510755ba53298b28033e7d27f2d06992552b40119f0552c80cab31be7d24890d

General

Target

66e48043907ecba24d751435d6cda970_JC.exe
Size

12KB
MD5

66e48043907ecba24d751435d6cda970
SHA1

14eed3aa0187f87e80701fa257cac48f8ac51796
SHA256

510755ba53298b28033e7d27f2d06992552b40119f0552c80cab31be7d24890d
SHA512

6691304fbfaf825bda69e00586dbdde347cda292f3b7053b9c6115c25599a0382b81de89a1ca43a5ba7b3bceac21f3fa5a795cb589cfe4a8435310734dbd399d
SSDEEP

384:UL7li/2zWq2DcEQvdhcJKLTp/NK9xaPp:C2M/Q9cPp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2616	tmp7A20.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	tmp7A20.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2576	66e48043907ecba24d751435d6cda970_JC.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	66e48043907ecba24d751435d6cda970_JC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1416	2576	66e48043907ecba24d751435d6cda970_JC.exe	28
PID 2576 wrote to memory of 1416	2576	66e48043907ecba24d751435d6cda970_JC.exe	28
PID 2576 wrote to memory of 1416	2576	66e48043907ecba24d751435d6cda970_JC.exe	28
PID 2576 wrote to memory of 1416	2576	66e48043907ecba24d751435d6cda970_JC.exe	28
PID 1416 wrote to memory of 2620	1416	vbc.exe	30
PID 1416 wrote to memory of 2620	1416	vbc.exe	30
PID 1416 wrote to memory of 2620	1416	vbc.exe	30
PID 1416 wrote to memory of 2620	1416	vbc.exe	30
PID 2576 wrote to memory of 2616	2576	66e48043907ecba24d751435d6cda970_JC.exe	31
PID 2576 wrote to memory of 2616	2576	66e48043907ecba24d751435d6cda970_JC.exe	31
PID 2576 wrote to memory of 2616	2576	66e48043907ecba24d751435d6cda970_JC.exe	31
PID 2576 wrote to memory of 2616	2576	66e48043907ecba24d751435d6cda970_JC.exe	31

C:\Users\Admin\AppData\Local\Temp\66e48043907ecba24d751435d6cda970_JC.exe
"C:\Users\Admin\AppData\Local\Temp\66e48043907ecba24d751435d6cda970_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lfvucjp3\lfvucjp3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB4F9227B74D4D4997BB2BE2CA2486D7.TMP"
    3⤵
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\tmp7A20.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7A20.tmp.exe" C:\Users\Admin\AppData\Local\Temp\66e48043907ecba24d751435d6cda970_JC.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7c118ed573e27fa4682122709fcf00f1

SHA1
e10f907fd0e1e80d0c51fd5c90916fd156f1b734

SHA256
adcb7b3919ddd9f76c3fd74b2a76d4bf08b26f4db702db4a747be92e9c9a8cf3

SHA512
ef477820396f7585aad5cf528e42905d91484000ef1e8ffbb7f44ec256a4f06e822acee5c1bd9df42d84e2a44b6ce610ecee0756619f8a692705d2a99d3e9599

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7DA8.tmp

Filesize
1KB

MD5
0fe7325139ff84f0009b90eaa016cd88

SHA1
12da186581f3c536d0b60f32e45ede1bd090328c

SHA256
2fce5ee32eaba650939d1ab1ef3718ee65ebe8fe8d7a89ae374798203dfa6e11

SHA512
7871d51d9b9d19d8212b2553f0ffdcc40380721edc59e0f10772422b8c55f1fa387dedd28e3dbafea24f8dcac587bd77ef892b01c94090a1b7ac7616b884d612

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfvucjp3\lfvucjp3.0.vb

Filesize
2KB

MD5
8ba91343750e7c4455d6fa3128c0149f

SHA1
ae24a2735c968566c21236df257ca670d543750d

SHA256
c04eede2b9e2bfebcf3554a374d1cc68ff1228918867ea23365373b98c0cf569

SHA512
36d7c57790b68326608e69cef7164ca7b683b6f20cb60190cae82aa24b2ed11a7d2ee4fe650534c817dd14516fd9ebd54fcdb0f6e75154cb8081432be57b928d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfvucjp3\lfvucjp3.cmdline

Filesize
273B

MD5
1db9f2f1ad234f39edf2dab1866ddcc9

SHA1
0de9a2d5987dde8f2fab0d7389276c9d4589b19f

SHA256
6b558e97ddcb50781a9ebc0f7617658a257e5fa98ddaca9a19410a878049797f

SHA512
a6855cf3025baf945fa68d6e031e63c7268616ee70cc69bb4d7e63f970406737a6a9d5e73b612e2e600480116e8cf9ace02c7415b27234eefc310e57efa7de1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A20.tmp.exe

Filesize
12KB

MD5
d43a4026a98dd4c765143872ba2891e8

SHA1
826a628e5253d79236acbd8dded951eef4c139a6

SHA256
bb2eb75f4d4d92c81f790bf8f1386049ed789f6df8b8635750d6939e83c1f750

SHA512
a1bb3a425106a9d7a9ac3ceea9d919566e11ae56cc4012fd97da66d40d8270c87cb1a981c2c6c560afd55721bcbdd75a4104e52c11b398bfd8c5714076071a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A20.tmp.exe

Filesize
12KB

MD5
d43a4026a98dd4c765143872ba2891e8

SHA1
826a628e5253d79236acbd8dded951eef4c139a6

SHA256
bb2eb75f4d4d92c81f790bf8f1386049ed789f6df8b8635750d6939e83c1f750

SHA512
a1bb3a425106a9d7a9ac3ceea9d919566e11ae56cc4012fd97da66d40d8270c87cb1a981c2c6c560afd55721bcbdd75a4104e52c11b398bfd8c5714076071a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB4F9227B74D4D4997BB2BE2CA2486D7.TMP

Filesize
1KB

MD5
37e1951f4eba6a2e2f17eb107dcb5fe6

SHA1
eac9b6ca485ff2b55b6e40c7ec639be58363b2a5

SHA256
57f32623c75c814de4ca4af66f15d19e5662c56be4a24d1c5ae60b67018ed3d5

SHA512
3695549fc7a92e37dcf1a306e9f94865699e55b3a1f08349b45d509511874cb9ebdf19582903631e89bdec73f499ea212d2c9ed1bbd3dc62bdd5259f4c964669

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7A20.tmp.exe

Filesize
12KB

MD5
d43a4026a98dd4c765143872ba2891e8

SHA1
826a628e5253d79236acbd8dded951eef4c139a6

SHA256
bb2eb75f4d4d92c81f790bf8f1386049ed789f6df8b8635750d6939e83c1f750

SHA512
a1bb3a425106a9d7a9ac3ceea9d919566e11ae56cc4012fd97da66d40d8270c87cb1a981c2c6c560afd55721bcbdd75a4104e52c11b398bfd8c5714076071a58

Download Submit
memory/2576-0-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/2576-4-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2576-1-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2576-25-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-23-0x00000000012A0000-0x00000000012AA000-memory.dmp

Filesize
40KB

Download
memory/2616-24-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-26-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing