230cde00ef107d5ea7dbe60c89f742704bae4bf02f5676d09b19468993485d7d

General

Target

40e5826f12390c3a64a8b1d3bd7e6e83.exe
Size

14KB
MD5

40e5826f12390c3a64a8b1d3bd7e6e83
SHA1

c3b8c74e3b4526047afe22a278ac24b934bdb2f6
SHA256

230cde00ef107d5ea7dbe60c89f742704bae4bf02f5676d09b19468993485d7d
SHA512

60249e11bb853556afe4976092e6a808faecfd0c0dd4e63fc990005532803947b5a05b783e5b545fad4c2ac31d4cc9c19cddd65af89cf9b8607b6f8a8339b455
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/TyB:hDXWipuE+K3/SSHgxm/TK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2752	DEM191C.exe
2724	DEM6F37.exe
1228	DEMC504.exe
764	DEM1A35.exe
2988	DEM6F85.exe
1996	DEMC505.exe

Loads dropped DLL 6 IoCs

pid	Process
1936	40e5826f12390c3a64a8b1d3bd7e6e83.exe
2752	DEM191C.exe
2724	DEM6F37.exe
1228	DEMC504.exe
764	DEM1A35.exe
2988	DEM6F85.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2752	1936	40e5826f12390c3a64a8b1d3bd7e6e83.exe	29
PID 1936 wrote to memory of 2752	1936	40e5826f12390c3a64a8b1d3bd7e6e83.exe	29
PID 1936 wrote to memory of 2752	1936	40e5826f12390c3a64a8b1d3bd7e6e83.exe	29
PID 1936 wrote to memory of 2752	1936	40e5826f12390c3a64a8b1d3bd7e6e83.exe	29
PID 2752 wrote to memory of 2724	2752	DEM191C.exe	31
PID 2752 wrote to memory of 2724	2752	DEM191C.exe	31
PID 2752 wrote to memory of 2724	2752	DEM191C.exe	31
PID 2752 wrote to memory of 2724	2752	DEM191C.exe	31
PID 2724 wrote to memory of 1228	2724	DEM6F37.exe	35
PID 2724 wrote to memory of 1228	2724	DEM6F37.exe	35
PID 2724 wrote to memory of 1228	2724	DEM6F37.exe	35
PID 2724 wrote to memory of 1228	2724	DEM6F37.exe	35
PID 1228 wrote to memory of 764	1228	DEMC504.exe	37
PID 1228 wrote to memory of 764	1228	DEMC504.exe	37
PID 1228 wrote to memory of 764	1228	DEMC504.exe	37
PID 1228 wrote to memory of 764	1228	DEMC504.exe	37
PID 764 wrote to memory of 2988	764	DEM1A35.exe	40
PID 764 wrote to memory of 2988	764	DEM1A35.exe	40
PID 764 wrote to memory of 2988	764	DEM1A35.exe	40
PID 764 wrote to memory of 2988	764	DEM1A35.exe	40
PID 2988 wrote to memory of 1996	2988	DEM6F85.exe	41
PID 2988 wrote to memory of 1996	2988	DEM6F85.exe	41
PID 2988 wrote to memory of 1996	2988	DEM6F85.exe	41
PID 2988 wrote to memory of 1996	2988	DEM6F85.exe	41

C:\Users\Admin\AppData\Local\Temp\40e5826f12390c3a64a8b1d3bd7e6e83.exe
"C:\Users\Admin\AppData\Local\Temp\40e5826f12390c3a64a8b1d3bd7e6e83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\DEM191C.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM191C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\DEM6F37.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6F37.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\DEMC504.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC504.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM1A35.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Users\Admin\AppData\Local\Temp\DEM6F85.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6F85.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\DEMC505.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMC505.exe"
        7⤵
        Executes dropped EXE
        
        PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6F37.exe

Filesize
14KB

MD5
ea4d5fa91e70842251101e3de534dc76

SHA1
f59d221bfa6d3f569275cb03a173f59a959164fa

SHA256
bb900de33d2c3a718ad3e4fe045191170fba11c97495dacc16e470ac4b8daff9

SHA512
a8c90d05961a9f7f7bba7b9153dff5c86207b67d66ea2efdecd8decac0dca3aca9e56172b5c41a8bdfe8d7d195c6b6e5ec61b2938057160fa2e9f0a695d0af7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC505.exe

Filesize
14KB

MD5
6a129937edb53696c121c11db6e5039a

SHA1
774c7ffa8acb4947faa34071332381e4b0ec2760

SHA256
fc007604baa6a5d43d1783fd84f2cdf71eda996c845b661c5920eff644d5764e

SHA512
fec47185f5b7ce8a3fb2ea55321d20ccbe6a8cc2b8c52587ebb269694c68e52b6c2d810b5e057f1f4d8221c91929dcb0f1e8f5a8429fea1d8054ab586bf53de3

Download Submit
\Users\Admin\AppData\Local\Temp\DEM191C.exe

Filesize
14KB

MD5
f073def675949ed196c7fcfbe3536b40

SHA1
cab272efc332d3705975e925d808d873b27984ef

SHA256
d83d0066676174eb7a28acf670d54eefb37e3b02d577256540a5fea193f81acb

SHA512
81c489ceda98c1d3a3e599e18b70b967c60ac28bf6c8846400d834b7882a7cdb7d2d2ea111eea443ef59b7bf739870317572c45339d67f5fc201735a4bb07c0d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1A35.exe

Filesize
14KB

MD5
245b9325563a75bae8cd1378dcc638b4

SHA1
9332e60c77252259d244db1c8381301416e3ab80

SHA256
c2c685c8813601c101a4e06b3f99e3f515253ef0fd5bfc224e0b0fae05e12a17

SHA512
95b5fe4846d7cd0144b7767c5e9cc56650aceb3890e4d7c2e9221bb4940211cc44cdc51bb8b289efd311e141c3a5629d35206a2c7d1c2083e0675b83a1b9c186

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6F85.exe

Filesize
14KB

MD5
43f0b828e4255ac9b576a191df14a1b1

SHA1
40c4ed69d33a958b4b7ec8b26b4d980e32d1d5d2

SHA256
13ad64edc4cf0057f31cefa219e3c246ea782e3c784ac1a7c10a9a861003b08f

SHA512
46bd98f24a3ef5c2d1ef740997192bf507ac0a7e459591521717e2436600c9d1583f41fce6a1f9aff9f49d8f85fb3e5e7e0ffa0f13382d80cc1360088a507e90

Download Submit
\Users\Admin\AppData\Local\Temp\DEMC504.exe

Filesize
14KB

MD5
08e6a3a2c2844ddb019d5da2935497b2

SHA1
a8b85ffb3ad30e34c312886138215187a3c16b07

SHA256
71ad031fd1e203c9ca759730e994aaf51a3281e3776710233e13da3c90fd8bf7

SHA512
1fa6c361f93d97bd513f13fc705def864631c7cf37fac039cb8a6b13784a7ff322087c229b232e48858396ced441d0eac43c689d3b88baa19333cd6cc6952ad3

Download Submit

Analysis

Sharing