af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31

General

Target

af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe
Size

12KB
MD5

13cfc27ba2a7fcb26c537c9c613e6f0c
SHA1

660c977f4d56f736362f37741789da57c704c2e3
SHA256

af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31
SHA512

5c7074ed4d4be795c0df07468bfd795574bfb96c75397d84d135b2c2a437da4c684650c6f3149ad81a240cf7dcca8a4fe9da74a998b6f970d2d265f29566a804
SSDEEP

384:mL7li/2zpq2DcEQvdhcJKLTp/NK9xa19:AxM/Q9c19

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	tmp70FC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	tmp70FC.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2984	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	28
PID 2316 wrote to memory of 2984	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	28
PID 2316 wrote to memory of 2984	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	28
PID 2316 wrote to memory of 2984	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	28
PID 2984 wrote to memory of 2768	2984	vbc.exe	30
PID 2984 wrote to memory of 2768	2984	vbc.exe	30
PID 2984 wrote to memory of 2768	2984	vbc.exe	30
PID 2984 wrote to memory of 2768	2984	vbc.exe	30
PID 2316 wrote to memory of 2612	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	31
PID 2316 wrote to memory of 2612	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	31
PID 2316 wrote to memory of 2612	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	31
PID 2316 wrote to memory of 2612	2316	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	31

C:\Users\Admin\AppData\Local\Temp\af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe
"C:\Users\Admin\AppData\Local\Temp\af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifltaakb\ifltaakb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7417.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14D86DD21178418489F28E6B7878F0F3.TMP"
    3⤵
    PID:2768
- C:\Users\Admin\AppData\Local\Temp\tmp70FC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp70FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
15210095f5e51b3906c35a952adf4f34

SHA1
db24a64ca980bacaf27ac433a6ca10158517c687

SHA256
4f9b289383403695bf11ceb1eb524332372abac476d9ada4424177e27a93ab05

SHA512
31a92760e1d70800d79f802e52076218a01ee5bdb7c1093a687005ec451d08b9b3485f92c53344a89acbcf84d3b5b7030350845140e9c418d18b934befdf8166

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7417.tmp

Filesize
1KB

MD5
8752b62c71975cb7f4bf45287a91804c

SHA1
1044642505ec793f142acb4c3f339d55a9f8437d

SHA256
bb6c626e95b3e614222bdc2de0f7159b2f698a890e8b30ffa2d2aee04a743d98

SHA512
addea392792449b9ba5132fcb0e905c5338b3e9516f68b64b2404db393fa1b360f82a6fbfabd5656bda697032895f5a28f8c325ab8ab21fb214aef2cebf92611

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifltaakb\ifltaakb.0.vb

Filesize
2KB

MD5
823ef7aaae1ac87312a7dc9c5c70cbab

SHA1
e90ff193964e4448783f77292c89e681bd27b5a4

SHA256
3729679b8858f9c8b454bd768317bda2f1678bd3d8796a36fafa8c95efd50d17

SHA512
b6bcb9281cadd9f2ed5c45b59eb4a111b444ef7f5d21d6312465682dea67851f29b36b98dd2169c70ad77d1a76df8f038d321225cbe407e64f724a50bd754972

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifltaakb\ifltaakb.cmdline

Filesize
273B

MD5
1379569c985d7cf37d5336018a0fa6b1

SHA1
699bf25727ac3694790573111083218210f60e84

SHA256
30439cd5bdbb9e4bdaaf8c5a435de0527a2d44e146a11212b929b23a08eb027f

SHA512
078d5e3a6829326a0b0f75a0375cfdfef1ea0cbdd0e924f121711fc29c8e211f3dd1cf3eaf6775ccfeb2960f7bd56d3eaebf4503286b4521d5490253ea3898fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp70FC.tmp.exe

Filesize
12KB

MD5
e95d60e78c31f910f3a25742529577ba

SHA1
1be74f084fdd0e8a2aa2f74536e2530aa4ac0b54

SHA256
c3cedf30e30e68e330d108b94449f134a1c3165bb528bd8a816aa29675f438cb

SHA512
ddf5a34f8b687ad47d5c5ef344d32c6909eb83feb7c4a2d44a0dedd59c6e41e328ee0898b8ca597d6c6c993d866b1256e39bd577113dc569c98d0ae2eda2976a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc14D86DD21178418489F28E6B7878F0F3.TMP

Filesize
1KB

MD5
77891d5686e5273e342ef47f22d08bee

SHA1
d185cfbf9d3cb2801f0210ec704a967c25682b08

SHA256
3d0c85452e966f757b37610541369199c8583ca57ba8ca6a52eba4c76aa54666

SHA512
9a907ed24ba7248f5780e41bcdcfe47b44a2a58f64ce53f02767a6e68fee4924fd70a96a360b3b9c100e17743498f95150a3cb97a584d77e013e2577e2012259

Download Submit
memory/2316-0-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/2316-4-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/2316-1-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-24-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-23-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-25-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download
memory/2612-26-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing