f612a2e3dbdead0477781c3f2c023e8cfe370330b992883a6c685240ac2310f5

General

Target

3d46c4ed1007077d5e75d0f8ffe44199.exe
Size

16KB
MD5

3d46c4ed1007077d5e75d0f8ffe44199
SHA1

6c2c2d08e0a7e6a8f6238af3ad39e2a5d7b84d76
SHA256

f612a2e3dbdead0477781c3f2c023e8cfe370330b992883a6c685240ac2310f5
SHA512

7b460764a4014545b7b79ff17555fc8dc438e15ab0315b526b880be985856e4fd6ad5d52014be056ea3e9bcf0cee2ddd2d99f2b1b96a940b16d5d7515c93815b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlu3hn:hDXWipuE+K3/SSHgxmlu3hn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2936	DEM447F.exe
2456	DEM9AC9.exe
2812	DEMEFEA.exe
320	DEM4624.exe
576	DEM9BB3.exe
2376	DEMF113.exe

Loads dropped DLL 6 IoCs

pid	Process
1888	3d46c4ed1007077d5e75d0f8ffe44199.exe
2936	DEM447F.exe
2456	DEM9AC9.exe
2812	DEMEFEA.exe
320	DEM4624.exe
576	DEM9BB3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2936	1888	3d46c4ed1007077d5e75d0f8ffe44199.exe	29
PID 1888 wrote to memory of 2936	1888	3d46c4ed1007077d5e75d0f8ffe44199.exe	29
PID 1888 wrote to memory of 2936	1888	3d46c4ed1007077d5e75d0f8ffe44199.exe	29
PID 1888 wrote to memory of 2936	1888	3d46c4ed1007077d5e75d0f8ffe44199.exe	29
PID 2936 wrote to memory of 2456	2936	DEM447F.exe	33
PID 2936 wrote to memory of 2456	2936	DEM447F.exe	33
PID 2936 wrote to memory of 2456	2936	DEM447F.exe	33
PID 2936 wrote to memory of 2456	2936	DEM447F.exe	33
PID 2456 wrote to memory of 2812	2456	DEM9AC9.exe	35
PID 2456 wrote to memory of 2812	2456	DEM9AC9.exe	35
PID 2456 wrote to memory of 2812	2456	DEM9AC9.exe	35
PID 2456 wrote to memory of 2812	2456	DEM9AC9.exe	35
PID 2812 wrote to memory of 320	2812	DEMEFEA.exe	37
PID 2812 wrote to memory of 320	2812	DEMEFEA.exe	37
PID 2812 wrote to memory of 320	2812	DEMEFEA.exe	37
PID 2812 wrote to memory of 320	2812	DEMEFEA.exe	37
PID 320 wrote to memory of 576	320	DEM4624.exe	39
PID 320 wrote to memory of 576	320	DEM4624.exe	39
PID 320 wrote to memory of 576	320	DEM4624.exe	39
PID 320 wrote to memory of 576	320	DEM4624.exe	39
PID 576 wrote to memory of 2376	576	DEM9BB3.exe	41
PID 576 wrote to memory of 2376	576	DEM9BB3.exe	41
PID 576 wrote to memory of 2376	576	DEM9BB3.exe	41
PID 576 wrote to memory of 2376	576	DEM9BB3.exe	41

C:\Users\Admin\AppData\Local\Temp\3d46c4ed1007077d5e75d0f8ffe44199.exe
"C:\Users\Admin\AppData\Local\Temp\3d46c4ed1007077d5e75d0f8ffe44199.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\DEM447F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM447F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\DEM9AC9.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9AC9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\DEMEFEA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMEFEA.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\DEM4624.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4624.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Users\Admin\AppData\Local\Temp\DEM9BB3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9BB3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\DEMF113.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF113.exe"
        7⤵
        Executes dropped EXE
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM9AC9.exe

Filesize
16KB

MD5
7bfd9edcb541d41549e849cfa8d561ce

SHA1
80af57ccf7ea409a587c1d97dc3d10855349e5ca

SHA256
a388473f58f24dedf10618b9cc9ac218fc8aec3b0a0b4e26e5a47d1266cffd77

SHA512
ac90ed05b05c31c277f128d3dba60e1410c5f4347491a7e8bfb861373cae3220a9c6dd275c645d44903a0fea7ce830269203d85531d88b8d6ab1c0a59616cf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9BB3.exe

Filesize
16KB

MD5
dd38af2eb58915d2b985c42ec1546c55

SHA1
2d2c86ccb6e9381f850258134e7956313d2ff73a

SHA256
1f6f9458ff313e72227fbe85737b0156659329ab7aa44a15986375662c630afa

SHA512
56e2953d24923f4d4ed5094f6d22707cbbc6911890544575955a87ca370c37af9577c656513f74d1e722dcb584be130f31761320d1f35dd195cb4545a764ad34

Download Submit
\Users\Admin\AppData\Local\Temp\DEM447F.exe

Filesize
16KB

MD5
526dd4ad3122cadaf35917ff9ba200ed

SHA1
3631c73667fc84eb68f58f80f1ff05aa81e5f912

SHA256
5a9023234a5c084da5fc69f3940d3f46059c124aedc5f7b28a8491e3cd69ceba

SHA512
4955e52786ac13210fa174e4cbade83de932968eb5ed477828947cf1915650bbab4f07f7bc1b8e5ca92407aec6f82cee378288c923bb636204f41a0eee551b74

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4624.exe

Filesize
16KB

MD5
e3c0e7b7d0e7dde25c48224ecbfa7647

SHA1
af4f145cb50ec6670da219080669dba5a3ea87b6

SHA256
8c0e1e2be43ae9ae008d062e0b56da46de612657001245d568b49566566226e5

SHA512
5c38e5eb0d13b2ca1ca95de0d53a887f723efc973fec2aabeb2cb7f30861da8b9b6aab1254249e3bc634048aeec5be31d4bbc816387c718b8dea89e8d36f6a72

Download Submit
\Users\Admin\AppData\Local\Temp\DEMEFEA.exe

Filesize
16KB

MD5
fe1871ec6b6713b2f3c1fd645fdbf99f

SHA1
8c41184dca2b2937ae5d9ae715ac1f545910cb2c

SHA256
dfb9e2a7096b2f29f3912cf74c51861264020950beeac0899acc0b0f8378902b

SHA512
e609c154b1f480c9fcf4e147941834ab8b090fc778cc8ef24c24b50f992ac6aeb98f4886dcc4555c2211790c137018b84da4426560adae75beb167fb588538f7

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF113.exe

Filesize
16KB

MD5
7c1f3708957e4ac7bc6274c0c395db83

SHA1
00ccaec3a7597ee8479a7a2181a25fea12c29208

SHA256
7c65912b0686753fefcab72f37bfd8d4809fffb2c78e87982841f245c99d70eb

SHA512
8d69406d8c7a3b94f02e8a43838ead5191572bc417f371fa014f09e6d7dd0ffdef002d5387d630964a379fe47a92a762d8292fb7b899bf9b5505d9058d5c382d

Download Submit

Analysis

Sharing