b347ba487816c1d1bdb368f4b4d5f006b47e93ac5a4b628b80a2da21ff354ede

General

Target

510af52f650dccd65692b47e29c3e982.exe
Size

14KB
MD5

510af52f650dccd65692b47e29c3e982
SHA1

4ec2cf85d2992b9a497d14dcfb7b050a4cf42ad7
SHA256

b347ba487816c1d1bdb368f4b4d5f006b47e93ac5a4b628b80a2da21ff354ede
SHA512

3dfcc26598d10d496ef432800cd967669db5e0c41cde936275985307f751c52e463eb3f0aecb24483b6f0529b9b18cb390574dbc2616dcdfbd7ad25a91a9e61e
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY5E:hDXWipuE+K3/SSHgxmS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2788	DEM22CC.exe
2660	DEM77DE.exe
2848	DEMCDAB.exe
1752	DEM231A.exe
880	DEM781D.exe
2352	DEMCD5D.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	510af52f650dccd65692b47e29c3e982.exe
2788	DEM22CC.exe
2660	DEM77DE.exe
2848	DEMCDAB.exe
1752	DEM231A.exe
880	DEM781D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2788	2336	510af52f650dccd65692b47e29c3e982.exe	30
PID 2336 wrote to memory of 2788	2336	510af52f650dccd65692b47e29c3e982.exe	30
PID 2336 wrote to memory of 2788	2336	510af52f650dccd65692b47e29c3e982.exe	30
PID 2336 wrote to memory of 2788	2336	510af52f650dccd65692b47e29c3e982.exe	30
PID 2788 wrote to memory of 2660	2788	DEM22CC.exe	34
PID 2788 wrote to memory of 2660	2788	DEM22CC.exe	34
PID 2788 wrote to memory of 2660	2788	DEM22CC.exe	34
PID 2788 wrote to memory of 2660	2788	DEM22CC.exe	34
PID 2660 wrote to memory of 2848	2660	DEM77DE.exe	35
PID 2660 wrote to memory of 2848	2660	DEM77DE.exe	35
PID 2660 wrote to memory of 2848	2660	DEM77DE.exe	35
PID 2660 wrote to memory of 2848	2660	DEM77DE.exe	35
PID 2848 wrote to memory of 1752	2848	DEMCDAB.exe	38
PID 2848 wrote to memory of 1752	2848	DEMCDAB.exe	38
PID 2848 wrote to memory of 1752	2848	DEMCDAB.exe	38
PID 2848 wrote to memory of 1752	2848	DEMCDAB.exe	38
PID 1752 wrote to memory of 880	1752	DEM231A.exe	39
PID 1752 wrote to memory of 880	1752	DEM231A.exe	39
PID 1752 wrote to memory of 880	1752	DEM231A.exe	39
PID 1752 wrote to memory of 880	1752	DEM231A.exe	39
PID 880 wrote to memory of 2352	880	DEM781D.exe	41
PID 880 wrote to memory of 2352	880	DEM781D.exe	41
PID 880 wrote to memory of 2352	880	DEM781D.exe	41
PID 880 wrote to memory of 2352	880	DEM781D.exe	41

C:\Users\Admin\AppData\Local\Temp\510af52f650dccd65692b47e29c3e982.exe
"C:\Users\Admin\AppData\Local\Temp\510af52f650dccd65692b47e29c3e982.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\DEM22CC.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM22CC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\DEM77DE.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM77DE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\DEMCDAB.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMCDAB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\DEM231A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM231A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Users\Admin\AppData\Local\Temp\DEM781D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM781D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\DEMCD5D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMCD5D.exe"
        7⤵
        Executes dropped EXE
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM22CC.exe

Filesize
14KB

MD5
b214f64f94723be15cc0c53c101eaa3f

SHA1
c1dfc6be6e1754dcfc586450ac44f812507bc537

SHA256
704e5e525832bc30f3e1d84830d1478f2a79f1de706f8ee00f81f2071a4ff25d

SHA512
af991f4ed4e2f654ae04c3f275285562c26b426c90aa0552e79d38a1aa818a14f9d7e41c77a7a1df0619eb7674820883e987e597da38bbc39f517a005bd960b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM231A.exe

Filesize
15KB

MD5
c17942624632e2c443a81312852ec1af

SHA1
929ff71b6693c09c4f22508d4434dcf655080b97

SHA256
e7fbe2f72b951e43b035df979c2685152ea576d9fcf9883d200d2293a990551c

SHA512
75ff5195a19a5d345a73a8096a3703b8c360841e9b526977539e67cee6360cfbcb9e0c07814862b966904f9988da31068beaae95690fb4f353640c916e231277

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM77DE.exe

Filesize
14KB

MD5
86b88242648d9f8a3fb4793518d7d76f

SHA1
511e7190e95d52cfa54f0f2bc6e456d5cc26dd68

SHA256
39ea35039207bbf39ca287c599e2ef579267d3589c55540d493ae47a13280010

SHA512
95227d527e7643c76ce0f20fcebea0f9c47137aaa4eadf3ed4730892a38c778107ace583e200602be61e126e23dc31bb420350b2739bce676257d979c1dee796

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM781D.exe

Filesize
15KB

MD5
504d9e4949feb655ef65191786ae8945

SHA1
d6986b1fb6dea765ff164245bdf547db75a029ed

SHA256
2bd51589adc6c7c62fc84057ac8583c1c1cadef3cd4a53dd8751d56e84eadc3f

SHA512
efa3105d8b27b41c541ee1f13203c4d6f54be649baeef5601b4feb1f9f6586580accdc79be5cf739ab2ddb243fd4036de7220bd7f224e59c833ca8f7fbd2d568

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCD5D.exe

Filesize
15KB

MD5
1e30f6155bff71ec152dda41ff64fedf

SHA1
5209f0a89eafb71d979f08b6977dd4c53cb347e7

SHA256
02723c94ebb81cbf40ad05cf03ee4f5246d8ff81282944a61de74574cb4ab436

SHA512
db92620ddf3f0bd34b203598617e4d93eb854de6920f08020dc7cd22cb1ed106370349b1d33056710387843123b084f3f2f389e215408533386fcd44002a5ecc

Download Submit
\Users\Admin\AppData\Local\Temp\DEMCDAB.exe

Filesize
14KB

MD5
909e60c4e0461373cb78c9023761e2d2

SHA1
970dc2494695c6a94aeeaac8ebe57fd67302648f

SHA256
824683e1ff84d71389dca30d137026e474940b68f21b4854be3d630a5f82d766

SHA512
a697f3ef4486ad2101530444ad3c6a973467e83b26dc2725396071cadb4151f89923f822a2d3dda16874c60921658cf4dda120e526c0721656dda3e9f72e0e7c

Download Submit

Analysis

Sharing