c9639ea18ab5b8d22599884c025474dd5d1e8a8b86ce64ef6e7f531861210397

General

Target

c516f4ea1d63d75b0eaf0a1db02a3530.exe
Size

78KB
MD5

c516f4ea1d63d75b0eaf0a1db02a3530
SHA1

f2d3bb4d1d31c315797513b64454d6e12c0a95e2
SHA256

c9639ea18ab5b8d22599884c025474dd5d1e8a8b86ce64ef6e7f531861210397
SHA512

420022d4a20a96f15d10ab59a3de08545149e872637237d7bc3574790bb5e92883bbf449eda5880bb4fe4a59650a1fc0230a69358c846862b612dd2733193ebb
SSDEEP

1536:PuHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtLb9/x1JP:PuHYI3DJywQjDgTLopLwdCFJzLb9/9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2548	tmp8F6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	tmp8F6.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe
1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2892	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe	28
PID 1720 wrote to memory of 2892	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe	28
PID 1720 wrote to memory of 2892	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe	28
PID 1720 wrote to memory of 2892	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe	28
PID 2892 wrote to memory of 2024	2892	vbc.exe	30
PID 2892 wrote to memory of 2024	2892	vbc.exe	30
PID 2892 wrote to memory of 2024	2892	vbc.exe	30
PID 2892 wrote to memory of 2024	2892	vbc.exe	30
PID 1720 wrote to memory of 2548	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe	31
PID 1720 wrote to memory of 2548	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe	31
PID 1720 wrote to memory of 2548	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe	31
PID 1720 wrote to memory of 2548	1720	c516f4ea1d63d75b0eaf0a1db02a3530.exe	31

C:\Users\Admin\AppData\Local\Temp\c516f4ea1d63d75b0eaf0a1db02a3530.exe
"C:\Users\Admin\AppData\Local\Temp\c516f4ea1d63d75b0eaf0a1db02a3530.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmlzvkqq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES993.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc992.tmp"
    3⤵
    PID:2024
- C:\Users\Admin\AppData\Local\Temp\tmp8F6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8F6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c516f4ea1d63d75b0eaf0a1db02a3530.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES993.tmp

Filesize
1KB

MD5
d43b83a6c03bf627c88f91f2f27d40dc

SHA1
b5e45a8ffa36846936eb340b461eef4da52b5af8

SHA256
7d991f699e8269605623daa5de1b78c0951c2a8ee40cdbdf39bdd4997d00013a

SHA512
4e1047fd6be7f430688bd4f32dfd087e8e9598f4ba6d2f3170b22b4c675ec52bdc141d65903f51c4f819d3a5576febf495f394628e242643db0b6d4516ed3007

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmlzvkqq.0.vb

Filesize
15KB

MD5
ae720129baa46a31e8553c10776dd760

SHA1
30c699088661035f6e1800b90958c4fedddbf1ae

SHA256
e2560cd0fa0bd16bd3c68b1f61c46030a1e4bedd107f6117b802f79460c41d34

SHA512
5a69d6e7102bb1df64c3485103a4ed8726de0fc7a5fa5c0449af734d84759ff481a4c12d219566011ff3b9362c8a8842c8b7f85d32e7c2faf004a03de4e77ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmlzvkqq.cmdline

Filesize
265B

MD5
b4d58e4d0a95bf54abc1c9a41b681c8b

SHA1
c7026a3190a71daa60928de0be729df6294c8cdb

SHA256
3905e19843e0c99c0d8582a376c319cc925e98802f96176cec4c1f3d6ac407c5

SHA512
141f3997a07c33fd77f6572824ae4340154b5c1c1eafd6a96ff66456257bae80ef3ffbebd2fdca4deed884e732ef769ccafa02544ec22705455bb927844b2669

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F6.tmp.exe

Filesize
78KB

MD5
c7800b54189246b9d74e30134ef2e181

SHA1
3997d6a597927c002fd3f006d07b80f91920a5e8

SHA256
137adf82f67931bac90fa42619081cff60d13856aba8456822055ac272db7f90

SHA512
d9d8eedbca48d8c9ea30f626b9a2798b105f47bbb6894de921bd6074579ee065a75774c0eaebbca3eb267b7118064be9dbb44baea5c756f39ad322dabee9436c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc992.tmp

Filesize
660B

MD5
ea97cc14435b313777992da4ad9d593c

SHA1
0714e9d4b0bc09fdc98c41984955860a918d91f5

SHA256
15c4641120b9901afdbead80c5e34698f6d87b70054d263e0b881f8500ca68e7

SHA512
428bf5cb3079a411ae8271c5dc00cd5919743818099200531f08d08f91179bd8a3cd1b11b1a0463514b1aad8537c346fb234e8c3a042199a78d06da54f9f7ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1720-1-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-2-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/1720-0-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-22-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-23-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-24-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/2548-25-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-26-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/2548-28-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/2548-27-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing