b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd

General

Target

b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe
Size

12KB
MD5

131836f6c2487318b7115986acb22362
SHA1

bb37da903884a7be724405d7020b02ccf241cdbc
SHA256

b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd
SHA512

dbb89dda1b9d34d454206fb49ef3f425fa49ee9c6eb35d3622aaa6684967466e94015b40de8b0cae79e062c5d33639976f4d3243fa8aa73738194c192e8c66d0
SSDEEP

384:SL7li/2zEq2DcEQvdhcJKLTp/NK9xaBF:MoM/Q9cBF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2892	tmp6874.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	tmp6874.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2708	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe	28
PID 3004 wrote to memory of 2708	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe	28
PID 3004 wrote to memory of 2708	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe	28
PID 3004 wrote to memory of 2708	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe	28
PID 2708 wrote to memory of 2608	2708	vbc.exe	30
PID 2708 wrote to memory of 2608	2708	vbc.exe	30
PID 2708 wrote to memory of 2608	2708	vbc.exe	30
PID 2708 wrote to memory of 2608	2708	vbc.exe	30
PID 3004 wrote to memory of 2892	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe	31
PID 3004 wrote to memory of 2892	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe	31
PID 3004 wrote to memory of 2892	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe	31
PID 3004 wrote to memory of 2892	3004	b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe	31

C:\Users\Admin\AppData\Local\Temp\b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe
"C:\Users\Admin\AppData\Local\Temp\b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gbgguojh\gbgguojh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE16EA2F20FE405C91E42386ACA0DC35.TMP"
    3⤵
    PID:2608
- C:\Users\Admin\AppData\Local\Temp\tmp6874.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6874.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b555d50be8049452fdfcb1a4ec4e8399a1f0db55458428281a3ed3c3c933a4fd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e836aae86a524fd980a9cdabe2fa7147

SHA1
57444236eebbc1533f59cfe860866e4c582c0a3a

SHA256
da7237c9d90b505f311f44e8fd9227a828a21983c7630245fc0b6e6d3abe75c7

SHA512
65aeab8ba8e271f23a5ce8f8cf4fcdef738d7bc034789946c555b6573869a3b7062409b202278d4620b194f4d3c4d116f7cd4cfda620d02cb9483433eb5a6099

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES69AB.tmp

Filesize
1KB

MD5
33a2faf347f96e2bb3f9a2f4e9f50b78

SHA1
0f10fa1f0b733353ec7c042dbaadd84a043cc847

SHA256
2e05a9ff99ece2012540b4f34a619ae2579b00f38938cd592f04c1d01f2fcf0f

SHA512
d9df5e28548069f9ce3741af53dfdc2a05adee9547b58a14dc0c1ff2026d918e43881025084673a5ce95e2fc43dd28e390a916ebe66fccae9d0cd1531a3182d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbgguojh\gbgguojh.0.vb

Filesize
2KB

MD5
efbc82505e3e23540bb4b7f96962647c

SHA1
2fc1222b9266b35d7768ce721b110e7c45921b70

SHA256
859305c485bc6fe45df362ad63a3904f1fc78ebe17adfc218fefc0f9ae1445e1

SHA512
a1a23cc6ff3ba6ac6e11b98787671a1b23ee6db7bada213a142891e0a6cb11b5b518aff54ed8a57cee8211af0995de833a052f31a0ef374eafbf3c75dcbc6b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbgguojh\gbgguojh.cmdline

Filesize
273B

MD5
9c88d489354dd783e81480b367151b0f

SHA1
e5ca363ebaf719eaa36f5b8692964a4b485a28ae

SHA256
8d7b2a6cc4898a3f69883ca79ae6d22ad7daa7cacffcf50675bcbc6b39d9b7df

SHA512
97a429e2c55bc7906d0b2b2e073bb2220e59124b8c046354ab627af0778b02cea49b667f9750f8b4365db0bf9a551913f0d4e61a67a5f4a79bb33573bfca6673

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6874.tmp.exe

Filesize
12KB

MD5
f78438f7357703891f01c09a5ffe7da0

SHA1
dc96e2bcd947ab7def6d89438170dc762e4aa6b2

SHA256
7f2cc373131d4f5c1b4cdce7e6db6004c13757b1bcd61816850580c3a996fe4f

SHA512
a7ec4dcf78644a28eda747f387534e9d63e5ae349c42c9120afc2c381603841113f075fcc858d6fad5f8e728d21cb1b7b7309218b1e5582e6beb7fef37f94d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAE16EA2F20FE405C91E42386ACA0DC35.TMP

Filesize
1KB

MD5
9dfbd6cc200fc67e5322d67d7a1cbe53

SHA1
463ff2449182eef7e21bef4ac739200d2731bba9

SHA256
156916ff03a027fc9fcec448d6eda531aed81cc3976c66a708db50d6d2392767

SHA512
76125e877e5cba95458c1112dcd3b7473851cc68aeea8e142acaafb4c0459cda93adc1709b0b88e167a90d6e676ec08aa829326113461e75520aebd05a3876b1

Download Submit
memory/2892-24-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/3004-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/3004-7-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-23-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing