c2274f5295ba76fdda51f479c9713a0c7985f21db4dfcc36cb84f7b4f94f5310

General

Target

3f41eeab7ce2e649cc2daf91d56d32a0.exe
Size

15KB
MD5

3f41eeab7ce2e649cc2daf91d56d32a0
SHA1

590ae145dfc7c7edd3f9838125edc0465c11f5cd
SHA256

c2274f5295ba76fdda51f479c9713a0c7985f21db4dfcc36cb84f7b4f94f5310
SHA512

9b051f6c1fbef11b4fd30ef2eb38290af4c11dff362cb3b758aa6814f1804789d44d6332bc20109897527131d1bf020a748908ba062f189982632c9d7f38dd78
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8QC:hDXWipuE+K3/SSHgxm8l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2788	DEM58C.exe
2756	DEM5A9E.exe
1364	DEMAF91.exe
1940	DEM4D1.exe
1560	DEM59D3.exe
2872	DEMAFDF.exe

Loads dropped DLL 6 IoCs

pid	Process
1684	3f41eeab7ce2e649cc2daf91d56d32a0.exe
2788	DEM58C.exe
2756	DEM5A9E.exe
1364	DEMAF91.exe
1940	DEM4D1.exe
1560	DEM59D3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2788	1684	3f41eeab7ce2e649cc2daf91d56d32a0.exe	29
PID 1684 wrote to memory of 2788	1684	3f41eeab7ce2e649cc2daf91d56d32a0.exe	29
PID 1684 wrote to memory of 2788	1684	3f41eeab7ce2e649cc2daf91d56d32a0.exe	29
PID 1684 wrote to memory of 2788	1684	3f41eeab7ce2e649cc2daf91d56d32a0.exe	29
PID 2788 wrote to memory of 2756	2788	DEM58C.exe	32
PID 2788 wrote to memory of 2756	2788	DEM58C.exe	32
PID 2788 wrote to memory of 2756	2788	DEM58C.exe	32
PID 2788 wrote to memory of 2756	2788	DEM58C.exe	32
PID 2756 wrote to memory of 1364	2756	DEM5A9E.exe	35
PID 2756 wrote to memory of 1364	2756	DEM5A9E.exe	35
PID 2756 wrote to memory of 1364	2756	DEM5A9E.exe	35
PID 2756 wrote to memory of 1364	2756	DEM5A9E.exe	35
PID 1364 wrote to memory of 1940	1364	DEMAF91.exe	37
PID 1364 wrote to memory of 1940	1364	DEMAF91.exe	37
PID 1364 wrote to memory of 1940	1364	DEMAF91.exe	37
PID 1364 wrote to memory of 1940	1364	DEMAF91.exe	37
PID 1940 wrote to memory of 1560	1940	DEM4D1.exe	39
PID 1940 wrote to memory of 1560	1940	DEM4D1.exe	39
PID 1940 wrote to memory of 1560	1940	DEM4D1.exe	39
PID 1940 wrote to memory of 1560	1940	DEM4D1.exe	39
PID 1560 wrote to memory of 2872	1560	DEM59D3.exe	41
PID 1560 wrote to memory of 2872	1560	DEM59D3.exe	41
PID 1560 wrote to memory of 2872	1560	DEM59D3.exe	41
PID 1560 wrote to memory of 2872	1560	DEM59D3.exe	41

C:\Users\Admin\AppData\Local\Temp\3f41eeab7ce2e649cc2daf91d56d32a0.exe
"C:\Users\Admin\AppData\Local\Temp\3f41eeab7ce2e649cc2daf91d56d32a0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\DEM58C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM58C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\DEM5A9E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5A9E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\DEMAF91.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMAF91.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\DEM4D1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4D1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\DEM59D3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM59D3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\DEMAFDF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFDF.exe"
        7⤵
        Executes dropped EXE
        
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM58C.exe

Filesize
15KB

MD5
0454244aa977630d01be36e038e3150e

SHA1
1dec25deef966357a172410723750221dbcd0f1a

SHA256
d29a2efc1599a830d22a004972e73a4782e9fc5d7c6dccc2a2b371ca01143fc9

SHA512
13bfdb7293b8115afdde9de20868265cbda9f32d1fa9110b37f4eea3171f030e223bb68f52b61e6f3659cd2ba57f637131faae53267a959c46e7e1a752415ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5A9E.exe

Filesize
15KB

MD5
23f2eab2704a6f44fbf59c366ff5b782

SHA1
4db460abaa85cbeed40d81ad78485bd72b13ca3c

SHA256
721d34528e4556fa5c215e4c8dbaf6495bb6cfe0cc28ee945db7180d3960b885

SHA512
b09efa9351c1c9c94281a73a5e91517e6003655eeaf5af5be71c05b757ff133beda47f4cb2c85810b1da2af5db2e8b727c24fea94e873c06fd18dd08019470bc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4D1.exe

Filesize
15KB

MD5
cf5e99a11c7dabcfe11c17e3368868c1

SHA1
d363b35718585c3d8131ef4e82be71b07fc2333c

SHA256
f430c31519f662b2d06b40c123212030c64bc13e4f5bfa9ec23af94135dd1147

SHA512
bc798376bb52c25a8c8a645d401303c4ac02771fa0c1f5b0d4bd48d7a49eb83ef6e62bd70d97e65d4b4ff302831bf41da49ebe592f01069922a5cdd6c1b683a9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM59D3.exe

Filesize
15KB

MD5
0ec5242aab4adbd3b07a14c733784151

SHA1
cc5e3734310095fa8eb8590004ea3d7f79917f2a

SHA256
4e389604fd264e83b1611c15a08a4d288639a748a8c85ead618e15365ba18aeb

SHA512
a7cfb5e5c9cee48d2266a6ed26a3a14f880b6411a3df9099e431167889fcdc9caf46619bf4daaff4dd3141da77e6aef508fa9143a87f657f616dcb3b8734f765

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAF91.exe

Filesize
15KB

MD5
a3192f81d92371405ec89430d6f66bd1

SHA1
4d85723689b0cf118a1fdf8d8496c09c94fa0a4a

SHA256
530a022a41b9fb7b34d6f391c661eb90ff8d148810b19a7e424cab56fe7a1964

SHA512
1b64013380fea98e2d115855b13ec6b8a0b76bad4b65549225182771a30b57def990304a740e4391241095dd15691013a357c509bf9e63f1432797958bd543fa

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAFDF.exe

Filesize
15KB

MD5
2c15d8c391528848e2321788ff41cd8c

SHA1
2b0584ad16a1733e79b2dbff4367b6e0af28fd32

SHA256
c30a15f06d162b0434626f22e4861e05ebdc225de4d5de778c5ac9577da06b99

SHA512
41d5c7b6435ec70ce43d40f10e710a8e5424e8fb8ab4de9ec74bda7384311819331a053d502770dbc81f0eb72f4376a1c4186981af42eac8574d8992ea279969

Download Submit

Analysis

Sharing