d8830a71c09f8d1260a448dd41fc58a8454ada25d359eb97da4e28cffa6b3f29

General

Target

54e80ee4581f8e2dc067ba5c2828ea65.exe
Size

15KB
MD5

54e80ee4581f8e2dc067ba5c2828ea65
SHA1

5a894e53fe197e45cea591d2fea63c432aa138e3
SHA256

d8830a71c09f8d1260a448dd41fc58a8454ada25d359eb97da4e28cffa6b3f29
SHA512

5eca1e6ad53006755605a2f39ef3a43062b659f2cbdc063602708ab94977cb7eebc46b6016d809648d683275bfc6e7c4c5b6f6142eb844ef5285c59f52d9281b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRd:hDXWipuE+K3/SSHgxh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2816	DEM741.exe
2616	DEM5D0E.exe
2932	DEMB26E.exe
320	DEM770.exe
1440	DEM5CDF.exe
2544	DEMB1F1.exe

Loads dropped DLL 6 IoCs

pid	Process
2140	54e80ee4581f8e2dc067ba5c2828ea65.exe
2816	DEM741.exe
2616	DEM5D0E.exe
2932	DEMB26E.exe
320	DEM770.exe
1440	DEM5CDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2816	2140	54e80ee4581f8e2dc067ba5c2828ea65.exe	29
PID 2140 wrote to memory of 2816	2140	54e80ee4581f8e2dc067ba5c2828ea65.exe	29
PID 2140 wrote to memory of 2816	2140	54e80ee4581f8e2dc067ba5c2828ea65.exe	29
PID 2140 wrote to memory of 2816	2140	54e80ee4581f8e2dc067ba5c2828ea65.exe	29
PID 2816 wrote to memory of 2616	2816	DEM741.exe	32
PID 2816 wrote to memory of 2616	2816	DEM741.exe	32
PID 2816 wrote to memory of 2616	2816	DEM741.exe	32
PID 2816 wrote to memory of 2616	2816	DEM741.exe	32
PID 2616 wrote to memory of 2932	2616	DEM5D0E.exe	36
PID 2616 wrote to memory of 2932	2616	DEM5D0E.exe	36
PID 2616 wrote to memory of 2932	2616	DEM5D0E.exe	36
PID 2616 wrote to memory of 2932	2616	DEM5D0E.exe	36
PID 2932 wrote to memory of 320	2932	DEMB26E.exe	37
PID 2932 wrote to memory of 320	2932	DEMB26E.exe	37
PID 2932 wrote to memory of 320	2932	DEMB26E.exe	37
PID 2932 wrote to memory of 320	2932	DEMB26E.exe	37
PID 320 wrote to memory of 1440	320	DEM770.exe	40
PID 320 wrote to memory of 1440	320	DEM770.exe	40
PID 320 wrote to memory of 1440	320	DEM770.exe	40
PID 320 wrote to memory of 1440	320	DEM770.exe	40
PID 1440 wrote to memory of 2544	1440	DEM5CDF.exe	41
PID 1440 wrote to memory of 2544	1440	DEM5CDF.exe	41
PID 1440 wrote to memory of 2544	1440	DEM5CDF.exe	41
PID 1440 wrote to memory of 2544	1440	DEM5CDF.exe	41

C:\Users\Admin\AppData\Local\Temp\54e80ee4581f8e2dc067ba5c2828ea65.exe
"C:\Users\Admin\AppData\Local\Temp\54e80ee4581f8e2dc067ba5c2828ea65.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\DEM741.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM741.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\DEM5D0E.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM5D0E.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\DEMB26E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB26E.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\DEM770.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM770.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\DEMB1F1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMB1F1.exe"
        7⤵
        Executes dropped EXE
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe

Filesize
15KB

MD5
f81856fbd3c36b73c7d52d32831f1c6c

SHA1
62173c6f7e3926935ed43a6f727e02c197df8684

SHA256
8af719b65a8be7c47d5731bc9932ffb3dc9a655153416d2e3a7eb314f983cd38

SHA512
584f978d94d503bdeb1070552f878736a3ef7fbffd7be2b58fef57617c323f268bd902fc54de9661d564ba7c0d92db80a1b34058a9f07aed21dd3836047487e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEM5D0E.exe

Filesize
15KB

MD5
b139160092c102867d5e5ffa06136bfe

SHA1
84f240d26051f265fb513b0202c4257d392ab87b

SHA256
71871ce3cfbd1e4e19b8c8b72bf71c633367ad5868b9b9ac4601c17b59775228

SHA512
d84d3d83aa8e1a5121ace4f2c9ffc917e64b6bd0a59474dd5074f05fb341e37ec390478e3037351c3e05061fa8e20a1575dc862285ccca251f933f087aea2749

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMB26E.exe

Filesize
15KB

MD5
9beb53213c4ceb7cf2b6b0e4783b3e41

SHA1
d9fd18ff35d1d3a33675ac126c87d28d7d5cc433

SHA256
99636b02c5e0ff2482a76d30b5e2c3281d93c6a96ea053dcde880e3ced8f70e2

SHA512
6b6c3fa6d7e02976053dd7a06046f8281058b51e436935af8d29f10389ded9e3b06cd3dd5cf13a30a5dc5f197f538f0ece4ec90d5ed89429a9c32fb91c3c1fc9

Download Submit
\Users\Admin\AppData\Local\Temp\DEM741.exe

Filesize
15KB

MD5
aa7a03b1e6b544ea04fef54da1eed91d

SHA1
1b854fe74de78783a1c675ab25320e3346c6d769

SHA256
a6471dab84f01a6e385e61ffb8d804448283be4035e113c3dedc6a00ab5aae21

SHA512
4b4a28014c7d6bfc3beaeac86c12e8de506ee17de6f2ae36def97132f9aafe6188f35e62222a9734d73a6cb9be80dbd7974629fce9784edf7fa686020fa54d99

Download Submit
\Users\Admin\AppData\Local\Temp\DEM770.exe

Filesize
15KB

MD5
90d5792058edef672f17995ee9a759b6

SHA1
d13490295ca3bf0a8d25705255653bba79454689

SHA256
ccc9abed5fd32087bef272371f17c1b1d320909f454cb132c01ec403d57ec03d

SHA512
dc78482cc452bb7478b74767b22e2ef9b6f691892a888c7977afa4264d53ec4f3f0a285d7c8a3fc1ac682a4a900c9d0fb4b4d557f18df8990bb05248980be47e

Download Submit
\Users\Admin\AppData\Local\Temp\DEMB1F1.exe

Filesize
15KB

MD5
c12c8ea38235a45c5e44a37811e9fa03

SHA1
da2bc1c6af2d17055b01573e8e202e06e028f7ba

SHA256
045b069f665e054707d32c2f513b4e19292ad7372ae82245f4bc259dd7f07448

SHA512
7607ef376a5a392386a09897e8f65e2b87592a98e6ea0bf94fde4940e5ca83e7e1d6f239cd7ae098dbcaa2227a0782bebf9450944570fdde78306274d40a28dd

Download Submit

Analysis

Sharing