4152543546fad4c3bb4568ae73ed78acf60320a9aad0c34de0e76d98a2596a61

General

Target

4326e68a23492b8df29f83a39d870c87.exe
Size

14KB
MD5

4326e68a23492b8df29f83a39d870c87
SHA1

4b333daec77d709e09fb676d4d0e401e2b53c63d
SHA256

4152543546fad4c3bb4568ae73ed78acf60320a9aad0c34de0e76d98a2596a61
SHA512

87a3ba34a79c7e230a0529f93e79beb2460fcd707a8d1567d4b7545095dd9a994215f9441a19d83da9928edaf0f4396365bec76f7eefc655e775a612fc73dd45
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/Tyk:hDXWipuE+K3/SSHgxm/TT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2780	DEM5679.exe
2168	DEMAD40.exe
992	DEM399.exe
1180	DEM59F3.exe
1096	DEMAFDF.exe
2456	DEM5AC.exe

Loads dropped DLL 6 IoCs

pid	Process
2224	4326e68a23492b8df29f83a39d870c87.exe
2780	DEM5679.exe
2168	DEMAD40.exe
992	DEM399.exe
1180	DEM59F3.exe
1096	DEMAFDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2780	2224	4326e68a23492b8df29f83a39d870c87.exe	29
PID 2224 wrote to memory of 2780	2224	4326e68a23492b8df29f83a39d870c87.exe	29
PID 2224 wrote to memory of 2780	2224	4326e68a23492b8df29f83a39d870c87.exe	29
PID 2224 wrote to memory of 2780	2224	4326e68a23492b8df29f83a39d870c87.exe	29
PID 2780 wrote to memory of 2168	2780	DEM5679.exe	33
PID 2780 wrote to memory of 2168	2780	DEM5679.exe	33
PID 2780 wrote to memory of 2168	2780	DEM5679.exe	33
PID 2780 wrote to memory of 2168	2780	DEM5679.exe	33
PID 2168 wrote to memory of 992	2168	DEMAD40.exe	35
PID 2168 wrote to memory of 992	2168	DEMAD40.exe	35
PID 2168 wrote to memory of 992	2168	DEMAD40.exe	35
PID 2168 wrote to memory of 992	2168	DEMAD40.exe	35
PID 992 wrote to memory of 1180	992	DEM399.exe	37
PID 992 wrote to memory of 1180	992	DEM399.exe	37
PID 992 wrote to memory of 1180	992	DEM399.exe	37
PID 992 wrote to memory of 1180	992	DEM399.exe	37
PID 1180 wrote to memory of 1096	1180	DEM59F3.exe	39
PID 1180 wrote to memory of 1096	1180	DEM59F3.exe	39
PID 1180 wrote to memory of 1096	1180	DEM59F3.exe	39
PID 1180 wrote to memory of 1096	1180	DEM59F3.exe	39
PID 1096 wrote to memory of 2456	1096	DEMAFDF.exe	41
PID 1096 wrote to memory of 2456	1096	DEMAFDF.exe	41
PID 1096 wrote to memory of 2456	1096	DEMAFDF.exe	41
PID 1096 wrote to memory of 2456	1096	DEMAFDF.exe	41

C:\Users\Admin\AppData\Local\Temp\4326e68a23492b8df29f83a39d870c87.exe
"C:\Users\Admin\AppData\Local\Temp\4326e68a23492b8df29f83a39d870c87.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\DEM5679.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM5679.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\DEMAD40.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMAD40.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\DEM399.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM399.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Local\Temp\DEM59F3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM59F3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Users\Admin\AppData\Local\Temp\DEMAFDF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAFDF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\DEM5AC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5AC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEMAD40.exe

Filesize
14KB

MD5
951f39cada2e0368a70c130c8df27f99

SHA1
3382436024b77b73b78e9ff260c55f37867591f1

SHA256
1fc7abc8dfec98d16b6f5508fb521d66726e1394bd35366037f21f1b382c884e

SHA512
2c6b15b421deb45f3904bb8555cd09de42d64a61af4eacfd8ee824f29019539cbb96085edf497db86be7a52ed825aef4cb3e5e1c8098abd7db5829ab723ec434

Download Submit
\Users\Admin\AppData\Local\Temp\DEM399.exe

Filesize
14KB

MD5
4a1c2af104a4d119c2a976e4f1ffb70a

SHA1
f7fede19939e8909f6d1b6bfd4e82b5f7c442971

SHA256
193665a9d3fd3f278d4953effc74ff4c47a56a2a7e5f81acfcfd6fbf19cf2b67

SHA512
3a401f1409ff5d80a9478c2c9dd9beab737bc57389e8c8bf6014545cb9d04071c8a5122b504d1ddc17ac53356222a26dbff6ccb2ecb5651c1065986bbd2df8b0

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5679.exe

Filesize
14KB

MD5
312c2c2ad3583237402a07375900bfcb

SHA1
31f8abc07b5e0f496640e6a633bc768210d3dcd7

SHA256
cfb288f79e49ec624c556141b1b0af468f503b2f71fde1856cfe60a9ce3c31e3

SHA512
390bd8ae1175883c9a79b0d130c3bbbf2e1a743106a99f13637e9169239596d17cc870dcf13ba0ac39eb73983302cb5d885286c335080542cb0f083e1b07e060

Download Submit
\Users\Admin\AppData\Local\Temp\DEM59F3.exe

Filesize
14KB

MD5
2350756574f57ab3d2cb770ce18d2b9e

SHA1
5bf7ac694467e199bcfa97c08b1c9099789d133f

SHA256
d1e1346434e6342d198928237a9b16b08aed3930acdc42eea50cae7bc671702e

SHA512
dd6f4eef95929628e7d2e850c47346711c558077b4429f3f2821dd754ce6e870df529c528603d57f7b487fb2e3c59e4c50bb485c1dc6cde06902408b3fc92cfb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5AC.exe

Filesize
14KB

MD5
ab8943251514accf149a9b7c24182bdc

SHA1
9080667403d288419075153c06d72e07b86caaeb

SHA256
3ec7af515e6c520577cb160795f494de2fba896e062098c114f8901dd59e62f3

SHA512
e65df8abffb3d5edaecf533abb22549c2ebec6f7d43e48472798716707c0c1c918f9cbf7d2e7dd1dd01c34c9103e7b37c95892e0b7ab4ad217920a5b55a2ea39

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAFDF.exe

Filesize
14KB

MD5
e6d2bccf8875e66e6138436746fb043a

SHA1
f3de42b09a2f1508ffa09f1db2aebee0245efe00

SHA256
82e33604a6285b791832a7d35cf0b4b81362a1de37dd8158c7ef5c8b641e1589

SHA512
ef849416e0f10bd96e883b0496b00a616d79df3158b271ba2eabe2e990acdf7a78e1ecbc15f4e5e0c9b0917304be0567c4aa77f90514e44b67b8dd784cd7c6ef

Download Submit

Analysis

Sharing