08c441f7e495696ac99eac688646e16e00e2bb672f9e1372f40488ac4a343b60

General

Target

50f79b2b0039b64c6796ae7b721b82ad.exe
Size

16KB
MD5

50f79b2b0039b64c6796ae7b721b82ad
SHA1

e40234d5da5c2bd824cd54ecd61f397e3d193057
SHA256

08c441f7e495696ac99eac688646e16e00e2bb672f9e1372f40488ac4a343b60
SHA512

2d4aafee588c40ae59f18c7424727dc11e0a34a4054dc365051cf8576620909088011b63083a3d261b095b9a995ad0b0cfcf62c0dd9eec77054bdad96191183f
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGS:hDXWipuE+K3/SSHgxmwS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1180	DEM46B1.exe
2576	DEM9C7E.exe
2972	DEMF27A.exe
744	DEM47D9.exe
1084	DEM9D77.exe
1680	DEMF316.exe

Loads dropped DLL 6 IoCs

pid	Process
2988	50f79b2b0039b64c6796ae7b721b82ad.exe
1180	DEM46B1.exe
2576	DEM9C7E.exe
2972	DEMF27A.exe
744	DEM47D9.exe
1084	DEM9D77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1180	2988	50f79b2b0039b64c6796ae7b721b82ad.exe	29
PID 2988 wrote to memory of 1180	2988	50f79b2b0039b64c6796ae7b721b82ad.exe	29
PID 2988 wrote to memory of 1180	2988	50f79b2b0039b64c6796ae7b721b82ad.exe	29
PID 2988 wrote to memory of 1180	2988	50f79b2b0039b64c6796ae7b721b82ad.exe	29
PID 1180 wrote to memory of 2576	1180	DEM46B1.exe	33
PID 1180 wrote to memory of 2576	1180	DEM46B1.exe	33
PID 1180 wrote to memory of 2576	1180	DEM46B1.exe	33
PID 1180 wrote to memory of 2576	1180	DEM46B1.exe	33
PID 2576 wrote to memory of 2972	2576	DEM9C7E.exe	35
PID 2576 wrote to memory of 2972	2576	DEM9C7E.exe	35
PID 2576 wrote to memory of 2972	2576	DEM9C7E.exe	35
PID 2576 wrote to memory of 2972	2576	DEM9C7E.exe	35
PID 2972 wrote to memory of 744	2972	DEMF27A.exe	37
PID 2972 wrote to memory of 744	2972	DEMF27A.exe	37
PID 2972 wrote to memory of 744	2972	DEMF27A.exe	37
PID 2972 wrote to memory of 744	2972	DEMF27A.exe	37
PID 744 wrote to memory of 1084	744	DEM47D9.exe	39
PID 744 wrote to memory of 1084	744	DEM47D9.exe	39
PID 744 wrote to memory of 1084	744	DEM47D9.exe	39
PID 744 wrote to memory of 1084	744	DEM47D9.exe	39
PID 1084 wrote to memory of 1680	1084	DEM9D77.exe	41
PID 1084 wrote to memory of 1680	1084	DEM9D77.exe	41
PID 1084 wrote to memory of 1680	1084	DEM9D77.exe	41
PID 1084 wrote to memory of 1680	1084	DEM9D77.exe	41

C:\Users\Admin\AppData\Local\Temp\50f79b2b0039b64c6796ae7b721b82ad.exe
"C:\Users\Admin\AppData\Local\Temp\50f79b2b0039b64c6796ae7b721b82ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\DEM46B1.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM46B1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\DEMF27A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMF27A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\DEM9D77.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM9D77.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\DEMF316.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF316.exe"
        7⤵
        Executes dropped EXE
        
        PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM47D9.exe

Filesize
16KB

MD5
0109a6837e44c0321cdc1b6f025e3e33

SHA1
19dca14177dcf704473eafb4d5205549cf4c716c

SHA256
236e30968a19e0cd672055d567617cb3a50628acab855411586178e33cbee422

SHA512
ab1b89e64b00e026b2daac215d1167205f506964c0e2f606c9bca8e065d436089f2c2696c95cc91aa03dbc84f1c289b93bcf0a1fd0fb8e780f257560445e1e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM9C7E.exe

Filesize
16KB

MD5
2011ed1dbd04909bda3b9f6d59a37cf9

SHA1
ed87b715020b54a2d9830a3501d8ef0c6f5945bc

SHA256
a56d2fd66ecfd7a3732a7e5a80aeaa051636f9b8a6a9baa83ee71b9cbdcab518

SHA512
955b374c1dcea3ba44e62fd22db273240f9185a59960ed0273cac7923500064af7998c3b32121d240bda0a7fd50d1a070aefe0f2b6e2649dd9f586ae92fbcd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF316.exe

Filesize
16KB

MD5
969ab921667f3fc81095438afd5086df

SHA1
5fc794b784d3809fa5d28782fdf5c41ac90ad571

SHA256
e105f8f314dd075fd807ac02fcde6a2eabf541e4a7c4ba4b54e55d417d76e27c

SHA512
0e435d831a6bffb3b69c43e2b871950c17dbaa522d0d556179d6b19a9f4288e059012cad431f4ac575e7f382235fe7356b46c42fe507243887a75ba76eeeb531

Download Submit
\Users\Admin\AppData\Local\Temp\DEM46B1.exe

Filesize
16KB

MD5
d711cb1f301bd1c54bc2a1dd502b8d8c

SHA1
762cebbc9d834d97d425259c5b5f1f17917c3844

SHA256
cebbc6a068f2db28f4efec12a49fe8b652898acd04191a94490b7e186ea61f5a

SHA512
e91fd78d0bb593367be7f9120f9ba93282787cc82175f2ef3145ecc512ef785990c6bb51c2d30195b959a194ad83271b2b6048a74fa330b7b51839871ead80ad

Download Submit
\Users\Admin\AppData\Local\Temp\DEM9D77.exe

Filesize
16KB

MD5
c5c7531783c8ffe5526b23795f507dd0

SHA1
d2afd749d6ab8f350279cdd5fe5fd3538408323c

SHA256
256a0a0ff46f7c0d05c0cef6259e8011ab1dadc06897b81e07140fdbf13d0e63

SHA512
d898505f9013b79bb7694c05aeb68756ef5460ec98395a96f617d2ed0b9b17ad61afae59ffde06072a1c846e7a5fb6c10afe51b5201326e0de89a4572c01997a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF27A.exe

Filesize
16KB

MD5
38ec5f6b2519650222e77117462bc362

SHA1
6b8967f3587192c9beb1215fb8cf232b5bb0e0bf

SHA256
99b0be253302c75772cdfb2620f5ccebee8137e335066eb3732c49afe465a4e2

SHA512
f092aa693699692334c9abcde66658f323dd77977598906fb47069c3e262a83aacb1e6b9c450d6f223114b056cdbe6f5c58dcb4bc05dd5fd00ed582d3ba2559b

Download Submit

Analysis

Sharing