d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f

General

Target

d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe
Size

12KB
MD5

a8fb127024233ae9d6b40caf8f90a728
SHA1

08561ca27e072752a79dbb456819ebb84871c0b4
SHA256

d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f
SHA512

c71a7303d305e74eb3007e182649849aec71ef254f29afc1a7daa4c459d2e3d65997e23d997d4c854255911eeaafcf2d7a4495ad42c71b4f9b9ab964eb4cc5f3
SSDEEP

384:VL7li/2z2q2DcEQvdQcJKLTp/NK9xayl:1mMCQ9cyl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	tmp1640.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	tmp1640.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2820	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe	28
PID 2372 wrote to memory of 2820	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe	28
PID 2372 wrote to memory of 2820	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe	28
PID 2372 wrote to memory of 2820	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe	28
PID 2820 wrote to memory of 2116	2820	vbc.exe	30
PID 2820 wrote to memory of 2116	2820	vbc.exe	30
PID 2820 wrote to memory of 2116	2820	vbc.exe	30
PID 2820 wrote to memory of 2116	2820	vbc.exe	30
PID 2372 wrote to memory of 2676	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe	31
PID 2372 wrote to memory of 2676	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe	31
PID 2372 wrote to memory of 2676	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe	31
PID 2372 wrote to memory of 2676	2372	d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe	31

C:\Users\Admin\AppData\Local\Temp\d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe
"C:\Users\Admin\AppData\Local\Temp\d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\02szfjwg\02szfjwg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1748.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D8203952DF4B1BA06A6973FAE496B.TMP"
    3⤵
    PID:2116
- C:\Users\Admin\AppData\Local\Temp\tmp1640.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1640.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d45cfadaababf5345a5ef7d15bdb860ef368a7c6a85e7d0d6679e6bba5b1676f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02szfjwg\02szfjwg.0.vb

Filesize
2KB

MD5
ef081f067188276981cdb5ec27a93402

SHA1
a409157a67cdf447130e893c587b9beb66502bda

SHA256
960a40806581774e162e5bcb464af7b5a817049102f53a6c26dbe4a25eecb90c

SHA512
f16c3166c7c0ab6d7675a1618f9771fb1881942d9fc127ec5c210bf435d2e6a1296d1c8023a9018465c37f040397fbf8c3725f4c57f7d8ec5b5dd3fe9c659ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\02szfjwg\02szfjwg.cmdline

Filesize
273B

MD5
2b70a8f6add826c05bd4161e4c443001

SHA1
85fbc7f0637fe94f67383a2c108b10cf98daca22

SHA256
fefec72220bc51a3e1fbacd4cf0a722c560fd690683c81c8fc7c9bf18308bed5

SHA512
39c832457567a1fb2358e58a6d5b9abab6969d510569c3d2b5235a2e669da7977d0df917c3adbd98c589ced300a911168c907d0b0b3c409a3e0786707a7bcfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
282ac9215e0580533243f12119041830

SHA1
eef83c957dae93d7f6e5fefccacbf6b2903a3b52

SHA256
b786e6a49518a39d115260582563c35163f61de23ddb518c549165dd0fafb261

SHA512
88f438d1e921fa44e2090d21f69143159bdeb9412d3e856f781c2ec3daa23b2fb9ad22e7c48a98f03911f01d761be5723a736cc9efbb044cc981e84b200bf8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1748.tmp

Filesize
1KB

MD5
82b7bf220bec86f540cede2e38bf0cca

SHA1
861ee9a0cb8b72e4f3b37038123af00863c1bb1b

SHA256
15b076143184c31657ced3fe2d9b2c66ddd2e9cda3af9ca8578e91c5a0221cd1

SHA512
7bd66c06dd587c99335ea3fbfdd360a476a207d1e8436a8de795d5354ed454d82f30d424a0ceb2166116034a7921df7e3fa79571cc04cd0427e0d50400c63560

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1640.tmp.exe

Filesize
12KB

MD5
2eda8f0826bdeaded90c38e5357883b7

SHA1
0dbe5e47b1b9c09a789b483c67a2f4d4961cc90a

SHA256
b04cbe623024f7f0803333f1ddf9825c7889a63facd97ae8ed1c2db36ed0018b

SHA512
d348226c01bdd5b348edfe76e8bf901de3d5ac0f146857a68ba1736db7124444db12888cea0c6f5ca1db30b79a54efbb56a3b9bdaedfdb4cfaa313a5fcff6cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5D8203952DF4B1BA06A6973FAE496B.TMP

Filesize
1KB

MD5
c81c426d9cc909692b76e5aa032b068f

SHA1
b4894e0eb838818360d44f32b92745c4d35b3a97

SHA256
9fbeddedd9526afa8058375a2f6053e671e5fb599bf5e816f19016e33a837378

SHA512
5722cefe2744306e91023ca5623f75a07ee2d412341d31d8f236236d1bd350bfcc48dc7c757340ffe0aebed77113041ec718e8cf85027095190db3cf0b87de93

Download Submit
memory/2372-0-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2372-8-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-24-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-23-0x00000000010A0000-0x00000000010AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing