote to memory of 2824	2116	DEM192C.exe	32
PID 2116 wrote to memory of 2824	2116	DEM192C.exe	32
PID 2116 wrote to memory of 2824	2116	DEM192C.exe	32
PID 2116 wrote to memory of 2824	2116	DEM192C.exe	32
PID 2824 wrote to memory of 1816	2824	DEM6E8B.exe	35
PID 2824 wrote to memory of 1816	2824	DEM6E8B.exe	35
PID 2824 wrote to memory of 1816	2824	DEM6E8B.exe	35
PID 2824 wrote to memory of 1816	2824	DEM6E8B.exe	35
PID 1816 wrote to memory of 3016	1816	DEMC429.exe	37
PID 1816 wrote to memory of 3016	1816	DEMC429.exe	37
PID 1816 wrote to memory of 3016	1816	DEMC429.exe	37
PID 1816 wrote to memory of 3016	1816	DEMC429.exe	37
PID 3016 wrote to memory of 1496	3016	DEM19A8.exe	39
PID 3016 wrote to memory of 1496	3016	DEM19A8.exe	39
PID 3016 wrote to memory of 1496	3016	DEM19A8.exe	39
PID 3016 wrote to memory of 1496	3016	DEM19A8.exe	39
PID 1496 wrote to memory of 2044	1496	DEM6F75.exe	41
PID 1496 wrote to memory of 2044	1496	DEM6F75.exe	41
PID 1496 wrote to memory of 2044	1496	DEM6F75.exe	41
PID 1496 wrote to memory of 2044	1496	DEM6F75.exe	41

C:\Users\Admin\AppData\Local\Temp\46ea1bb987dc352c98738b9a0cbfa26b.exe
"C:\Users\Admin\AppData\Local\Temp\46ea1bb987dc352c98738b9a0cbfa26b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\DEM192C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM192C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\DEM6E8B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6E8B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\DEMC429.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC429.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\DEM19A8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM19A8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\DEM6F75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F75.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\DEMC533.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC533.exe"
        7⤵
        Executes dropped EXE
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6E8B.exe

Filesize
14KB

MD5
5169832c9f9140f15787dcb553a7c4f5

SHA1
17618e33c24187124de827168f04cc80c3b2d639

SHA256
68704ced2492ff8cabd642ae4e9f94aa7a22953099517383e9fca7c517236e4e

SHA512
56ed17d03dfc264dc56c64e7e6b9b72fd9ae7dc0d6214c4bc49ecdb7f397263284b726602a2367465a6fc912fe363f3312cb9a71cd9e71248ef4d1d9cc79233a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM192C.exe

Filesize
14KB

MD5
fb3912d116e3387a743b03d49416300a

SHA1
768bf86cc1763be7b78e5564f453d511da7fd840

SHA256
d010dae24baadca5cffd85c03fca7ecf06b5b1a8c7d842a0ccdbc9b2edeb33c7

SHA512
acb30ac5f9eba866c1048a10671d78cb13a0c5d66bf36347177e1dc1e570e490748e4a6106596205983522eee72d097826b8cfc470ecf224cf4b56c7e865b0f2

Download Submit
\Users\Admin\AppData\Local\Temp\DEM19A8.exe

Filesize
14KB

MD5
d418de28fec0757fee6b366249fea8fc

SHA1
925eb199c41c46540eced91aebd11ddd478e2f40

SHA256
0256064db277e4e4e2a249b56b15ba2a00242d06ef49508a2aaa9c90260f6fcc

SHA512
429a13d5c2b624114420de7dfd545c5e4723eafb7dc361083887af3b446c2ce2bca8819672f8589806167c6338075d7415998cfc6228888b7ffe68f3d34e6d49

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6F75.exe

Filesize
14KB

MD5
b1a5e4581f2c298ff93b7cd97c3e9019

SHA1
9f5ae5c2b7f3901515669f75c98c355d50bec617

SHA256
cacde173a131e414d8381b51f49cd1bf3271f5a14003b691400b6aec950a2c96

SHA512
63723a2105165a31ac4cef1ef086c7a7a340d337c1dcc308e810a2f637e4d746169aa050972cc02e104fefd6deb7a28929253a653e7b4324f0199ca3021c1dd6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC429.exe

Filesize
14KB

MD5
a51d6b0173b76ef5f42ee198ffabab9a

SHA1
316fd099bdd00d5094923bcc34375a2c1a5aaaaa

SHA256
5bea0cd82abf8535dcf5cda25998e51f01d106c0ecfc76b5bcffc95dd88fca51

SHA512
a6ac04dc247885c1a4064798934f0c4ef5a8b89571ee599483e432c33a0acff8040e3f0f0ee8e2903f8fbe342a2a5e71cc2fdb9331ddb374772c215f953701fc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC533.exe

Filesize
14KB

MD5
7293462ead95060e4d86ffaa7413ce50

SHA1
f037b3eff8476332030577719e252fd4e1c438f6

SHA256
e439da4a81ccbbcb7dc9ab086ca0fa447f7fff13b11919d80118eef89a37f13a

SHA512
fe69aa462d9ed62d6b6fb5a91b28e799576acc80bd278082ab12c7928765ed4a056726a9e3f49b1622799a9b50b5e025e0b0ae3cd503755a37eb3dab5ac0082b

Download Submit

Analysis

Sharing