d1433959435bc3273944aab4444973dfa20703d0c0a00584ffee0d830dc525d7

General

Target

3d93982481894e73013a004aedd2e1db.exe
Size

15KB
MD5

3d93982481894e73013a004aedd2e1db
SHA1

3d1e920b3e08f1c2bf90b652baccb9a096c7735d
SHA256

d1433959435bc3273944aab4444973dfa20703d0c0a00584ffee0d830dc525d7
SHA512

a6e1aefc4fa53a202f804915e443ecc9a3c85317cf6966ccca001996864f810b98256e4eb0526bd86ea1be1d0c2cc6c5c0cf86e5c2f07d7499f842cb998a5b3f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2H442z:hDXWipuE+K3/SSHgxmKEYf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2584	DEMC236.exe
800	DEM1842.exe
2324	DEM6DA1.exe
1248	DEMC301.exe
2232	DEM1880.exe
1980	DEM559F.exe

Loads dropped DLL 6 IoCs

pid	Process
2704	3d93982481894e73013a004aedd2e1db.exe
2584	DEMC236.exe
800	DEM1842.exe
2324	DEM6DA1.exe
1248	DEMC301.exe
2232	DEM1880.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2584	2704	3d93982481894e73013a004aedd2e1db.exe	30
PID 2704 wrote to memory of 2584	2704	3d93982481894e73013a004aedd2e1db.exe	30
PID 2704 wrote to memory of 2584	2704	3d93982481894e73013a004aedd2e1db.exe	30
PID 2704 wrote to memory of 2584	2704	3d93982481894e73013a004aedd2e1db.exe	30
PID 2584 wrote to memory of 800	2584	DEMC236.exe	32
PID 2584 wrote to memory of 800	2584	DEMC236.exe	32
PID 2584 wrote to memory of 800	2584	DEMC236.exe	32
PID 2584 wrote to memory of 800	2584	DEMC236.exe	32
PID 800 wrote to memory of 2324	800	DEM1842.exe	34
PID 800 wrote to memory of 2324	800	DEM1842.exe	34
PID 800 wrote to memory of 2324	800	DEM1842.exe	34
PID 800 wrote to memory of 2324	800	DEM1842.exe	34
PID 2324 wrote to memory of 1248	2324	DEM6DA1.exe	36
PID 2324 wrote to memory of 1248	2324	DEM6DA1.exe	36
PID 2324 wrote to memory of 1248	2324	DEM6DA1.exe	36
PID 2324 wrote to memory of 1248	2324	DEM6DA1.exe	36
PID 1248 wrote to memory of 2232	1248	DEMC301.exe	38
PID 1248 wrote to memory of 2232	1248	DEMC301.exe	38
PID 1248 wrote to memory of 2232	1248	DEMC301.exe	38
PID 1248 wrote to memory of 2232	1248	DEMC301.exe	38
PID 2232 wrote to memory of 1980	2232	DEM1880.exe	40
PID 2232 wrote to memory of 1980	2232	DEM1880.exe	40
PID 2232 wrote to memory of 1980	2232	DEM1880.exe	40
PID 2232 wrote to memory of 1980	2232	DEM1880.exe	40

C:\Users\Admin\AppData\Local\Temp\3d93982481894e73013a004aedd2e1db.exe
"C:\Users\Admin\AppData\Local\Temp\3d93982481894e73013a004aedd2e1db.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\DEMC236.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMC236.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DEM1842.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM1842.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\DEM6DA1.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6DA1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\DEMC301.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC301.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Users\Admin\AppData\Local\Temp\DEM1880.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1880.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\DEM559F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM559F.exe"
        7⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\DEMABBA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMABBA.exe"
        8⤵
        
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1842.exe

Filesize
15KB

MD5
6f62670d65bec3743311415cdbe8dc74

SHA1
b027afbd5f3bade2ea0a91dad5579a9eb20ac5e3

SHA256
7fa2ba137a098004e26e1b628168f17856b7801f9be1e2d1a61bbe4b3c5f7b2d

SHA512
c31d647bc5d2ec218b639c831a2a8f216031f7005deebfdd45b7ee9f242e17400c9df6d6ba75092afc7c63b6d2f3c9ae8a6a9dea87e40a4b8ebc037f5cb36706

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM1880.exe

Filesize
15KB

MD5
400e306384d53fcd1bdda2fa98daefda

SHA1
3053795172acde7aaca842ee00b03abbf225b1c3

SHA256
40bd8079f84a911290617c2e035bc43872e6b2c4eba5e20f211ed56dcf3bcf1e

SHA512
313ae8024cbaaffa7a54aca8947dfe7f7b6965f66545a5bcea0de07db564437810773f7e15b9703750d34cf038e5fa665ce2f663b8c22bb8b56b642bcb406cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM6DA1.exe

Filesize
15KB

MD5
42d0109bc6fba05b0d0aba0bad0d3936

SHA1
a39d0c1e22cc42d6dbc6ec2a3d8ebd9e32d36132

SHA256
1bb4bc1e61922e63e7b9ac2240d61bc5de7bbe43961812ef3bafe139211eb614

SHA512
53483446ccb28ab4fbb61061914aa14b6dabb38cfbeffdfd39baefefba5dd068d84314f0c2ff5f2f0618497f855b6e94b36b7849e5e0007796df218d3b3f2b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMABBA.exe

Filesize
15KB

MD5
c36385cc0f7f9627fc3761a831cbd68b

SHA1
b98a7540769a3d9c7a6f188d83b6598cca195e27

SHA256
73c64ff75bdc63b7785e97c1c81d5469c5771d0b9dd196136a294e0bf4fa90cb

SHA512
cad29bfba926881954ce56e1309a83cb5311d2ddec1a9f5a9d8200893133f0529e64f391a9d11008531d37461d65971d2fba4841706acaf23ce6f9db5d577459

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC301.exe

Filesize
15KB

MD5
87aab953f24c0542bf277f3ec663fc04

SHA1
220ed02af7605e0c90bcbff748ad3aba73ad398a

SHA256
25dc75323294157d0878cf3edc90f7b6ba0bdffc76a23551d1c4b8aadf7cafea

SHA512
be3feccd63d07b86c357b186dedb999056eb0b3b92b4093f087df539ff521fc410882ef5b4a46829fac152113c9f6064ea935ef6d9f3addb59d6ed78bb6b75c3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM559F.exe

Filesize
15KB

MD5
1736f7988d26ade9494411bc6df9e862

SHA1
e02d00f7995dfd2e0ee4f4267e25cb5328822a13

SHA256
a06fbdc32c123913502ae1450cc902e293a29a5751c246868e46bb1e5a96c39e

SHA512
2dfa184bcf385af60255a4a4fd824da0958244e8e35aa288778afc59fb8e4b9a32c7ea3b928e4757b77bebe7c3ce10e2163eac3f860a4585ee8299bed0057c68

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC236.exe

Filesize
15KB

MD5
799f09c5e51a3be2f9207b5e6abd1867

SHA1
c4f9d8b2f0f66c1d72cc7ba4e5afaeff4f991e23

SHA256
6d15ff71db71e638d272240c9933e746170d8eff720534c521bb9580e8b48b30

SHA512
2a1b257c97258b7c3f415c5c5df749d40526c74e83656a5050f284acea149c6f7a3061342f9313a42fd1501d85c916f8b11e9f66c025f486a6e79703e3171294

Download Submit

Analysis

Sharing