6c7de1d61cedb2905c24780494b595a54161ea14c6672a304c861a48dc38d420

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

497426238ae9f8fcd9b29441fd14bdbf.exe
Size

15KB
MD5

497426238ae9f8fcd9b29441fd14bdbf
SHA1

9c090246921b167969ed9fb43baaa69edc5de64a
SHA256

6c7de1d61cedb2905c24780494b595a54161ea14c6672a304c861a48dc38d420
SHA512

cf54aeebfed241477ff092ab00a9e41c0a0b9d594c6582753edf2cdf4d685e1fd237fbf2bd9036670eb24fb108019cf528e70e8974eba84087056901b76c500d
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/TyQkV:hDXWipuE+K3/SSHgxm/T+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2520	DEM6F95.exe
2724	DEMC65B.exe
3044	DEM934.exe
2288	DEM5EE2.exe
1352	DEMB490.exe
1760	DEMAAB.exe
2788	DEM57A2.exe

Loads dropped DLL 7 IoCs

pid	Process
3016	497426238ae9f8fcd9b29441fd14bdbf.exe
2520	DEM6F95.exe
2724	DEMC65B.exe
3044	DEM934.exe
2288	DEM5EE2.exe
1352	DEMB490.exe
1760	DEMAAB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2520	3016	497426238ae9f8fcd9b29441fd14bdbf.exe	30
PID 3016 wrote to memory of 2520	3016	497426238ae9f8fcd9b29441fd14bdbf.exe	30
PID 3016 wrote to memory of 2520	3016	497426238ae9f8fcd9b29441fd14bdbf.exe	30
PID 3016 wrote to memory of 2520	3016	497426238ae9f8fcd9b29441fd14bdbf.exe	30
PID 2520 wrote to memory of 2724	2520	DEM6F95.exe	34
PID 2520 wrote to memory of 2724	2520	DEM6F95.exe	34
PID 2520 wrote to memory of 2724	2520	DEM6F95.exe	34
PID 2520 wrote to memory of 2724	2520	DEM6F95.exe	34
PID 2724 wrote to memory of 3044	2724	DEMC65B.exe	36
PID 2724 wrote to memory of 3044	2724	DEMC65B.exe	36
PID 2724 wrote to memory of 3044	2724	DEMC65B.exe	36
PID 2724 wrote to memory of 3044	2724	DEMC65B.exe	36
PID 3044 wrote to memory of 2288	3044	DEM934.exe	37
PID 3044 wrote to memory of 2288	3044	DEM934.exe	37
PID 3044 wrote to memory of 2288	3044	DEM934.exe	37
PID 3044 wrote to memory of 2288	3044	DEM934.exe	37
PID 2288 wrote to memory of 1352	2288	DEM5EE2.exe	39
PID 2288 wrote to memory of 1352	2288	DEM5EE2.exe	39
PID 2288 wrote to memory of 1352	2288	DEM5EE2.exe	39
PID 2288 wrote to memory of 1352	2288	DEM5EE2.exe	39
PID 1352 wrote to memory of 1760	1352	DEMB490.exe	41
PID 1352 wrote to memory of 1760	1352	DEMB490.exe	41
PID 1352 wrote to memory of 1760	1352	DEMB490.exe	41
PID 1352 wrote to memory of 1760	1352	DEMB490.exe	41
PID 1760 wrote to memory of 2788	1760	DEMAAB.exe	43
PID 1760 wrote to memory of 2788	1760	DEMAAB.exe	43
PID 1760 wrote to memory of 2788	1760	DEMAAB.exe	43
PID 1760 wrote to memory of 2788	1760	DEMAAB.exe	43

C:\Users\Admin\AppData\Local\Temp\497426238ae9f8fcd9b29441fd14bdbf.exe
"C:\Users\Admin\AppData\Local\Temp\497426238ae9f8fcd9b29441fd14bdbf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\DEM6F95.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM6F95.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\DEMC65B.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMC65B.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\DEM934.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM934.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\DEM5EE2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5EE2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Users\Admin\AppData\Local\Temp\DEMB490.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB490.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\DEMAAB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMAAB.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\DEM57A2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM57A2.exe"
        8⤵
        Executes dropped EXE
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6F95.exe

Filesize
15KB

MD5
0c3008a7fcbecc518c4bbe533be42678

SHA1
b5ee95b0cb56cccfbeb8e0b38a5334375421ad02

SHA256
c23b2116843718c5e7eaf55a6b3dbfc04f2725e1e055e0757473972c708c787c

SHA512
a92f5682fa43d26a22b1996bfd8c83874b360c765ce223fa25addf0cac547104775015b2e0585f0877e31c664a042cc22d10e47c876e1ed62db2dabf693ceb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM934.exe

Filesize
15KB

MD5
5bf0cae71a441ba9558b1ed4661c834a

SHA1
75bc798d36c284be85f88e8331615970dae3bafa

SHA256
075058767afb1d06673f81d79aa84bf2fee79619311676bc25e43b5670bbb760

SHA512
dbb111fcfdfe4167b66a1d53ba51f0e304d5524f1e8ba302702a82084940641bd655cd97bb812f31b9688aef83f5b43e9f9e40310778e46dfd6e19befca5594c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMC65B.exe

Filesize
15KB

MD5
711bf28ee22852281b40160de3ddd871

SHA1
4164d9d970312ca4a01111ee63bb0c5f55a950bd

SHA256
da3eb8fed5dfd9bb7807fbaf7ffc884bc70ba5f76f9edc6de6e0d885ace85b94

SHA512
dc3fd6841dd086b32aedb8231696d8210ed606b9b2dd72fd6514ebdf283b0c260ad3402c146044bcee45f6aab5a97103e98d9322b3d61e2ca0eede25133a8faa

Download Submit
\Users\Admin\AppData\Local\Temp\DEM57A2.exe

Filesize
15KB

MD5
ec2a3a6d2a6059b2b6b2a32ef10fcc2d

SHA1
b3773b3503641ab183d902bc81d3e695c9fab8e3

SHA256
8fe38df6f3c32840feaf0afa7845eec45ce76de057c2cd26dff53d0f95905aa7

SHA512
ecb9b1a8500423e32025a5771a74a7bd80da763293d69afd2f515513627e021c1e6ecacbc70b2961476c529be2f28db0b254a631a9732d1be1ae663c2b540197

Download Submit
\Users\Admin\AppData\Local\Temp\DEM5EE2.exe

Filesize
15KB

MD5
3220c7f5d0d3fc719d921a75b42788a8

SHA1
e9c332247c80d6b11c6114275d8670c838772720

SHA256
96d6ccfaea6a6c6191cb38d1f4cd9de22d88f9b51a4ebb77b20f6f86518f47a8

SHA512
05da8cb2aa1244e11c22d47a7520047faeaa9ab56ece4744e9ecb0989139e85400e04ec62ca1367949038df7ca52b8293fc5cf7470d7f42a5ec47bd0c1b78fa3

Download Submit
\Users\Admin\AppData\Local\Temp\DEMAAB.exe

Filesize
15KB

MD5
5a989188621bb851a4208f9ba38320a5

SHA1
9f28c72a96be05fb955c5c9b0012d1defc424d27

SHA256
6ee0f9af71bcc86a7bb7e965783ab1e5fedcb5027ab44e156df97c10d497d5e5

SHA512
7d33128ed8a4a6159541c0c7096fcecd439f4988399f13c6face76ef0f0042bd5c18bc55ce601c242368cd458bf33054d9d9b1cf8341c8ebf4b6d25aa01bf94d

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB490.exe

Filesize
15KB

MD5
f3dfacfe96eccac2599084b54c72b75e

SHA1
5d2c309e9f96de0c8d394c4866ec9b8879e8b9c3

SHA256
03ecdbfc7586c9005ccdf8e12a9d0273622f3b2b72ad2cc40f63a13a22b731e2

SHA512
ef5a4cb01bd41a95030a78cf9e0fda88be849ecbdc92859142cbc5eef2126d85c870a1ccba5782a7e80ef565abd4c372af18f989f11279febfc3b095d9548f3c

Download Submit