188a88519c66ccf34bb1788bf1b249fcc3650046488a801dbe28f7dce722cfd7

General

Target

5da664cdb48a4fffccdbf453ef2e2970.exe
Size

12KB
MD5

5da664cdb48a4fffccdbf453ef2e2970
SHA1

5d0a90e78bfaa3634c3e5ceffbab5f9b31077538
SHA256

188a88519c66ccf34bb1788bf1b249fcc3650046488a801dbe28f7dce722cfd7
SHA512

bb7fb81090fc6ee1aeba577801b06caa1b82eda9ac16d23f674929bd590ce07b754bc3ef822f3ce125490f0bb54628fea4469e4b7e9133270f4a6d1ef6f79a9b
SSDEEP

384:pL7li/2zWq2DcEQvdQcJKLTp/NK9xaAE:ZeMCQ9cAE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	tmp2647.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	tmp2647.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1132	5da664cdb48a4fffccdbf453ef2e2970.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	5da664cdb48a4fffccdbf453ef2e2970.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1432	1132	5da664cdb48a4fffccdbf453ef2e2970.exe	28
PID 1132 wrote to memory of 1432	1132	5da664cdb48a4fffccdbf453ef2e2970.exe	28
PID 1132 wrote to memory of 1432	1132	5da664cdb48a4fffccdbf453ef2e2970.exe	28
PID 1132 wrote to memory of 1432	1132	5da664cdb48a4fffccdbf453ef2e2970.exe	28
PID 1432 wrote to memory of 1280	1432	vbc.exe	30
PID 1432 wrote to memory of 1280	1432	vbc.exe	30
PID 1432 wrote to memory of 1280	1432	vbc.exe	30
PID 1432 wrote to memory of 1280	1432	vbc.exe	30
PID 1132 wrote to memory of 2700	1132	5da664cdb48a4fffccdbf453ef2e2970.exe	31
PID 1132 wrote to memory of 2700	1132	5da664cdb48a4fffccdbf453ef2e2970.exe	31
PID 1132 wrote to memory of 2700	1132	5da664cdb48a4fffccdbf453ef2e2970.exe	31
PID 1132 wrote to memory of 2700	1132	5da664cdb48a4fffccdbf453ef2e2970.exe	31

C:\Users\Admin\AppData\Local\Temp\5da664cdb48a4fffccdbf453ef2e2970.exe
"C:\Users\Admin\AppData\Local\Temp\5da664cdb48a4fffccdbf453ef2e2970.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mdtkkkfj\mdtkkkfj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES279D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78B02EBB3D93499BB62533824F77D4FF.TMP"
    3⤵
    PID:1280
- C:\Users\Admin\AppData\Local\Temp\tmp2647.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2647.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5da664cdb48a4fffccdbf453ef2e2970.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1b6736e61cd284bd9ed369317ddf2816

SHA1
c5d90259f796ef5f5273d8bc2e33e56b75718a44

SHA256
c1c4d1cad7150ae8e4cc8673387428e5ea02656e1ac169225d717be1d17e9eca

SHA512
b4a6b37e4e8bd630bc93bd77b5b8c9c43e76d41e4aa61d61062e34fc7bf60ca38e86ec55d7d8777df958da28d52040fa5be656323ebb412837863506d8e72e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES279D.tmp

Filesize
1KB

MD5
424cee6f8c8c2ac2348771cdccf8fbb0

SHA1
cf8cf93c33c284182478da8139c25251cc858775

SHA256
de7e87b69b12560d25876c39f726987556624b3a07d2848d1a4796f5f72b4618

SHA512
0c38a65aaad03a796cde3bec32016e6c38845b4492af9478a57c701756f5f926ad12c76d95e4a7a695ef96f92abde52c3d1c501dad273abe90de3d47ef37921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdtkkkfj\mdtkkkfj.0.vb

Filesize
2KB

MD5
f821b7ca619fee37cbc116055abcebcb

SHA1
8448e4196effb57a6fa810bcb419c6583fd0b104

SHA256
f10a7e38e43e6e8b572428e42208ddb552489ac1bdcac1c74ed22ffa406b142b

SHA512
1ff90c3d515031b6670e2d00373065fbd086bf040358b6a633846ff2cac28670c5d17a2cc6fab3fe39d1e85ef82b3d6c48903964841fa32f5db3e19aeffa40a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdtkkkfj\mdtkkkfj.cmdline

Filesize
273B

MD5
15ba988aae68674e9670809b54197960

SHA1
897cf962a0a5c8551e05472d5a899e1c55306fb9

SHA256
6830eebf3183d6faeea2e177f972b41ed69538925e1c0b4ba913830a33516f20

SHA512
bae4eae4de6f01b4e5480efb0076984370ec6a6d379d76de876d43ecc114f81249368277b956a5d73e623b5d6b973d967cbda1da8d488d70a9d9f56860ee7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2647.tmp.exe

Filesize
12KB

MD5
d394c8354f58f0f1ce1502de127af88c

SHA1
5cbed208c2f2fa3ef146059f586aebf327157338

SHA256
77c94b45749aa0e79811d775944b48bcaaf78ae2669cc36d49fee08696843436

SHA512
5940fd1676a6cb4fec06a87f7626e41034db5d9bb8764407568f60ae9064a82b0f8e2ecf6ed75bfccd526901b056d47130227c82c47381d61acfc6a3a6b18a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc78B02EBB3D93499BB62533824F77D4FF.TMP

Filesize
1KB

MD5
9620977f9ce2c7f8f9a1550739387cd4

SHA1
e92d127563c3ea0b13da4fbe030b76d9970770ba

SHA256
e4f2d9170eac1b52602ecf2aa76fafd58147747f34fae5eb3aebb0e1aaf050d9

SHA512
3a3b6ad6218b223b178ef56249486b1373f72812a799588bc58d019cab705c1bc07fe9d1b4efc170564004741cbe14e61e155d6a3abcb0121971df82c68a8bb0

Download Submit
memory/1132-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/1132-1-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/1132-7-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/1132-23-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-24-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing