305c1fa5f9e983b3c30812d8b0a1249e69a5033f9e17b9670c0e9da122ec7b28

General

Target

3db85be36123dc49e8d4211b94002089.exe
Size

13KB
MD5

3db85be36123dc49e8d4211b94002089
SHA1

cf530b3ad4a48325b0691a449d8328bdbd2a3e1d
SHA256

305c1fa5f9e983b3c30812d8b0a1249e69a5033f9e17b9670c0e9da122ec7b28
SHA512

ac95251cf092df10311b9e0b6ecc17c13422e4e5052ca281daa8e261fdbff4ce6a52539b3f3817b2a9368949c503943bf814bc22ddcd340a8af6c2599b5d6ff9
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh9c:hDXWipuE+K3/SSHgxHc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2560	DEM140D.exe
2504	DEM696D.exe
1716	DEMBF3A.exe
1756	DEM146B.exe
2712	DEM69DA.exe
1736	DEMBF2A.exe

Loads dropped DLL 6 IoCs

pid	Process
2872	3db85be36123dc49e8d4211b94002089.exe
2560	DEM140D.exe
2504	DEM696D.exe
1716	DEMBF3A.exe
1756	DEM146B.exe
2712	DEM69DA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2560	2872	3db85be36123dc49e8d4211b94002089.exe	29
PID 2872 wrote to memory of 2560	2872	3db85be36123dc49e8d4211b94002089.exe	29
PID 2872 wrote to memory of 2560	2872	3db85be36123dc49e8d4211b94002089.exe	29
PID 2872 wrote to memory of 2560	2872	3db85be36123dc49e8d4211b94002089.exe	29
PID 2560 wrote to memory of 2504	2560	DEM140D.exe	32
PID 2560 wrote to memory of 2504	2560	DEM140D.exe	32
PID 2560 wrote to memory of 2504	2560	DEM140D.exe	32
PID 2560 wrote to memory of 2504	2560	DEM140D.exe	32
PID 2504 wrote to memory of 1716	2504	DEM696D.exe	35
PID 2504 wrote to memory of 1716	2504	DEM696D.exe	35
PID 2504 wrote to memory of 1716	2504	DEM696D.exe	35
PID 2504 wrote to memory of 1716	2504	DEM696D.exe	35
PID 1716 wrote to memory of 1756	1716	DEMBF3A.exe	37
PID 1716 wrote to memory of 1756	1716	DEMBF3A.exe	37
PID 1716 wrote to memory of 1756	1716	DEMBF3A.exe	37
PID 1716 wrote to memory of 1756	1716	DEMBF3A.exe	37
PID 1756 wrote to memory of 2712	1756	DEM146B.exe	40
PID 1756 wrote to memory of 2712	1756	DEM146B.exe	40
PID 1756 wrote to memory of 2712	1756	DEM146B.exe	40
PID 1756 wrote to memory of 2712	1756	DEM146B.exe	40
PID 2712 wrote to memory of 1736	2712	DEM69DA.exe	42
PID 2712 wrote to memory of 1736	2712	DEM69DA.exe	42
PID 2712 wrote to memory of 1736	2712	DEM69DA.exe	42
PID 2712 wrote to memory of 1736	2712	DEM69DA.exe	42

C:\Users\Admin\AppData\Local\Temp\3db85be36123dc49e8d4211b94002089.exe
"C:\Users\Admin\AppData\Local\Temp\3db85be36123dc49e8d4211b94002089.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\DEM140D.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM140D.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DEM696D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM696D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\DEMBF3A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBF3A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\DEM146B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM146B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Users\Admin\AppData\Local\Temp\DEM69DA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM69DA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe"
        7⤵
        Executes dropped EXE
        
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM696D.exe

Filesize
13KB

MD5
557af6039c059f189b08cf46f755388d

SHA1
8a4e479f0680bef3950ffbb669eff0897f93b915

SHA256
51d7b74d47407733bc0245c1823d55e6913167d30cb2630323e689994c136b89

SHA512
6df4f0f9bd3b7e39bbb880a4b3062dcb4f3349d7964b2f15ee3b2880fc776f784d608868643258f62214ffb178e6ae33cd688281235dac984872830de8a584ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBF2A.exe

Filesize
14KB

MD5
bdf6f85b8cd6b320f682bba946b60412

SHA1
6c174c33d7966bd213d12d7886fb777c717b8c2c

SHA256
8c8b1553d2828c27964c598e1d340c6c1bf79f0e0760f36fd1f96c16d8e40c73

SHA512
1f78c8089b19a19a7f99107d4d5585ebb1412d85db90d950cadd95172df6f70631461c60210b5684f69d96cbdd46eb3c3979ea45e4be9d0b8f7c04035e362572

Download Submit
\Users\Admin\AppData\Local\Temp\DEM140D.exe

Filesize
13KB

MD5
734e51c1eadee123a4885c2e6050a765

SHA1
8a161a34413f9cac664940a952d5537fa1362aa0

SHA256
e52e44529ce919570402645ee39df7e729b007c739d9762bdc0805ffef924056

SHA512
62afc30d6a92608a5d88d791ef9679eae2fe1b13abc11a5f7842ef67894557c5c880d92c283d5eeeb568cb7bde88aea240826eaaa3a43a925619f0485d462833

Download Submit
\Users\Admin\AppData\Local\Temp\DEM146B.exe

Filesize
13KB

MD5
19fa380fad45232546b96bf0c5c4330d

SHA1
2b1f601bf5f396c56225cebd87408670e4143ba0

SHA256
6fdf7f55d360cb7b0a65e6583f3cf85b0578a52da12478c412a2fcfadf6d2ff3

SHA512
4c1480fce32158e77f64a0cc385c762f9eb962818a2def42aad08327d3d984795a310ea9407b6386648080cde48dfed33a4dea672ed6b24c740b7f9577603a9a

Download Submit
\Users\Admin\AppData\Local\Temp\DEM69DA.exe

Filesize
14KB

MD5
c848df998e628c394f751986b0ee30aa

SHA1
552b6ea50d6a4a9d395628b364a70aa03410389f

SHA256
282f1221686a9a9652cad2c114eeab4bc728f0da1f857a0e687d432bfdf1e04a

SHA512
9bad22e5d205ac6925a237c9b5e83fc3558c559d4fbbbfcfc42ef24cb8dd119884b24215270946cbb309f16b2866d622e1a4bebb2069dc29e722f2eb176ddee2

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBF3A.exe

Filesize
13KB

MD5
53a9aa50e8615790832d5c8c30b3a927

SHA1
411e6fd35d8819362dae25ad68f64dab364c54eb

SHA256
0ae0319f715bd44e3516f8715a03acc0cc99c934ad8e6b2141dc8e58a1074712

SHA512
ce8a471eb45a5aa993a7cea2541c632107374f9d86c2a2a71776e78861ddd4fbaae5c8a9ad229142ec37e70551a7d4f6ff492c8536ca9548e0449bf99c5071b7

Download Submit

Analysis

Sharing