c95c0a1bb19e0710cadf18a1a5919a4ca094bed708f8f5078e462417255483db

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f134fe8ba9f40562d5d95d31bd02c6.exe
Size

33KB
MD5

39f134fe8ba9f40562d5d95d31bd02c6
SHA1

f6b15e8b9c6e6b79694efc427bfcc0806802d3dd
SHA256

c95c0a1bb19e0710cadf18a1a5919a4ca094bed708f8f5078e462417255483db
SHA512

5a275e702f27b9e6b111ef8d6674acb0c31452a9c9cacd38c19a95ccfbd9bfad5dd6c4dca18fb89806d2de25a71335ba96aa7c01867f73d446db373589ab65fa
SSDEEP

384:bAvMaNGh4z7CG3POOvbRSLoF/F0QU5XYFnufc/zzo6cJ3v7TI8:bAvJCYOOvbRPDEgXRcJx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1788	demka.exe

Loads dropped DLL 1 IoCs

pid	Process
912	39f134fe8ba9f40562d5d95d31bd02c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
912	39f134fe8ba9f40562d5d95d31bd02c6.exe
1788	demka.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1788	912	39f134fe8ba9f40562d5d95d31bd02c6.exe	28
PID 912 wrote to memory of 1788	912	39f134fe8ba9f40562d5d95d31bd02c6.exe	28
PID 912 wrote to memory of 1788	912	39f134fe8ba9f40562d5d95d31bd02c6.exe	28
PID 912 wrote to memory of 1788	912	39f134fe8ba9f40562d5d95d31bd02c6.exe	28

C:\Users\Admin\AppData\Local\Temp\39f134fe8ba9f40562d5d95d31bd02c6.exe
"C:\Users\Admin\AppData\Local\Temp\39f134fe8ba9f40562d5d95d31bd02c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\demka.exe
  "C:\Users\Admin\AppData\Local\Temp\demka.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\demka.exe

Filesize
33KB

MD5
c7fb12bf5adceaac08090e1bfaf8de0d

SHA1
6c45f3f6bb52e1f7c12fcdfe78fcab651ea1c105

SHA256
7c676ed3c7b34922adb93fdc437a2aeb97976b01c652d57511945f1ef535791d

SHA512
b8733eed360e7bbad81f1c2d0ec179fab76e8e93dc68f10d8ab3686218285757f7e9394350cb8b690d4efe8c491783dbfb4f943c3c822f56d5945e84acf43a2d

Download Submit
memory/912-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/912-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-8-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/1788-23-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download