0b489312b26ae35fafa84fca90e3be2a806c1e33045e24a3fa9840de2d675259

General

Target

4247212c4efcaa57ebb70e02b6472867.exe
Size

15KB
MD5

4247212c4efcaa57ebb70e02b6472867
SHA1

632de8be2b025da10cafb90ef8ee383d27cda937
SHA256

0b489312b26ae35fafa84fca90e3be2a806c1e33045e24a3fa9840de2d675259
SHA512

5b770cc69132d23f1ffc296ec7f19a1ba3e446d0adf3642b0c4190f12a92061d32f93e7d9718d2c65dba339b30700792a1ef3c0299815a1f3e8a66c2d1f6a602
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4EHy:hDXWipuE+K3/SSHgxmq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2692	DEM385F.exe
2636	DEM8FC1.exe
2932	DEME60B.exe
1368	DEM3C74.exe
980	DEM92BE.exe
1768	DEME927.exe

Loads dropped DLL 6 IoCs

pid	Process
2172	4247212c4efcaa57ebb70e02b6472867.exe
2692	DEM385F.exe
2636	DEM8FC1.exe
2932	DEME60B.exe
1368	DEM3C74.exe
980	DEM92BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2692	2172	4247212c4efcaa57ebb70e02b6472867.exe	29
PID 2172 wrote to memory of 2692	2172	4247212c4efcaa57ebb70e02b6472867.exe	29
PID 2172 wrote to memory of 2692	2172	4247212c4efcaa57ebb70e02b6472867.exe	29
PID 2172 wrote to memory of 2692	2172	4247212c4efcaa57ebb70e02b6472867.exe	29
PID 2692 wrote to memory of 2636	2692	DEM385F.exe	33
PID 2692 wrote to memory of 2636	2692	DEM385F.exe	33
PID 2692 wrote to memory of 2636	2692	DEM385F.exe	33
PID 2692 wrote to memory of 2636	2692	DEM385F.exe	33
PID 2636 wrote to memory of 2932	2636	DEM8FC1.exe	35
PID 2636 wrote to memory of 2932	2636	DEM8FC1.exe	35
PID 2636 wrote to memory of 2932	2636	DEM8FC1.exe	35
PID 2636 wrote to memory of 2932	2636	DEM8FC1.exe	35
PID 2932 wrote to memory of 1368	2932	DEME60B.exe	37
PID 2932 wrote to memory of 1368	2932	DEME60B.exe	37
PID 2932 wrote to memory of 1368	2932	DEME60B.exe	37
PID 2932 wrote to memory of 1368	2932	DEME60B.exe	37
PID 1368 wrote to memory of 980	1368	DEM3C74.exe	39
PID 1368 wrote to memory of 980	1368	DEM3C74.exe	39
PID 1368 wrote to memory of 980	1368	DEM3C74.exe	39
PID 1368 wrote to memory of 980	1368	DEM3C74.exe	39
PID 980 wrote to memory of 1768	980	DEM92BE.exe	41
PID 980 wrote to memory of 1768	980	DEM92BE.exe	41
PID 980 wrote to memory of 1768	980	DEM92BE.exe	41
PID 980 wrote to memory of 1768	980	DEM92BE.exe	41

C:\Users\Admin\AppData\Local\Temp\4247212c4efcaa57ebb70e02b6472867.exe
"C:\Users\Admin\AppData\Local\Temp\4247212c4efcaa57ebb70e02b6472867.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\DEM385F.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM385F.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\DEME60B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEME60B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\DEM3C74.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM3C74.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\DEM92BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM92BE.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\DEME927.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEME927.exe"
        7⤵
        Executes dropped EXE
        
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM8FC1.exe

Filesize
15KB

MD5
1dcb79b3aa1841aef5db556498deeb69

SHA1
7ec40f294eb436335507298d327af1d91ef6deca

SHA256
e94c48ed6fe5a6e28fe4d0d5e04c518def26c13c3e261f451f989cf8a3f772ed

SHA512
2d1e61aedb4bea5df6a9b84a0704e4bfa2cadb8392c0ca7ae5c7ae58cb6321a6e60658b043b32ed5129fc12ee44a9fb6fbb7e61a9391e7b95af247fd53658e88

Download Submit
\Users\Admin\AppData\Local\Temp\DEM385F.exe

Filesize
15KB

MD5
7a15a119b8f89aff1eb16f2ae79d70df

SHA1
91cbbe559bd1bfcfbe16df2a98ccc0021161e5d7

SHA256
933c5ac0f2c69443afb5872f8225c2f0531caa4e247c3246c7047ebcad25b79c

SHA512
2c91bca08a533842167aea1c5fbc880b2c3eae7af139966454cc261ea07806e31fcbb5d521d70c48b0dc2ffdb3929212b065c43c18144e2c0d101b251a958ad4

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3C74.exe

Filesize
15KB

MD5
a4c48e0972726e24b211ae9e72964db9

SHA1
966a8b77423175de3a2880b6bce4e0dc5742ead8

SHA256
45624c2122bcc9eb7a518212a2b521bed853d9f8c145c36456b56ab53fff9bc2

SHA512
6668cf5b902b3dabab994fa0aaf8319933d773039dd8fb5236dfd964ed27e3c1b5f41863bb30096ff31e15baf6d38967726ed8074b1a0f4cf5bf62a7bc29e7dd

Download Submit
\Users\Admin\AppData\Local\Temp\DEM92BE.exe

Filesize
15KB

MD5
0f4ee275ff1313e956faa3bdf8c8ed48

SHA1
4f256c2a9fcca1b98f68b96a829a8afef00219c5

SHA256
b6ec228f2d9e5260b6612ae06eebd8b33f7626e14483864738b7e9c45e43b12f

SHA512
f14df812c962a52acb175f06dfde2488804ddd53dab77c228c5dd461c86653534406ce3aeb88b39da42345cb3b3d7008342aeeb0e15cac77707c86769d89f23d

Download Submit
\Users\Admin\AppData\Local\Temp\DEME60B.exe

Filesize
15KB

MD5
9f1d1a4d79dacddbfdbd91687f9db962

SHA1
1955a032c7b97edbeb6dabbeec80843970094e20

SHA256
c55e9ebce7b7544324a285ef4058dce8527f297d46816f3047a09c4135a790e8

SHA512
02bfea124cb00471931fe8c09e9cfb8f0e4aca79f70b7850123d2aa42ef4114cf53324bb451df19cff04b876ec5f8822dc5f8a1314bff9ff0dd2bddb541ff56a

Download Submit
\Users\Admin\AppData\Local\Temp\DEME927.exe

Filesize
15KB

MD5
70ae140cf41ee03ec6f1af279a571d3a

SHA1
58afe1b4841d00904e70bad80660b0c0af5b0376

SHA256
ef548a708d0d393ec766ac77dce5fc3be6a0737082163e537239dbca3f57956c

SHA512
2a52c172b61ee8771abec5890a7fc8377a9fd34612d3c4c6929f11a2c7594848168066919bbd9d8beba74b2187799768494c6e7d288fd1f133082c53b5365936

Download Submit

Analysis

Sharing