5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8

General

Target

5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
Size

12KB
MD5

654bb6eb55d613bf3d91b448eaa473a4
SHA1

fffeaa09369ed614a787528d63e80b174fa955f8
SHA256

5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8
SHA512

95d9971db036ff91c6c2fa9be7be74aed5e8b77ecdeb2559ef7d72958ba54d70d1420a44f7b92f4bc828c0c691b45fb618aa9239ccc20846ae79b3a7a548e75b
SSDEEP

384:zL7li/2zHq2DcEQvdhcJKLTp/NK9xaZp:XbM/Q9cZp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	tmp1085.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	tmp1085.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2300	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	28
PID 2364 wrote to memory of 2300	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	28
PID 2364 wrote to memory of 2300	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	28
PID 2364 wrote to memory of 2300	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	28
PID 2300 wrote to memory of 2544	2300	vbc.exe	30
PID 2300 wrote to memory of 2544	2300	vbc.exe	30
PID 2300 wrote to memory of 2544	2300	vbc.exe	30
PID 2300 wrote to memory of 2544	2300	vbc.exe	30
PID 2364 wrote to memory of 2680	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	31
PID 2364 wrote to memory of 2680	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	31
PID 2364 wrote to memory of 2680	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	31
PID 2364 wrote to memory of 2680	2364	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	31

C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
"C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qtfothdb\qtfothdb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F293602BAFA4FD7A750D42B98D288CD.TMP"
    3⤵
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmp1085.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1085.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e0cc496447774b55a05fa60566b7b6df

SHA1
b1d3377e552cab3c4e069085bf588b1f4d88d4cd

SHA256
4c9653e493f406ffae4abb65fe82b48d9d1407f3c6e02cb4a56dbe0535fae898

SHA512
8a0bf85e41d9920e30140b292570b91996d45142bbdf4e485dfaa1e6440c2e5eae50a8c48321c6f93142b9b2b6ca5e25f4797d28741d65568de672cc8c20294c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp

Filesize
1KB

MD5
29c99368d09000c8cab6ff0ed04a0349

SHA1
ebd87d339e20650b994b97c426ba2c9303beb729

SHA256
3ef50b1f98a3f04bc4bb733261096c6b9147ef1b8b4f541206790a9e1d3b710e

SHA512
e4fd67103675d8b5351754c4da252632703ef13985dba7f14be8c5015556c3ed859a049d7814bb822d342e80d7bb4d2bbc1d97589a2024277da60260e8ca9ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtfothdb\qtfothdb.0.vb

Filesize
2KB

MD5
a28f799115c2ca7780e40c5775a00594

SHA1
ee4853760bf3e51e67e21eaab3daa31bd1955de0

SHA256
39b377e84b9e99d33fe69191e039252c97919745ede8f7c777fd885a0f65ec01

SHA512
4fc469328b6958b2a2bdf50809d996e974e3724c10c03d32a80abdb843a2375d940325211878428b0384b83e3fbb1c77dff16f06c9f5cd97fc4910623cd12cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtfothdb\qtfothdb.cmdline

Filesize
273B

MD5
abfd884b165723527b854108a72a403e

SHA1
51ab0a53239d962a9bc8cbc065477ffb123daad3

SHA256
9a31606f500943e8a8a010aa1fbf3fd9d5cd16e936941001b1799ea80ebc72fd

SHA512
52130115e0439edba2d415f6a7c36191c9734cd2c00fabcde3e58aa3cc8d7c8fee93bca5f49a05a1bc5d89f0d7beb80e07ee6fff2fd4b5b3980fb014a2cf8e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1085.tmp.exe

Filesize
12KB

MD5
11a71f77897727d9d9e12761847ba710

SHA1
e8aee6c5203250a35c92bfff0b9a9a1864d6b0df

SHA256
cecab6cda551c3f4f1afeeadf8a4cfc983423ec573a6c6d4feb6f86069982020

SHA512
c49cf5921e4b877448d769b4e6d0a1034ac8d4231c5a3155260b20e1788cc59ad087158811fb3311ed0f3e256a0b5012b3c25f1644e5dee5fa5b9a33d95911c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2F293602BAFA4FD7A750D42B98D288CD.TMP

Filesize
1KB

MD5
c69e2d9290d5ae2c25a8b7e3a2b92e5d

SHA1
947fd462f6c38dd52cc71b24d3c9cac90dfdc4be

SHA256
b79c577b06d516004768e6bd98cdbccd383d8c089dfeaba22406587166e3dd00

SHA512
eea3984379af66753c9bd7b1e133b8b355d97115e93bc296d67bb5280189d317b60ac930f183e007a87bee53ed8e9a013af3056d3e08316d238c2f6b85e096e9

Download Submit
memory/2364-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2364-7-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-23-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-24-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing