cb0dfa0e9ca9d98d34fb30cda419be88cfbdb82769660236e0ce902486ea0d1b

General

Target

5117aa26ffccf139d76862b4da0dab38.exe
Size

14KB
MD5

5117aa26ffccf139d76862b4da0dab38
SHA1

41cd734bd1da10f4b7fa5fe0e59d7908cf34ef08
SHA256

cb0dfa0e9ca9d98d34fb30cda419be88cfbdb82769660236e0ce902486ea0d1b
SHA512

90fc183176dd5ec527737bf970bbdef522018ec08cce4d7cc5b1cb3b791aa3154002994e69beab9af98a7e674706deea38ed8f14e14fc7b73b407a0dfd2fccbe
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD8XsE:hDXWipuE+K3/SSHgxtKH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2368	DEM1130.exe
2880	DEM674B.exe
1700	DEMBC8B.exe
2692	DEM11AD.exe
1988	DEM670D.exe
1876	DEMBC5D.exe

Loads dropped DLL 6 IoCs

pid	Process
2232	5117aa26ffccf139d76862b4da0dab38.exe
2368	DEM1130.exe
2880	DEM674B.exe
1700	DEMBC8B.exe
2692	DEM11AD.exe
1988	DEM670D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2368	2232	5117aa26ffccf139d76862b4da0dab38.exe	30
PID 2232 wrote to memory of 2368	2232	5117aa26ffccf139d76862b4da0dab38.exe	30
PID 2232 wrote to memory of 2368	2232	5117aa26ffccf139d76862b4da0dab38.exe	30
PID 2232 wrote to memory of 2368	2232	5117aa26ffccf139d76862b4da0dab38.exe	30
PID 2368 wrote to memory of 2880	2368	DEM1130.exe	31
PID 2368 wrote to memory of 2880	2368	DEM1130.exe	31
PID 2368 wrote to memory of 2880	2368	DEM1130.exe	31
PID 2368 wrote to memory of 2880	2368	DEM1130.exe	31
PID 2880 wrote to memory of 1700	2880	DEM674B.exe	36
PID 2880 wrote to memory of 1700	2880	DEM674B.exe	36
PID 2880 wrote to memory of 1700	2880	DEM674B.exe	36
PID 2880 wrote to memory of 1700	2880	DEM674B.exe	36
PID 1700 wrote to memory of 2692	1700	DEMBC8B.exe	37
PID 1700 wrote to memory of 2692	1700	DEMBC8B.exe	37
PID 1700 wrote to memory of 2692	1700	DEMBC8B.exe	37
PID 1700 wrote to memory of 2692	1700	DEMBC8B.exe	37
PID 2692 wrote to memory of 1988	2692	DEM11AD.exe	39
PID 2692 wrote to memory of 1988	2692	DEM11AD.exe	39
PID 2692 wrote to memory of 1988	2692	DEM11AD.exe	39
PID 2692 wrote to memory of 1988	2692	DEM11AD.exe	39
PID 1988 wrote to memory of 1876	1988	DEM670D.exe	41
PID 1988 wrote to memory of 1876	1988	DEM670D.exe	41
PID 1988 wrote to memory of 1876	1988	DEM670D.exe	41
PID 1988 wrote to memory of 1876	1988	DEM670D.exe	41

C:\Users\Admin\AppData\Local\Temp\5117aa26ffccf139d76862b4da0dab38.exe
"C:\Users\Admin\AppData\Local\Temp\5117aa26ffccf139d76862b4da0dab38.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\DEM1130.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1130.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\DEM674B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM674B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\DEM11AD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM11AD.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Users\Admin\AppData\Local\Temp\DEM670D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM670D.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\DEMBC5D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBC5D.exe"
        7⤵
        Executes dropped EXE
        
        PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM1130.exe

Filesize
15KB

MD5
60d7fde6c71da5ebf0e310189ad6f469

SHA1
80a071cfc197ca6897475f3030d9f772416404a4

SHA256
46c89ab5bcb5e67827e7f1a4218624003e87c48b6c0a58b3e842d878b8daeb44

SHA512
a1391591e96f91aee00ce4e2cd8185382ebcd708a3115f7b76216f039c7b9284558846547d594ce67ebbbb3c5df38f6a15c02b0f158a68542a42dfdf4d8866fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM674B.exe

Filesize
15KB

MD5
5b42d826b0a8243a0666984e5612c9d7

SHA1
4bc8fbe99c379a4b26d29135e8a10ecc8ffc4568

SHA256
4b2f157150b3d8f0c70edfd46b58db30f26c5c16f641f8a9a937aad8629774c0

SHA512
31c5ec7795e7623b4e1efed6f621e1dcff00840e2f8f96a9e75270e04f939c9d0d1ad9fc23829aad1d6ba1f7be045b3d42d7c60deb9b8c5f98197cdb8ecf37bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe

Filesize
15KB

MD5
f633189a58f8c9f6cc419474d10fc143

SHA1
e2c0fa10df1f870bc04b2edcd829418d6632e3f2

SHA256
4dfc3340b4d6271d54ffd2ae46153039a647258c1ee7d85d0c8ff301d399e5b9

SHA512
995a9e1774b0ce87054a3488e052c3bd18e2cd4417a8002c77f05ebd35742dbf2004940af4464adefea71bfed85c9a552aa1aa5affcb21d417fba3b81b3397fb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM11AD.exe

Filesize
15KB

MD5
79df548ee881f1284bde6a201e9e688d

SHA1
9096a74b34f21a7147592d5041eed042a29e33fc

SHA256
df56377d3ff23375b4e3e074a81836f543080922c99aa6385b15f14f0bb61601

SHA512
f6fec5c3f29ad0a919c9da8a6e2cfeee8e07e5aea4269d1f13512bee73929f4d9abf4816f0eb3791ea8e85595fece1d660d2f969917eb1e4e14d24824488ef02

Download Submit
\Users\Admin\AppData\Local\Temp\DEM670D.exe

Filesize
15KB

MD5
4746e2eb13cc283e21fc4c2a31fba9a9

SHA1
41ba2c8fa7afd980137976c763c2081efef184cb

SHA256
438669da4555dfb4bfbf45a0cfa8a61de300e41145dc4eef406167dd0942052d

SHA512
9e52553d4790b8ebf6ae9c7dde8561742c1739e076392583680b868d673575b2474fdff43abfaafce7456d3cdf2c4bff12bb34a6bf11e9c5315ecc343e245767

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC5D.exe

Filesize
15KB

MD5
4cfd34e95f7f7ad71d5dc90f64de583b

SHA1
b8df349415641afaa7ce3333b0a9e23215422bfc

SHA256
e45bb22f4e308294c8fa84b0feed6d8e7a73055bfe55eb0653ce0844670dee19

SHA512
69088e9b9c3aa0731df71a7ec026cc40c3fb465f001ed0db572e4c3e19e7bcbcfe34271c0fbf5796d2160ec5e9fa9f24ca10a2f93c48d000c606ef6842f82b94

Download Submit

Analysis

Sharing