370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878

General

Target

370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
Size

34KB
MD5

8223ed91a842abd590bf94d3547648ca
SHA1

16911011bfd074c1e94feedf3099b7588bf64772
SHA256

370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878
SHA512

fff0c118ee8c2d32e88587d485b5ff8c2a67c516d4926fb84af4e99eacd7f8fb34e0732fb536bf51efd4ccc7554c45044e5c5945720700bd8f8ba8d9b2a29a1e

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe

description pid process

Token: SeDebugPrivilege 1092 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1092	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exevbc.exe

description	pid	process	target process
PID 1092 wrote to memory of 4440	1092	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe	vbc.exe
PID 1092 wrote to memory of 4440	1092	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe	vbc.exe
PID 1092 wrote to memory of 4440	1092	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe	vbc.exe
PID 4440 wrote to memory of 2836	4440	vbc.exe	cvtres.exe
PID 4440 wrote to memory of 2836	4440	vbc.exe	cvtres.exe
PID 4440 wrote to memory of 2836	4440	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
"C:\Users\Admin\AppData\Local\Temp\370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5bkgpkyi\5bkgpkyi.cmdline"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CDAE3A5DDD94F6C9C89BC106BFCA231.TMP"
3⤵
PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5bkgpkyi\5bkgpkyi.0.vb
Filesize
211B

MD5
8bf1f067bb325b1661d32546c57e8ce6

SHA1
3e993c7fcf91fc17c78a5c8e23b48bd2d285c32e

SHA256
348f4579b19f45c9c8a4bd1434a4641a775b728a17988d850f9f18793aa4149d

SHA512
80b393f2e12f48c962bddaf34d7715af9a4deaf7c535f9ebd006033c5376395d4bf560be06a942a26ee4d9d5e99ab7bddbe72b4546ea804c4f0110bd7eeb00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bkgpkyi\5bkgpkyi.cmdline
Filesize
203B

MD5
75a66fe5a7ffb6210cf42375ce250899

SHA1
1681ffe8b65c68ebbcf5c421c5eb99bba9218611

SHA256
7eba0da84fb0af3cc8b225ba2e79e5d07e59aba130220595af22358f275f408b

SHA512
0c18f344481eb6f55e0e0e3d9bbb9ad63839d9527eab0e23ddd05800a5edc3094eab142add4fe9b508edb768ec81010ad9fd075000d7f11abf508285e410e3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp
Filesize
1KB

MD5
7e67861cd1657f309acd86439e23ec37

SHA1
b1043e65d3bb97c683706bf2f3281e8e798927de

SHA256
4e7c2cffa7b931c649cbfb8dd0d42594a5771a622ed52cb542824ee4fd6e2f48

SHA512
1ff6478f35b56c2f4e5552fd89cac57c46c4442e92a145929898cdb22ae1beef2303072c9318962b3de90bfe06a498c499dff54bcaf7c02c0991076513acd748

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CDAE3A5DDD94F6C9C89BC106BFCA231.TMP
Filesize
1KB

MD5
e9144225655a1177485a6238f397718e

SHA1
0618d989814312c38b8005fc469222f891470642

SHA256
f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d

SHA512
392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4

Download Submit
memory/1092-133-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/1092-135-0x0000000005B60000-0x0000000005BB6000-memory.dmp

Filesize
344KB

Download
memory/1092-136-0x0000000009180000-0x00000000091E6000-memory.dmp

Filesize
408KB

Download
memory/1092-134-0x0000000003300000-0x000000000330A000-memory.dmp

Filesize
40KB

Download
memory/1092-130-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1092-132-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/1092-131-0x0000000003340000-0x00000000033DC000-memory.dmp

Filesize
624KB

Download
memory/2836-140-0x0000000000000000-mapping.dmp

Download
memory/4440-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing