b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c

General

Target

b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe
Size

12KB
MD5

67e81f88bb14393c53ed7b9054c35ba7
SHA1

a21010018af879adb5af4069d2b2e664fd9c670d
SHA256

b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c
SHA512

462a8796cdeb967f9bfd4eb92a637b266708df6654f969197f2332477a2f6d59ed44644c3f1a2217ec3016220e161b13e8e3def6051acc849c10fac1af3f4020
SSDEEP

384:BL7li/2z2q2DcEQvdQcJKLTp/NK9xabr:hmMCQ9cbr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	tmp1527.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	tmp1527.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2992	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	28
PID 2964 wrote to memory of 2992	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	28
PID 2964 wrote to memory of 2992	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	28
PID 2964 wrote to memory of 2992	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	28
PID 2992 wrote to memory of 2536	2992	vbc.exe	30
PID 2992 wrote to memory of 2536	2992	vbc.exe	30
PID 2992 wrote to memory of 2536	2992	vbc.exe	30
PID 2992 wrote to memory of 2536	2992	vbc.exe	30
PID 2964 wrote to memory of 2732	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	31
PID 2964 wrote to memory of 2732	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	31
PID 2964 wrote to memory of 2732	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	31
PID 2964 wrote to memory of 2732	2964	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	31

C:\Users\Admin\AppData\Local\Temp\b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe
"C:\Users\Admin\AppData\Local\Temp\b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1lbcxis2\1lbcxis2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1620.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD676494484B2419EBC3F83315B379B83.TMP"
    3⤵
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1lbcxis2\1lbcxis2.0.vb

Filesize
2KB

MD5
46f9325cb5ba380e93e7e6913e66f009

SHA1
5f545bcf5d018e7800b573360196d4f4997cb5a2

SHA256
7cc0bab34a2c42994890d045e6d70ccff14d7be62f3ec1c4c525354d8e1ef8e4

SHA512
121bc2e15f57d32c918f64eef6488948a59d4b0832408732452475c0f278ef6bbabb3d77604e91d8a881be32eb45761d87cbfa59be54ae4278ed8db3cbbab647

Download Submit
C:\Users\Admin\AppData\Local\Temp\1lbcxis2\1lbcxis2.cmdline

Filesize
273B

MD5
db977766e991a8a8c2eeb561a6c06ad6

SHA1
a4e2abb02aa822fbaf89de6e98e488cd8c322946

SHA256
2d5b41e1ef65533480b2a76e0f3999387f8073cfec7b1265cb223e5da85f066d

SHA512
6052593e0e9b2c202f69d5f208c5baeb5789471445a3ba2b793b3ed43dacf7ebe4c7f90bf5155beae73704b9df2ad5750cd0f97bc2ea349b8208a62af92dc979

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
30b13141ae626ecf4bfb255e49fa3505

SHA1
e697466f2974e9be76121e346ae60308ddb04d41

SHA256
335ff946435735b8ec09f864a886da860566c06c614532037d8f406367bf3bc6

SHA512
ed0c766b63ea1b519a96b5de461bcf8f32e792fb82a344a22061f3c94bff4cfc87883000a2296b4b9750b887f69f53a00d2236f6b1e25784ecfbd0301b24ddd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1620.tmp

Filesize
1KB

MD5
e9ca6c53fedc653007e98c06b5dabef5

SHA1
a777404aeedb6c52296ed342a270fd1391c53d95

SHA256
b1369eec4dcd6160f23c2abddbc70cf199f9ca33b7a912c60b8ab0e15a7b2aa1

SHA512
27d36e6e1d1d0ed453022e090e68fab7a28ad5e14aa4e1335170d7d3975d36bf9ece76dd82dcd2704e047d550f84109990ae2796a5a7725895616717bfc8086d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe

Filesize
12KB

MD5
2298c73d2c88af66087454b9fa47891a

SHA1
3d85de069ed8f9ec3e80e06c9c671418b54cc1fa

SHA256
ef57dbb78d7a30eef573d4c5f99123a3cf7ccf2279be5bf64f3bd71af4edc9f5

SHA512
4d0c0c560b2aa05c0f446bf5fb2dd88d8b1b96af5aa7bd6ca40923393d8374e1af2d065e65c896bd72b05096f90607254061f1f9d6710224515fa79cb0b7cbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD676494484B2419EBC3F83315B379B83.TMP

Filesize
1KB

MD5
d4da3afa8271d77128b2994d959f04ac

SHA1
0543eb1aaf430803d9a018887975ba9ca7fd96af

SHA256
bd96961e38887ca41a436f13b320c3b3171c9040d3fc8978764934a660ca6608

SHA512
99f3bcde8c5a5864037435505b4515f28f3bbe42b91d7fc4900fb3a223e398fbc8117ba2104a85c51c5bbbdf27473c91fcd8afd29480b6e931ec90607f02435e

Download Submit
memory/2732-23-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2964-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/2964-1-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2964-7-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-24-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing