28a32b9e994e0ea09ebe47a379140698c26b6f964666f19d58b7c29bba729dad

General

Target

482a3e16acab80e0ea73319109535936.exe
Size

14KB
MD5

482a3e16acab80e0ea73319109535936
SHA1

c12de61d5b894c5c38fb551f603e67e9a15e784b
SHA256

28a32b9e994e0ea09ebe47a379140698c26b6f964666f19d58b7c29bba729dad
SHA512

d651b4a63b5d0bea13de0d195e85cd510dd80178842d44b6ade95d72c9d779b20b44889cec5526ed3f62a8cf8982d7ecef219f18a93f8557178e6147741d45e8
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnu:hDXWipuE+K3/SSHgx/u

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2148	DEMAAB.exe
2636	DEM6097.exe
2932	DEMB606.exe
928	DEMBB4.exe
320	DEM6143.exe
2184	DEMB693.exe

Loads dropped DLL 6 IoCs

pid	Process
2876	482a3e16acab80e0ea73319109535936.exe
2148	DEMAAB.exe
2636	DEM6097.exe
2932	DEMB606.exe
928	DEMBB4.exe
320	DEM6143.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2148	2876	482a3e16acab80e0ea73319109535936.exe	29
PID 2876 wrote to memory of 2148	2876	482a3e16acab80e0ea73319109535936.exe	29
PID 2876 wrote to memory of 2148	2876	482a3e16acab80e0ea73319109535936.exe	29
PID 2876 wrote to memory of 2148	2876	482a3e16acab80e0ea73319109535936.exe	29
PID 2148 wrote to memory of 2636	2148	DEMAAB.exe	31
PID 2148 wrote to memory of 2636	2148	DEMAAB.exe	31
PID 2148 wrote to memory of 2636	2148	DEMAAB.exe	31
PID 2148 wrote to memory of 2636	2148	DEMAAB.exe	31
PID 2636 wrote to memory of 2932	2636	DEM6097.exe	35
PID 2636 wrote to memory of 2932	2636	DEM6097.exe	35
PID 2636 wrote to memory of 2932	2636	DEM6097.exe	35
PID 2636 wrote to memory of 2932	2636	DEM6097.exe	35
PID 2932 wrote to memory of 928	2932	DEMB606.exe	38
PID 2932 wrote to memory of 928	2932	DEMB606.exe	38
PID 2932 wrote to memory of 928	2932	DEMB606.exe	38
PID 2932 wrote to memory of 928	2932	DEMB606.exe	38
PID 928 wrote to memory of 320	928	DEMBB4.exe	39
PID 928 wrote to memory of 320	928	DEMBB4.exe	39
PID 928 wrote to memory of 320	928	DEMBB4.exe	39
PID 928 wrote to memory of 320	928	DEMBB4.exe	39
PID 320 wrote to memory of 2184	320	DEM6143.exe	41
PID 320 wrote to memory of 2184	320	DEM6143.exe	41
PID 320 wrote to memory of 2184	320	DEM6143.exe	41
PID 320 wrote to memory of 2184	320	DEM6143.exe	41

C:\Users\Admin\AppData\Local\Temp\482a3e16acab80e0ea73319109535936.exe
"C:\Users\Admin\AppData\Local\Temp\482a3e16acab80e0ea73319109535936.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\DEMAAB.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMAAB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\DEM6097.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6097.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\DEMB606.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB606.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\DEMBB4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBB4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Users\Admin\AppData\Local\Temp\DEM6143.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM6143.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\DEMB693.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB693.exe"
        7⤵
        Executes dropped EXE
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6097.exe

Filesize
14KB

MD5
96724ce8bce4a18775775779f81d630e

SHA1
edc1f870889b9859a81c9d6e03386f840f6c5516

SHA256
e22ac8d9fb19563d49e90c65cbc04e14f3e8f587f50e09b0f4e9489becf0424c

SHA512
0c8a52406ff711b29e9bbfdeea95e55c5666486b4fa3f7e832ba4aecbdb5bc616c2805355f3d5a12987c36cc556ae50426a185e503265187abc9dacfb7b6e23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBB4.exe

Filesize
14KB

MD5
150795b86e9f0e2043b8ca86c2511efb

SHA1
d080668bd929c2e75cf7a74cdcbed94251015659

SHA256
63e5f72492fa3616d5113aeb1038e0891fa58a7533033067dcca8c0021501939

SHA512
37e3c6f091d114c702c9bd40f9fd8e1cc50ca0f110c9ab7462988a1c5ce214d9a025d2ebfb375570fd8033ec6f4aedbd0ac48bd7a44ccc3aea29a29a6283b691

Download Submit
\Users\Admin\AppData\Local\Temp\DEM6143.exe

Filesize
14KB

MD5
0064d1ae5af26db2e6d274b405727e34

SHA1
3adad6faa210b07f4ca1120ea54542d1ec9ba621

SHA256
d9377af5ab48c477ca358e92e76f791efe584c3b4bba37d87f3357b2fa52206d

SHA512
ec2e5cb9ad2af5ce8948c79557428433da96c5041e427f3ac15bb48819d8ad5ef413dfa7013cd9cd5c76ed119233eae17b5fa02b836f615feb96754611adc9f3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAAB.exe

Filesize
14KB

MD5
4a22ec166af1642d89aebecd24259f14

SHA1
f191eefcda59854aa598c26f7b38871b9fbfeeb9

SHA256
da9a2f7bd33e439d0edf33ca2aed7a5a8acf5e768ccd2091ad7a9be961f99f3e

SHA512
fb26e3f982152288c171071b7646c63fb3b9710e60f87786782e69fd6cf86bb64b09715d0e111ec2e8999d7059b7d3e7b71ae98101927e514bbf6f34e40974a6

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB606.exe

Filesize
14KB

MD5
9dd60920527950c55633963862e90f91

SHA1
c82103e8f1412a7125df07c7a1b8ecad237f1620

SHA256
379722a342efa7923f627c6753dd4bce90b5cf50d38594e6b87be8bfddac8261

SHA512
f9251235ec3a43f9f3d59ee9989a243f9cc5c7db57cbdcf25c3a49cd9201ab55e95ab135b939c78e4136106bbba4ac243c8421ffdd8c7eda8d237828ecb43375

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB693.exe

Filesize
14KB

MD5
a6a99aeae80a8346024a6ac297c5fc05

SHA1
9ff9d12f42ef85ce10d96df108b3ed00ea6b1403

SHA256
60104cdf41f2f6a0ac3ce7bbefb56b201e48733f031e0c30e379b2e4428ec31f

SHA512
24b1df4b32aea79ec9befa447e7469b7f42836712b38959bda2c795bbf212e10e844b487bd35a3277da361e0cc1e09462c66e37453b19f91d04f7d46b4a0cf98

Download Submit

Analysis

Sharing