f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24

General

Target

f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe
Size

12KB
MD5

4f8e8ef8e4ad6d438c31fe807b372a0f
SHA1

6b7736ad89b50290777efe7bd6c0d55128c2f3c9
SHA256

f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24
SHA512

6b88ded9c0d57b06350d9a1326b45f4523190274ac0be8e00deaba82084bca5e38f1099f1e008ed88b5def46fefe5aaaf2f78b6c6ed37662b4bf9b4386779a1a
SSDEEP

384:6L7li/2ztq2DcEQvdhcJKLTp/NK9xa3V:ktM/Q9c3V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2268	tmp2C4F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	tmp2C4F.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2752	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe	28
PID 2972 wrote to memory of 2752	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe	28
PID 2972 wrote to memory of 2752	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe	28
PID 2972 wrote to memory of 2752	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe	28
PID 2752 wrote to memory of 2684	2752	vbc.exe	30
PID 2752 wrote to memory of 2684	2752	vbc.exe	30
PID 2752 wrote to memory of 2684	2752	vbc.exe	30
PID 2752 wrote to memory of 2684	2752	vbc.exe	30
PID 2972 wrote to memory of 2268	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe	31
PID 2972 wrote to memory of 2268	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe	31
PID 2972 wrote to memory of 2268	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe	31
PID 2972 wrote to memory of 2268	2972	f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe	31

C:\Users\Admin\AppData\Local\Temp\f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe
"C:\Users\Admin\AppData\Local\Temp\f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xiomhetw\xiomhetw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4F9A89CC54C4165B8D39C7713DD17B4.TMP"
    3⤵
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmp2C4F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2C4F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f5d5837f764fb21efb77c5182d0ab74c0ba8f9b1993e4c7ee29aec39a91a9c24.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b9ca5ce5be2d510033c1a94138aefb76

SHA1
23eb81cdb66e954eb42d2525c9955ee5feb6c6d4

SHA256
f08a2b8c3cb5df4b0b2008fb9a3a67841a600f6a5d0167587d6b6bed11cdb5e8

SHA512
7bbc39314737b40b763db66b6b69922d8233602c5069681df36db289b35f7814fd4dc757539520572d939a61b26331ad9e72bab9360162dd26942a19538e99bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E51.tmp

Filesize
1KB

MD5
e0fbd6c873656335f50f5699ff58acb4

SHA1
c9a9254e181721289632864cf2a69ae3c666eba8

SHA256
d0d9f46439dd68fd4cc935cde2a360dfcc91b3f57d745e535cdd1bd654e4ce68

SHA512
21d28e19e18daacd0566563409e83be77f97626c1ed920386c905c2e98cf0e08601cd67124da413a2caa5d89797e8be32ea43bede33f2f70fb51e5bf9062894d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C4F.tmp.exe

Filesize
12KB

MD5
0e1ce06920eec22045b4de174d46e5ed

SHA1
52c672270edd5c962ed7f06caeba250c7af4b10c

SHA256
57f00f31215461269c15af712878a5e8f576e057e20c7f069fc149d7010b8d18

SHA512
b627d42801fa62f92a0c76bdec64c0587cab0c9d591d10804b20bb75e97927132e2f5ecf04492fde999ffd289d095784ba703b5b81dacf1e0476cc6b05d6390c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC4F9A89CC54C4165B8D39C7713DD17B4.TMP

Filesize
1KB

MD5
4b06bf2e05cc7fbc2cdd47aa2f1736f2

SHA1
e9d1d9d63f182535efb4700b4143d1b026edf71e

SHA256
238c36c72a22ee5e3775a4aab51e638a7d7661f837b68826a0126651abc9604a

SHA512
78073a54bae7d44e764213877dab9b13b96da94dc8d3ab69d872d139e0c8f386cbe80f1982752565e92db80936f4854bcc29e3fd15c38f8274a113429749dd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiomhetw\xiomhetw.0.vb

Filesize
2KB

MD5
1fb152707f7b4cada2b46279904567b2

SHA1
7534f97594cb64948f80f40c82db9139c95c45dc

SHA256
44443251502000fea31e9588405e8231f031d2e11b3bdd353f853c48a235bdb3

SHA512
07242a8cc60239a229383bdf900ac23fae79b20ff3ac0bc63030a4f7eb58a438fa1a51b8d1cb537f2ecc5dd777e7eaacfca2c458933d44cae74330c1b2826111

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiomhetw\xiomhetw.cmdline

Filesize
273B

MD5
1fed010c9ed1c4018cd622ffc9853c64

SHA1
6652fc3bcde981667ac6b65bb016cb56c6d2717e

SHA256
69b312e46dfacc5dfb55be77f88084ab7155cb59d05ab6eb245152566b1e71d1

SHA512
1cfcf5e397454fcce444e741a4808b7a55f5f0a143e2741ada9bfe065bb706ea7565b62d2fa4bf3bc5a1ece3aeb02ce6cbceecfcda9450caf1617d16bdf86032

Download Submit
memory/2268-24-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/2972-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2972-1-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2972-7-0x0000000074B30000-0x000000007521E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-23-0x0000000074B30000-0x000000007521E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing