ee6fdd67e2d7af8519023a027073a7d2eca3377d3375789cc19a90432198e76c

General

Target

47d17cb085ef3a1ae420ac9e73d29398.exe
Size

15KB
MD5

47d17cb085ef3a1ae420ac9e73d29398
SHA1

386c8436b4b11d33fd7a3a9acc26be2be3e14cd0
SHA256

ee6fdd67e2d7af8519023a027073a7d2eca3377d3375789cc19a90432198e76c
SHA512

5a1f26e6c9fcc12830bb41c307a422e33af6278067aa61ce4f1e634beb918feb7bd4e1deaf30005249f4c4b5c9d5ad4713bc33cc0a46912d1e6c627a41a14dde
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvo+5:hDXWipuE+K3/SSHgxmA+5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2744	DEM13B0.exe
2800	DEM696D.exe
2940	DEMBEEC.exe
1996	DEM147A.exe
1800	DEM69CB.exe
2600	DEMBEDC.exe

Loads dropped DLL 6 IoCs

pid	Process
2248	47d17cb085ef3a1ae420ac9e73d29398.exe
2744	DEM13B0.exe
2800	DEM696D.exe
2940	DEMBEEC.exe
1996	DEM147A.exe
1800	DEM69CB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2744	2248	47d17cb085ef3a1ae420ac9e73d29398.exe	30
PID 2248 wrote to memory of 2744	2248	47d17cb085ef3a1ae420ac9e73d29398.exe	30
PID 2248 wrote to memory of 2744	2248	47d17cb085ef3a1ae420ac9e73d29398.exe	30
PID 2248 wrote to memory of 2744	2248	47d17cb085ef3a1ae420ac9e73d29398.exe	30
PID 2744 wrote to memory of 2800	2744	DEM13B0.exe	32
PID 2744 wrote to memory of 2800	2744	DEM13B0.exe	32
PID 2744 wrote to memory of 2800	2744	DEM13B0.exe	32
PID 2744 wrote to memory of 2800	2744	DEM13B0.exe	32
PID 2800 wrote to memory of 2940	2800	DEM696D.exe	36
PID 2800 wrote to memory of 2940	2800	DEM696D.exe	36
PID 2800 wrote to memory of 2940	2800	DEM696D.exe	36
PID 2800 wrote to memory of 2940	2800	DEM696D.exe	36
PID 2940 wrote to memory of 1996	2940	DEMBEEC.exe	37
PID 2940 wrote to memory of 1996	2940	DEMBEEC.exe	37
PID 2940 wrote to memory of 1996	2940	DEMBEEC.exe	37
PID 2940 wrote to memory of 1996	2940	DEMBEEC.exe	37
PID 1996 wrote to memory of 1800	1996	DEM147A.exe	39
PID 1996 wrote to memory of 1800	1996	DEM147A.exe	39
PID 1996 wrote to memory of 1800	1996	DEM147A.exe	39
PID 1996 wrote to memory of 1800	1996	DEM147A.exe	39
PID 1800 wrote to memory of 2600	1800	DEM69CB.exe	41
PID 1800 wrote to memory of 2600	1800	DEM69CB.exe	41
PID 1800 wrote to memory of 2600	1800	DEM69CB.exe	41
PID 1800 wrote to memory of 2600	1800	DEM69CB.exe	41

C:\Users\Admin\AppData\Local\Temp\47d17cb085ef3a1ae420ac9e73d29398.exe
"C:\Users\Admin\AppData\Local\Temp\47d17cb085ef3a1ae420ac9e73d29398.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\DEM13B0.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM13B0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\DEM696D.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM696D.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\DEMBEEC.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBEEC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\DEM147A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM147A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\DEM69CB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM69CB.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\DEMBEDC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBEDC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM13B0.exe

Filesize
15KB

MD5
4c2cb0fa5bf0201847df0889d310a4e8

SHA1
a4e33d91ff1d149caa6375e0a0054ef0fa681b25

SHA256
679f8110d8ffdb7e9149b5204cdab5a3d75b7f2dc3ea6671104b585750c24c0d

SHA512
bd42fa67b53ac9b066316c81e03092b3859a69566cb2c9e570c610aa7ea4bd6f8c49591f55fe4270d9085bd93d0b8ef0765c7415ddabcfc777d77ff979ad1361

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM696D.exe

Filesize
15KB

MD5
63bc2e48ae638521ff818694b1d03c8b

SHA1
56b6974ee7294d217abf51130957216b20df37f7

SHA256
8c0476cec76053705d25f4ded002879436f52bde08f04bb2437c596ffea16d4b

SHA512
91e55438ebaffec308110ac1694770019b4bf3dcbcf620a4341fedef2944b8db0f4131e8b8dba35fd1a96b6ed2ca10b12551690b017a96a6f9d52ca4273c383c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMBEEC.exe

Filesize
15KB

MD5
638c48f5511d796fe9d590b42c8fb37e

SHA1
4e46e12da6db7bb6856c9f7fe697c8f2bbaa079a

SHA256
87bec440ae94d438587ca2bbc7fb92afb1a13c600fc4a3fdfffff307b0e429bd

SHA512
639b238717127b8cd14bd99eaa075b426e8171c9c4c63f638e00230b688902e1b7b5ea97d7fbbe34706c3f4aee55e6966c44cd9a2ff32e13a0ee384326df9da8

Download Submit
\Users\Admin\AppData\Local\Temp\DEM147A.exe

Filesize
15KB

MD5
e44c2e426f78577d60b3211493d65c07

SHA1
959ba0eb10c851c0faa5a4a34aa8963bc1910e9a

SHA256
fa010066736a8039deb115722aebe19d99547c659ab0b19595ec58eb94a8187f

SHA512
74af46b5e73e340aedb68e1d498d47ac3ee5380871ca2de545c5191c162890c3e9131113081413f89f6a4d3e16e233b53f97545d70c438412af1484941dc0174

Download Submit
\Users\Admin\AppData\Local\Temp\DEM69CB.exe

Filesize
15KB

MD5
993d36437e8e193b5e3a36fe3455b0d0

SHA1
ccdb8e8760359afa7c16a61e10d21dc5a6461d9a

SHA256
fbf9bd4d96bf96fd4f0c50eb82730a568aaf85850928e13ee1d8c9c4c7255cda

SHA512
a195e79a895756ddfa8a446c68f23301b892e505752bcb943227a0e83279da903b25a4940d074443aae9fcd50d4c0210198d9d51a5fac0d5391e1a7168254ed1

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBEDC.exe

Filesize
15KB

MD5
4cf83def90f13958a012f9f68e8c4864

SHA1
b23d3e6ec28e5e39623ca8c7991f03e96e924ce8

SHA256
76741a543dcad942c29ef74818a45b30f372c43c94e356773ebc2fcecd8d0dc8

SHA512
e512567a816f514ee068c592f4ab7cc740ed145a451b5b686a2c0d4691e3e20b8ae8a75ad74560256fbe1d6d47ff349fb3ff3ba0dd5641d4b0a4f8f176f32de8

Download Submit

Analysis

Sharing