3ac8676a1a323bf1b9346c002e4cc9e67b976d16607ff85b95ef1ae7e0774830

General

Target

59e4d7381bc4f6fb0ecab5dae0ea4524.exe
Size

78KB
MD5

59e4d7381bc4f6fb0ecab5dae0ea4524
SHA1

ff2069e6e43edbbcfdb1d3af7dea764b7cddacec
SHA256

3ac8676a1a323bf1b9346c002e4cc9e67b976d16607ff85b95ef1ae7e0774830
SHA512

f1479b03154d3bfbfefd8bdafc9901b358899e1ae53d4d9c31057ad154c39078fad54fecc6348c64a697e20f9163a3eeb5003ee2945d06bbff47d8b752e270c6
SSDEEP

1536:buHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQteR9/+R1rI:buHYn3xSyRxvY3md+dWWZyeR9/+Y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	tmpCFC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe
2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpCFC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe
Token: SeDebugPrivilege	2744	tmpCFC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 616	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe	31
PID 2988 wrote to memory of 616	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe	31
PID 2988 wrote to memory of 616	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe	31
PID 2988 wrote to memory of 616	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe	31
PID 616 wrote to memory of 2236	616	vbc.exe	29
PID 616 wrote to memory of 2236	616	vbc.exe	29
PID 616 wrote to memory of 2236	616	vbc.exe	29
PID 616 wrote to memory of 2236	616	vbc.exe	29
PID 2988 wrote to memory of 2744	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe	28
PID 2988 wrote to memory of 2744	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe	28
PID 2988 wrote to memory of 2744	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe	28
PID 2988 wrote to memory of 2744	2988	59e4d7381bc4f6fb0ecab5dae0ea4524.exe	28

C:\Users\Admin\AppData\Local\Temp\59e4d7381bc4f6fb0ecab5dae0ea4524.exe
"C:\Users\Admin\AppData\Local\Temp\59e4d7381bc4f6fb0ecab5dae0ea4524.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\tmpCFC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCFC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\59e4d7381bc4f6fb0ecab5dae0ea4524.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8a9fiqqa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD78.tmp"
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8a9fiqqa.0.vb

Filesize
15KB

MD5
23bb940f688ed26c9c80783f5f2f9022

SHA1
ae9ffd6995131db458428d1cf7fc34117953a22b

SHA256
4ee64a38dc74feb54be2bdcb2a17de1ec6e8e5207051654352ab920562ec0101

SHA512
c08ed8abf789715c6c049ab1805c81e215b0635d922ba1fc9c79ac6f2da2e4f879b2cff0448affbe0cffd7f0d9e42b98f7514701e7ede221569190b7ff46a15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a9fiqqa.cmdline

Filesize
265B

MD5
8016e53a39a442f055a89b32be9b5760

SHA1
0839ef3d80f49183c0f3d69a8beea0f25677658d

SHA256
4e3d32db3cd4b3a7d235badaf8ace564877d21002e7fec6582fbb673bc8bfc39

SHA512
fe72faa2076465fe4c2811bdef00f2ba917cc0ccd8b9b58bf048c6f7ba2dc154ffa9e60640751ba020a0e39fa09451ec0016b17b8cf2270de5e4762794223f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFC.tmp.exe

Filesize
78KB

MD5
8e5c1473f41d84e6491e7e5289809c7a

SHA1
c98f8952185f41c505d57e55c1560d94ab2ac976

SHA256
5fd911556b137792c054739ee9623a61723f44959b4e34eabc580ccb504561ca

SHA512
a00caa1975792ed92cd75c3146a81188adb30265b3dac7420f90a7cf154e9ff08e1ade87b539fd8f5007e0fd41a5d486e22953da6beb570ce80ab2c1f7098794

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD78.tmp

Filesize
660B

MD5
28bb4a84cb195a68f3d6f0d84648251a

SHA1
7a188c28b632d14d1aa6305e5c801b6cd46b8074

SHA256
34dcb87fb3c7b352d2bb2d88edc1b6183586e239b8962f64930f8f0c97a32654

SHA512
d5751712beec3ed446dfd48e1f1171acc374723f11d25c5f0e0252345a345b0122f0aff8f069df3b677b6dabe47101a08efd15413d090aad9fab7802407aad68

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/616-8-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/2744-26-0x0000000074FA0000-0x000000007554B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-25-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/2744-24-0x0000000074FA0000-0x000000007554B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-28-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/2744-30-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/2744-29-0x0000000074FA0000-0x000000007554B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-23-0x0000000074FA0000-0x000000007554B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-2-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download
memory/2988-1-0x0000000074FA0000-0x000000007554B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-0-0x0000000074FA0000-0x000000007554B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads