Overview
overview
10Static
static
10[DemonArch...f3.exe
windows7-x64
10[DemonArch...5e.exe
windows7-x64
10[DemonArch...a8.exe
windows7-x64
10[DemonArch...55.exe
windows7-x64
[DemonArch...9c.exe
windows7-x64
8[DemonArch...ac.exe
windows7-x64
10[DemonArch...0f.exe
windows7-x64
10[DemonArch...94.exe
windows7-x64
10[DemonArch...7e.exe
windows7-x64
8[DemonArch...5a.exe
windows7-x64
1[DemonArch...c4.exe
windows7-x64
[DemonArch...f3.exe
windows7-x64
10[DemonArch...8f.exe
windows7-x64
10[DemonArch...85.exe
windows7-x64
10[DemonArch...92.exe
windows7-x64
9[DemonArch...5b.exe
windows7-x64
10[DemonArch...59.exe
windows7-x64
7[DemonArch...0f.exe
windows7-x64
10[DemonArch...61.exe
windows7-x64
10[DemonArch...16.exe
windows7-x64
10[DemonArch...23.exe
windows7-x64
[DemonArch...6d.exe
windows7-x64
10[DemonArch...af.exe
windows7-x64
10[DemonArch...5c.exe
windows7-x64
10[DemonArch...52.exe
windows7-x64
10[DemonArch...af.exe
windows7-x64
10[DemonArch...fa.exe
windows7-x64
10[DemonArch...f1.exe
windows7-x64
7[DemonArch...7b.exe
windows7-x64
10[DemonArch...02.exe
windows7-x64
10[DemonArch...80.exe
windows7-x64
[DemonArch...c8.exe
windows7-x64
8Analysis
-
max time kernel
144s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 17:22
Behavioral task
behavioral1
Sample
[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
[DemonArchives]02352cbf001e9c8176a5b7d381ef9b5e.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral3
Sample
[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
[DemonArchives]04a8e202d70a574213680cdb7c82fb55.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral5
Sample
[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
[DemonArchives]07fe5f7c673e5faa200611f9cb716aac.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral7
Sample
[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
[DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral9
Sample
[DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
[DemonArchives]0d061414e840b27ea6109e573bd2165a.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral11
Sample
[DemonArchives]1192a915b81f1f7878472391f42cb6c4.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
[DemonArchives]14049d0a3afad0faa21ab1fff2e417f3.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral13
Sample
[DemonArchives]149dd5469233f52aa4287362ce85b88f.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral14
Sample
[DemonArchives]1df7772347bfd34ecb1685a1ba69c285.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral15
Sample
[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
[DemonArchives]1ee7f65b0c08c4ff7e1047c14851575b.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
[DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral18
Sample
[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral19
Sample
[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
[DemonArchives]26add802e0e75416385317658b116216.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral21
Sample
[DemonArchives]2bf9e607accd325cfb734cd594b00723.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
[DemonArchives]3825817f6028f26ff0b5cd748559286d.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral23
Sample
[DemonArchives]3e70eabf850c2134ac1acd815a2a90af.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral24
Sample
[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral25
Sample
[DemonArchives]42971155e95ad8ace7b6fc53d70fb952.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral26
Sample
[DemonArchives]47522f57257b441811cf5f87c9118faf.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral27
Sample
[DemonArchives]4782545d269557614be88caef0383cfa.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral28
Sample
[DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral29
Sample
[DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral30
Sample
[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral31
Sample
[DemonArchives]550ad0e50316dfca7c0bfd14f9060880.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral32
Sample
[DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe
Resource
win7-20240221-en
windows7-x64
General
-
Target
[DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe
-
Size
2.3MB
-
MD5
4c1ca9436c971190f7082f5c108a007b
-
SHA1
a0470142078e03bf83169e552a64cfab44e78161
-
SHA256
09e2c5ca4563ed428e6605eb913334e0d6b5d54a71a78430f7e2ab04ee019f18
-
SHA512
c8cec318444354e8629d605f6848550aeceed2b1c20c5dc7c6dc0d0115b42a5d9925ae970e799c8c383ca48d71f3a7626196c21ed3b211d81a8216d601d58ef4
-
SSDEEP
49152:VtRTbTA8wMrztXdpuBkGZ+PyZAsQmPrx7tAwi2x8xp:9bTA8wMrz9mBrZ+PxsQmPrx7ty2x8v
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\xdccPrograms\7zG.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\jar.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\jarsigner.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\javadoc.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\ieinstal.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\appletviewer.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\mip.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\msinfo32.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\elevation_service.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\setup.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\extcheck.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\jabswitch.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\javah.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\notification_helper.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\jarsigner.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\javac.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\javap.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\appletviewer.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\apt.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX4696.tmp [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\jar.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX4695.tmp [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\sIRC4.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\master_prefere.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX4674.tmp [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\java.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\chrmstp.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\javac.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\7z.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\7zFM.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\TabTip.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\msinfo32.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\chrmstp.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\master_prefere.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\elevation_service.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\apt.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\javap.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\xdccPrograms\7zFM.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\7zG.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\xdccPrograms\mip.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\javaws.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\ielowutil.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\java-rmi.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe File created C:\Windows\SysWOW64\DC++ Share\javadoc.exe [DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
62KB
MD5b126345317624479f78fbf30b3a1fe5a
SHA1655c966bf7bbf96ee49c83062d30b9dba17d693c
SHA2568723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301
SHA512d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d
-
Filesize
2.3MB
MD5739b62bf6f42f7d7bca3a77ec309e439
SHA1bc02203c1ba3e720225ee5f26cb23ff8d101ad99
SHA256133d425a8e5738b69e218ebc1bd2a4b7035365d8d7b21c4e8f81db5d81cc78f7
SHA512ba81c352d45aabf2441977360988dcd36942d675811f92afb2e5b53ae2a06ab6aff44e05fe599d120a06cacd6b4120d98352bad78fe0b81c174eb2bc044cfe01