30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc

General

Target

30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe
Size

12KB
MD5

1b59285a477fe4b5e68f12d1bc1c616d
SHA1

10c30c963d87cb973edf66ec53c60785ca217b7d
SHA256

30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc
SHA512

c057c09b5548b75806aac743c0680095a0b6898dd60f54cc861603b64af43d43f8bad37d7cffd1c3297611bc2f080fb260854bb0e4f031bc3f289619812aeb8c
SSDEEP

384:kL7li/2zADq2DcEQvdhcJKLTp/NK9xa2E:y87M/Q9c2E

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	tmp13B1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	tmp13B1.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2204	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	28
PID 2220 wrote to memory of 2204	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	28
PID 2220 wrote to memory of 2204	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	28
PID 2220 wrote to memory of 2204	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	28
PID 2204 wrote to memory of 2388	2204	vbc.exe	30
PID 2204 wrote to memory of 2388	2204	vbc.exe	30
PID 2204 wrote to memory of 2388	2204	vbc.exe	30
PID 2204 wrote to memory of 2388	2204	vbc.exe	30
PID 2220 wrote to memory of 2600	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	31
PID 2220 wrote to memory of 2600	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	31
PID 2220 wrote to memory of 2600	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	31
PID 2220 wrote to memory of 2600	2220	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	31

C:\Users\Admin\AppData\Local\Temp\30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe
"C:\Users\Admin\AppData\Local\Temp\30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4x0wjfs1\4x0wjfs1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES148A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0D53AAF91074A25A7D121FB1307DA3.TMP"
    3⤵
    PID:2388
- C:\Users\Admin\AppData\Local\Temp\tmp13B1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp13B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4x0wjfs1\4x0wjfs1.0.vb

Filesize
2KB

MD5
b139963a27db4811c68a7a26b73c0e7e

SHA1
e0bcfb15e71abb3e243082fe8502c4f3ba24069f

SHA256
1dc3c90653a4beb73c27c58c0d84487eb6f4c92074e3043b4234607453582b4f

SHA512
0b19af71232df6985887d8cbc0507a16d0dad6f46c8350de4f568b552234a9fcdb84b5f26f4605e8f3290857097a9e5e60a8ccda830ef3ea5908d93a92718549

Download Submit
C:\Users\Admin\AppData\Local\Temp\4x0wjfs1\4x0wjfs1.cmdline

Filesize
273B

MD5
7bae40a9ff2b778739f153e019b9731c

SHA1
2ce1e76696282c05e5a9b30029ffc06fe0e46d56

SHA256
afa57a7a83476534b6886b1d7000b2efb07932ac43dcd2b0a19b51aca8a5d380

SHA512
7f889c9ef9f4bc2964b1bf762b4773927de9e76d3b458e658735f43e13ca08b1e9ff58716a93fb0948a6cde076e47d8fed04e09b75a36acd93df4547f9dd940d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0f70b8bedec2b2cf66f1595f6127a65a

SHA1
79b631f95d2c8578dee882b1ba70279424b6c74b

SHA256
886a60e684a0f2da10f0cb4e2103554c755755d65d7e3fa68c1cb9d96c0a6b60

SHA512
07d52cb41b3aa5d227c9c692a804ebae5be292b4137edb05ee6ffaa6c002c627a046c8a4ecf4a5df9c17f55c11c864b94f60b00e7ffffd49635329359fd20b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES148A.tmp

Filesize
1KB

MD5
43fc1f35113a93e225314f9c2f9db374

SHA1
eb3fa7a82044e6ff8c6c1bebe5aed0cceab833b0

SHA256
a11aa76dc2ac9fda287984fcb259b5fb34c55845537910a12299faa21c33122d

SHA512
ecd0b1873034a6e0bbde8698d5de76d1e0b8a6526ad6ce1ee969300430afd120c8da97299b929d2529ca175df9c2481a826619719960af9975019b5a33def32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13B1.tmp.exe

Filesize
12KB

MD5
20014a3a7b82020551667aa0dc6a3cd9

SHA1
0d04346e31eb526fc26d6252344099a6e1f29e1c

SHA256
12bb451e7a879bca5e5495d3b23556b2dc76c8537dcd5c75e950b7d3eb12651b

SHA512
71c1bcca1804ef7a9481aca878c4196fa6d958be30578d24146d7252544fdc8ff6c1584b852e28f583fd42f16cf8bf3cc2d906502476544fde5273ffd906b618

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB0D53AAF91074A25A7D121FB1307DA3.TMP

Filesize
1KB

MD5
b093190eee5eac03994d55c547bbeadd

SHA1
0ed98918afee7af4be73e9cb592ab23197ebbb34

SHA256
c3208b5b341a8b1bf1b3f5288fec15bada8cb34b837f4f8bb8465e8600d95212

SHA512
008378aa4aaf7a59f7915b790e9e6fd20d06162ec67ef440b8b119322ac4463b0136580dfb51598271e2c0f73a2f7c115967c91959e5e06493d65b1648597205

Download Submit
memory/2220-0-0x0000000001350000-0x000000000135A000-memory.dmp

Filesize
40KB

Download
memory/2220-6-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2220-1-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-24-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2600-25-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2600-23-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/2600-26-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing