dce63bcff47a015739a4602e65ebdb8891891e3ada545bbf24041d2c15c517dc

General

Target

4dc6da0535d09c80fd9fbb9ed19240f2.exe
Size

15KB
MD5

4dc6da0535d09c80fd9fbb9ed19240f2
SHA1

2bfe8da5386eb761c473d8f6274c80f21916dab5
SHA256

dce63bcff47a015739a4602e65ebdb8891891e3ada545bbf24041d2c15c517dc
SHA512

3781957e627efe99e3ffc8ad761f73b91088ebab2d8bf17479edd5c39042cf92cff1d18889b417e79de2870d8fbacf4000f8de9af3399f66bdc330937df50162
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYl0rJGU:hDXWipuE+K3/SSHgxmlOR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2764	DEM1130.exe
2732	DEM6690.exe
2556	DEMBC0F.exe
1584	DEM121A.exe
2216	DEM674B.exe
2404	DEMBCAB.exe

Loads dropped DLL 6 IoCs

pid	Process
3008	4dc6da0535d09c80fd9fbb9ed19240f2.exe
2764	DEM1130.exe
2732	DEM6690.exe
2556	DEMBC0F.exe
1584	DEM121A.exe
2216	DEM674B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2764	3008	4dc6da0535d09c80fd9fbb9ed19240f2.exe	29
PID 3008 wrote to memory of 2764	3008	4dc6da0535d09c80fd9fbb9ed19240f2.exe	29
PID 3008 wrote to memory of 2764	3008	4dc6da0535d09c80fd9fbb9ed19240f2.exe	29
PID 3008 wrote to memory of 2764	3008	4dc6da0535d09c80fd9fbb9ed19240f2.exe	29
PID 2764 wrote to memory of 2732	2764	DEM1130.exe	32
PID 2764 wrote to memory of 2732	2764	DEM1130.exe	32
PID 2764 wrote to memory of 2732	2764	DEM1130.exe	32
PID 2764 wrote to memory of 2732	2764	DEM1130.exe	32
PID 2732 wrote to memory of 2556	2732	DEM6690.exe	35
PID 2732 wrote to memory of 2556	2732	DEM6690.exe	35
PID 2732 wrote to memory of 2556	2732	DEM6690.exe	35
PID 2732 wrote to memory of 2556	2732	DEM6690.exe	35
PID 2556 wrote to memory of 1584	2556	DEMBC0F.exe	37
PID 2556 wrote to memory of 1584	2556	DEMBC0F.exe	37
PID 2556 wrote to memory of 1584	2556	DEMBC0F.exe	37
PID 2556 wrote to memory of 1584	2556	DEMBC0F.exe	37
PID 1584 wrote to memory of 2216	1584	DEM121A.exe	39
PID 1584 wrote to memory of 2216	1584	DEM121A.exe	39
PID 1584 wrote to memory of 2216	1584	DEM121A.exe	39
PID 1584 wrote to memory of 2216	1584	DEM121A.exe	39
PID 2216 wrote to memory of 2404	2216	DEM674B.exe	41
PID 2216 wrote to memory of 2404	2216	DEM674B.exe	41
PID 2216 wrote to memory of 2404	2216	DEM674B.exe	41
PID 2216 wrote to memory of 2404	2216	DEM674B.exe	41

C:\Users\Admin\AppData\Local\Temp\4dc6da0535d09c80fd9fbb9ed19240f2.exe
"C:\Users\Admin\AppData\Local\Temp\4dc6da0535d09c80fd9fbb9ed19240f2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\DEM1130.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM1130.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\DEM6690.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM6690.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\DEMBC0F.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMBC0F.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\DEM121A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM121A.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\DEM674B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM674B.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\DEMBCAB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMBCAB.exe"
        7⤵
        Executes dropped EXE
        
        PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM6690.exe

Filesize
15KB

MD5
27d354c6321004534bd6991110d2e92f

SHA1
bf2a344c8a6f5153f8e9ac3be0514faee1b009ff

SHA256
e564a7c9f3e16f5316ac1c51da4bad88f39a6d8a38eb6a4da18b1b8928c04f88

SHA512
c303e5b4c3b3e8a5f2e67b9712dbc58a81cc2a663557d46037c21ef53e1c102366520aefcc0ab2c1cc14546e30685cab130633741614aae3f96cdc2d3a7022bc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM1130.exe

Filesize
15KB

MD5
d582c3bccbec260dc6ff18a8701b739b

SHA1
d5773d71d0e6293a7a78dcb6a5b1b8f028bd47e7

SHA256
227477f0db63cd7b1b4e1692ef042a95ce4e8ab8a4cea2e7a3b353544b039c20

SHA512
92bf9b17d6babb1582fce5d84a6a36ac6f447c8fe1f0f5b9b9211b7ebe114822ae2b3206c4bfa8eda81be7aad82820b360e72cc219ae4e8ec27d3b32a8ccfa8d

Download Submit
\Users\Admin\AppData\Local\Temp\DEM121A.exe

Filesize
15KB

MD5
a6a67002cf6a9c4b34c4a7c9c6b451bf

SHA1
8145f92407f2f02a0d705df0c1c14f2b8ec99410

SHA256
f34f813ac593f47f7b3589f0bceedc3e2c50d715df336bfaaa12535562d854ab

SHA512
09d605240f9befff2f3d295b9213e111563506a1fdd76a0296487884a5f81ac52e97441e8e46d8a314b9d33fb37635ef4512e1a2f1d82473d2d5941d6eb5dffc

Download Submit
\Users\Admin\AppData\Local\Temp\DEM674B.exe

Filesize
15KB

MD5
198f634dc6fa08067a5d5163ffea3d3a

SHA1
529aca3d9ef946cd90b3a925d8131b662280a3b3

SHA256
bf4286b12acd17ef4b6a5f1525c19f23951f1220b27ab2e095890997320f052d

SHA512
fc21091dabe10e49929d7e0f210434cde213cc7a98786a8c1f1f4d2e7228991fa444ed6fcaf68afdc683331e6697a06de781295165fd8226e7df6ac5cc4e164a

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBC0F.exe

Filesize
15KB

MD5
0320297e9fcf53b37151b4dfa97dd32b

SHA1
03524ec2ebb284489f822704b2c41029068d7952

SHA256
df0a1d5b8b3547331f43dc2955f89622fb25242d58f1856c414741aad66d139a

SHA512
6bdb70f09eeb4dd052378e1cd691a72dd04aced1776422cabbb34cb0e5d4195b3c8c92d094d69e226e1ceb899b2628ef68db20c4409fed344b148504ced549b0

Download Submit
\Users\Admin\AppData\Local\Temp\DEMBCAB.exe

Filesize
15KB

MD5
47ad1afdd4582e8972aefe92ca85bf82

SHA1
d16509d343af847ee9ef3e9fd61493fdec38b186

SHA256
a58d5cd408b486751ba5c4c3f40e841ec5d9af084f332af6cb629cdf3d2b3863

SHA512
155f16989dddf15d8050bd5efb4b9e6a32d1513280b53d4e2b1f8e598fdc47c364a230a4dba70c64aa18abfc89bdccb526e41ea9a3d541b722ec4534da2a0b5e

Download Submit

Analysis

Sharing