2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b

General

Target

2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe
Size

12KB
MD5

0839abe90f40c7d5b5894494df0b2bad
SHA1

74d620cd9190d865c7fb5c39dd69ac2cfcb32e52
SHA256

2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b
SHA512

6ff671ba807057b6a140aea48f8007313cbca05128376f274846525091abae8bb2b4b3339e8b9b50880ea29d11c5a7cfba4e6dc3844fcb10bccb4e80c59c7202
SSDEEP

384:pL7li/2z0q2DcEQvdQcJKLTp/NK9xabd:Z4MCQ9cbd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2636	tmp4C9B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2636	tmp4C9B.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2708	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	28
PID 1864 wrote to memory of 2708	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	28
PID 1864 wrote to memory of 2708	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	28
PID 1864 wrote to memory of 2708	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	28
PID 2708 wrote to memory of 2560	2708	vbc.exe	30
PID 2708 wrote to memory of 2560	2708	vbc.exe	30
PID 2708 wrote to memory of 2560	2708	vbc.exe	30
PID 2708 wrote to memory of 2560	2708	vbc.exe	30
PID 1864 wrote to memory of 2636	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	31
PID 1864 wrote to memory of 2636	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	31
PID 1864 wrote to memory of 2636	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	31
PID 1864 wrote to memory of 2636	1864	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	31

C:\Users\Admin\AppData\Local\Temp\2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe
"C:\Users\Admin\AppData\Local\Temp\2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cmzi2yhu\cmzi2yhu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5245.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2CDB0DBB8114607A38354E22D1F7D7.TMP"
    3⤵
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\tmp4C9B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4C9B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
101f6df53cb3906ef5ff6e363b85bc00

SHA1
d675309c58843211e38da26d516c9a97060be112

SHA256
fa06cb6dfdbc7db828e6483378d209074034d017926a3ba72fba0a18973aa89d

SHA512
d9daef95c9d2dfa6c24bbe82002d396ccc42a8b8cde08c0007e63bd875491a2054f2b64f8a105a0ab064c09f087b16e28cba7a3104fd784e000be1cf4deef321

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5245.tmp

Filesize
1KB

MD5
49298eef42611327979a4f94c0d24168

SHA1
43f2d11f6562743a031b43ab9cdf2fce046e987a

SHA256
875ed7f69710279b9a693005fb5ca19a85fa170b5ae22bc310401a78aef8746c

SHA512
87ce35ea2495f31304446a2bd3330700685ab0d2fbf208bdb7e8af57d1641decb3e5ce3ea84f2edf73190c72702298f1e69446b007b7d3f9f6caf05a842e07f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmzi2yhu\cmzi2yhu.0.vb

Filesize
2KB

MD5
58abf337d148e7691fd75199a71745d7

SHA1
68d2bd869b6064f737b8dc3c3c8b705c85944bce

SHA256
51f7898353faa9f30c7f681b601630981e446ab2146149123f973e598cd4dd92

SHA512
7dab2b16649694c62b5edb8c3742ba1b761f38369cb9897ea665b4b4eca0d31e25eaefcc74e94050832886c038a6675c5e6c89e4d2fea6e065b529cd53e4fc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmzi2yhu\cmzi2yhu.cmdline

Filesize
273B

MD5
f71ecd67d86e351bc44fd824689fa1ab

SHA1
0915108a949b987eaa41fb71af95d3955e5bf5a2

SHA256
2641a5f144f3886ad3aeb5fc63ad70214f368638dee2c5716c4e5ef1552b9cc3

SHA512
8a11efb14f5458aad93968e16757f3605e98189510ef012141fb24736dcafe2f4c1fe97e9186d128c975876c9841e1f2fb3cb6b215238d23970eefefe7dbf263

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C9B.tmp.exe

Filesize
12KB

MD5
24cb66d6bd3e2cb1dcba448e33f222d1

SHA1
6649620f0a9322f0389402d9362ff98a1e1517a0

SHA256
ff2436ed0263920f9c28754ee25026e95f1a886e3bede1cbaee23ba90a7dd076

SHA512
32b47048ba7f9752b8d44f748b6e8ada9846e135d47e36f1b6a3690f7cafe36488737a2c93bf45d7a9c8f99fc74500c6d8051026bfc8c04c963714b87787f931

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC2CDB0DBB8114607A38354E22D1F7D7.TMP

Filesize
1KB

MD5
f829d5023e94f24c08708a721b7a5c30

SHA1
4a3bc3ea74b85f1402134fe77bed01b808b880a5

SHA256
eb1daf1d1a60f52dc9db7f792dc3f4e044cc9faa63c8d323e1a70fb39da7c45b

SHA512
fde047783e1ba82e185168ca73a7b82d1386fe966e64c88a3504e9037e185f96e362a4180e56def35cedc44670d0bf4c190405051a9ee38ba78224c875442377

Download Submit
memory/1864-0-0x00000000008F0000-0x00000000008FA000-memory.dmp

Filesize
40KB

Download
memory/1864-5-0x0000000004620000-0x0000000004660000-memory.dmp

Filesize
256KB

Download
memory/1864-1-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-24-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-23-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/2636-25-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-26-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing