0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810

General

Target

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
Size

78KB
MD5

9b4497259f9f858244023de231400892
SHA1

08600ea0e22ae8e5168ec56a359d75ae2cf9b413
SHA256

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810
SHA512

777ffca5982119d346d601c4a6b2e4cefae9e5c05b29312c0676d6ed45478d829524ff3a14885a6fc2e4a27235ad897021342b71665f890ccca2a575397432a4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp4905.tmp.exe

pid process

2996 tmp4905.tmp.exe
Deletes itself 1 IoCs

Processes:

tmp4905.tmp.exe

pid process

2996 tmp4905.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2996	tmp4905.tmp.exe

pid	process
2996	tmp4905.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp4905.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp4905.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exetmp4905.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1052	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
Token: SeDebugPrivilege	2996	tmp4905.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exevbc.exe

description	pid	process	target process
PID 1052 wrote to memory of 908	1052	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1052 wrote to memory of 908	1052	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1052 wrote to memory of 908	1052	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 908 wrote to memory of 2596	908	vbc.exe	cvtres.exe
PID 908 wrote to memory of 2596	908	vbc.exe	cvtres.exe
PID 908 wrote to memory of 2596	908	vbc.exe	cvtres.exe
PID 1052 wrote to memory of 2996	1052	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp4905.tmp.exe
PID 1052 wrote to memory of 2996	1052	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp4905.tmp.exe
PID 1052 wrote to memory of 2996	1052	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp4905.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
"C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hj0-2r5d.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA569891ADCC41608BF993838AFECB1C.TMP"
    3⤵
    PID:2596
- C:\Users\Admin\AppData\Local\Temp\tmp4905.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4905.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4CCE.tmp

MD5
50033cff34bbb3b4ea898402ff14ab38

SHA1
f50a71619e5844fed029c620e42bb16d7428f44b

SHA256
36a881a27321066a34ac0fed8b94ad8806ea0a43debad078ad941ad39e889797

SHA512
5d2ac420f53cb151827cadef46f3a73681d0ebfe9ec4da54ca1576ee0988d583b00f0820861a2e70d7de101a9bd95a3f79d4ffae6b8acb661658da3d68977451

Download Submit
C:\Users\Admin\AppData\Local\Temp\hj0-2r5d.0.vb

MD5
6d99deea0436e0f3abe7ff2e1b471542

SHA1
787f6e736717869aa5197970e5dda40a2d8ef5d9

SHA256
a774fa76482b79e9086da5c603c81f6e246cd61032dc004925e3dc720aafaa01

SHA512
e92ad5cf8e2f3a952b774d66a9526e403faf2772258f1270bb31de1bb39e48a983b7a1ba9b5345b30c5f14e3e6e5b2fd930f0f941d62d1ba7836664d6bbfe608

Download Submit
C:\Users\Admin\AppData\Local\Temp\hj0-2r5d.cmdline

MD5
52cf99c9bd16b4b01b91dfc26f4a6a47

SHA1
b2deda443de9df8d7714778fe1b58728133f13df

SHA256
1ceb37aecc0bb64fe68abf9c7f6c5ce56023ad066ace6639e425b937e9398ea5

SHA512
4554afa1c5a4703b84a3e408a30388b39eab3833b2b5c110fca527ca2c0cdfcfa76adcece3108a56bd17bf94f9b4cbf10f8924cafea47e07cbbe1020282c26a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4905.tmp.exe

MD5
6d39166faf3d138d312de1dd966af00b

SHA1
6bcd7313a3f5be5fbac5488db2302cf63010267a

SHA256
e7ffb13d1dd4371ed08c872e26e00658967c576300dd647911035a46acb7e0ac

SHA512
bab4083a2f00c0802240f60d97d8e2477dc275b678cb07d055eac284617c5d3ef840aba2684e3f462d2db3241825186eb6b16cca6d60f5646dce44abbdd55169

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4905.tmp.exe

MD5
6d39166faf3d138d312de1dd966af00b

SHA1
6bcd7313a3f5be5fbac5488db2302cf63010267a

SHA256
e7ffb13d1dd4371ed08c872e26e00658967c576300dd647911035a46acb7e0ac

SHA512
bab4083a2f00c0802240f60d97d8e2477dc275b678cb07d055eac284617c5d3ef840aba2684e3f462d2db3241825186eb6b16cca6d60f5646dce44abbdd55169

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA569891ADCC41608BF993838AFECB1C.TMP

MD5
e69aa063f3d26612f10940154203e037

SHA1
aeb07aba0e5cbf383f58b5241460105ef4841125

SHA256
d1d23584eb070ee95d6b1f2f167f499874d91695acd405e9348129bc7f3fe60c

SHA512
2ca4b4193959ff6040538fcd88a152299effaf1c35794cb08ca8c14f8376647a285b19f9d4833103ca03dfbb6ed7e3bd03ed7f9e9765f9046ac98c0bebf31398

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/908-11-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/908-3-0x0000000000000000-mapping.dmp

Download
memory/1052-2-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/2596-7-0x0000000000000000-mapping.dmp

Download
memory/2996-12-0x0000000000000000-mapping.dmp

Download
memory/2996-14-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2996-15-0x00000000005E3000-0x00000000005E5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads