3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12

General

Target

3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe
Size

12KB
MD5

b0510443d664e0b905d0eb0d437c8b26
SHA1

47695ccc9af844332e64308ee00d07610a885153
SHA256

3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12
SHA512

e8eeacf9cb65da281db439daa1bc472d29e479573da3992fdf458495037f630779c3bef7c77867d7f6bdc9a89a2e09392b469292d8adca685c6ce3f4e5a4207a
SSDEEP

384:XL7li/2ztq2DcEQvdhcJKLTp/NK9xaUv:bNM/Q9cUv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2916	tmp1C96.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	tmp1C96.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1228	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	28
PID 2140 wrote to memory of 1228	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	28
PID 2140 wrote to memory of 1228	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	28
PID 2140 wrote to memory of 1228	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	28
PID 1228 wrote to memory of 2668	1228	vbc.exe	30
PID 1228 wrote to memory of 2668	1228	vbc.exe	30
PID 1228 wrote to memory of 2668	1228	vbc.exe	30
PID 1228 wrote to memory of 2668	1228	vbc.exe	30
PID 2140 wrote to memory of 2916	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	31
PID 2140 wrote to memory of 2916	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	31
PID 2140 wrote to memory of 2916	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	31
PID 2140 wrote to memory of 2916	2140	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	31

C:\Users\Admin\AppData\Local\Temp\3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe
"C:\Users\Admin\AppData\Local\Temp\3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cucjgmfa\cucjgmfa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31DAD9D1D27B493C8640A0F1D822C5F6.TMP"
    3⤵
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
81b5ad21ad2f65849d669e20a8cba674

SHA1
f484b060a53c9648affcbb335017622788ff4658

SHA256
bc41b57e722500c85cc77c45b61fddd2d8d85995142dce4c77b9db691a4d9010

SHA512
ad84da235fb4c175212007b2edf697bca50b684f3e50fb552ab0c7e3687fb8d3d13d6838a6e821e48f2fe26eb732282e8626eecd42e3aad6d2cd4d825e4912ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E4A.tmp

Filesize
1KB

MD5
e62b4c9bcd7ba64a1da2e733eb4d2de8

SHA1
3de8f1aa244a5bb5cebc1007de914a4ed300c662

SHA256
2b65918cf46ac5f460c1d02cf6280ac51edf2f2acc93a11918fc5d80f6fb4c9a

SHA512
9fd3d44ed2b128631cff68089eb0334bb91df0cf4bb2637104bc8f61d248080fb4fcc26b1de5a9816c0de78d8a995995e5a94dde58b25ebfea4c2c91d39999ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cucjgmfa\cucjgmfa.0.vb

Filesize
2KB

MD5
6252f0e4921e8db9b34eede2a158345d

SHA1
c6a6b8b82d5c1569bbbd2cc1fc075ac4fa013627

SHA256
e93d0e467b11d238458372b1c284e08c5f2864866732f9af1c341502b76b4847

SHA512
45aba360d97d15cadf9203bf59ee2da8614fef255efa9d721780c2dd5c7ad8f5c9d2ed3849d3c0cf51635b097cf91e32aaebb434ff5124c0c9549ac407a21b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\cucjgmfa\cucjgmfa.cmdline

Filesize
273B

MD5
fbd709b07c1473b72cadf21838f7044d

SHA1
e4d265478844c0668a501e3ab1f3250578fa0915

SHA256
a18470b229d4de17ea046bef4130e14fbe0fb7817dabc064012f8cb31205b5ad

SHA512
1d8fa34ce409d8dcb971821ea875d1cdd965ae6a75aca9e2b90bbcf315cd38ef936b23a7ecde8eb0ef99679b76b682127e330f26f789050e6c19f4ec1eaea028

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe

Filesize
12KB

MD5
34531d69d4066aeed6f5903f522b6f9a

SHA1
e4c83cb92902f361d71f7da576b44c3e6ce34a9e

SHA256
11963f798272e6efbffa1fd340506b5b66ef9cefcea13a6798abba315e285371

SHA512
0ae7ea319e8a42d1af56861495a455202629e2a82271de8ef8dc6b7a322af901fbff54b46e0f44bdd0eb0d0629c75e563fd54a4b2a7fcabbfeda44b2b0ef4635

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc31DAD9D1D27B493C8640A0F1D822C5F6.TMP

Filesize
1KB

MD5
5bab6947c0a5d44162ca46938193b5ec

SHA1
af6bdd486a14cf45d72266378cbd28d0a2487ff1

SHA256
07c18bbf7c5683f88d6ad03f6f4fbe534614aef51ece97fa6f052eec09f87bfa

SHA512
db61a26f2e7fd15ca58ca2f67b9414742203ea0203b20dce7d5086d642e3177911da5c9c9fe15a4e89f86d5ac18ff2760e201415fb5c9bc0ace01fbb20b1d6f4

Download Submit
memory/2140-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/2140-1-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/2140-7-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-23-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2916-24-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing