406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c

General

Target

406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
Size

12KB
MD5

aa580da9da1f259dec6d73c7207ea2d3
SHA1

a1bc7cb3e92ff308f1bd5d300d60dcdc98f30a25
SHA256

406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c
SHA512

7d1790d250666c952000c0da37e4971e8d2ece91d8f79786f30dafe7214631a2c7a9587386139e5b0cdc84fcf44ea9ba3797f81d71696c290527f4842b924fbf
SSDEEP

384:9L7li/2zsTq2DcEQvdhcJKLTp/NK9xa1R:twM/Q9c1R

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2408	tmp2C7E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	tmp2C7E.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2944	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe	28
PID 3028 wrote to memory of 2944	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe	28
PID 3028 wrote to memory of 2944	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe	28
PID 3028 wrote to memory of 2944	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe	28
PID 2944 wrote to memory of 2636	2944	vbc.exe	30
PID 2944 wrote to memory of 2636	2944	vbc.exe	30
PID 2944 wrote to memory of 2636	2944	vbc.exe	30
PID 2944 wrote to memory of 2636	2944	vbc.exe	30
PID 3028 wrote to memory of 2408	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe	31
PID 3028 wrote to memory of 2408	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe	31
PID 3028 wrote to memory of 2408	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe	31
PID 3028 wrote to memory of 2408	3028	406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe	31

C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
"C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m5ntbwkh\m5ntbwkh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93957A53C0C9420FB650A5D87D14B70.TMP"
    3⤵
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ae366dc840608dc87ce5276129a7a937

SHA1
fcbe5eab7c7bf3aa203902697ad45b7d20671c9d

SHA256
44267fe97b4ad2190018f8cff90d21eedabf9eb8a2d1101f56c5d60781e02877

SHA512
20d6d0beec03ff85d4fad8704ee27fa1f880c853edfc75c99a126bda6c0cde6e5cbb4c3bfa850c4194fbb0946be04617f5694547e4ea9a883649b00a5940b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D86.tmp

Filesize
1KB

MD5
cd227471e1d2fa9dde3b295de3fda24c

SHA1
6cf7c801bfac1456f45b2bae27f227f56418061c

SHA256
9da50796d1fef8e8e7a296c9d6b3342253a551494136ec3cc2edc639f6f5d935

SHA512
9fd8521154415a849fe29179ea56e42a3cadf939315fd0e4553445769671f507df6016beef25282d298b87c4d04bbd61831139c1f7e50cd37ad22568e05707f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5ntbwkh\m5ntbwkh.0.vb

Filesize
2KB

MD5
f687b4a2c6ff909be059bcb5c8479aaa

SHA1
94e2e52abd23b975d9aac8aa08e5ee2ddf455543

SHA256
041cdf972e05bf4d0c382ddd9e1ecbf2ef16089a1799459d10547e738e73af98

SHA512
0267e421c0e91cf1d27c30c4039a13906295fd4f335a4984eba1fd892e384819e74511c0adbcc30382ef1d11c162ae5fd867b9b6e3f7c2dea549c2c2459e882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5ntbwkh\m5ntbwkh.cmdline

Filesize
273B

MD5
692667aa5cc30bc8648699ec1c3644c4

SHA1
adfab60aa5ffdf1fc40f83cba2f23a7a179369e8

SHA256
af440c7ccc8c216a778b9d5803b7b874c86bbc107b303f2bfcb14c406d7f7c46

SHA512
0e3d692823dd557db16a8471582ece00ed2955183e1862256828e7c0a163e0fd022d05432924af76c06bf8aaf2e807bb30a6bf5fa6df55e40ec0f7f2a96f43bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe

Filesize
12KB

MD5
f06c842349a5ac821c2c977b2c4f6c96

SHA1
2dae3c9358c869606433417288713de049f119c8

SHA256
b82b756e942880a608243872b1d7a76941f2ec8e9709ef161a6d72a586bd282e

SHA512
7ccb419151d0547bea124022c625c5adda469dd01b28044147f193c7d0283fa14029e3f4a94190a4a2225da28d68a7dc2a6767b0518d04e26e54883006d3e8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc93957A53C0C9420FB650A5D87D14B70.TMP

Filesize
1KB

MD5
92ce27c88f0f824b836fc9d08e2a1d0b

SHA1
2d3039de3095115b303f64889712d0a0884efb5d

SHA256
b79ab0f2f030d79ded08f2b02e8ecdec97d0dcebbcf69007f4dbdfc995050fcd

SHA512
efc0cc201646eafb7727e0abf6758a1bee9f041ad8f2ec905f5a2caa9bfe9f7a8b0251480a67284df4bbf48037b37c9139fa35549f60b1eb15cfbc67626680f7

Download Submit
memory/2408-23-0x00000000010C0000-0x00000000010CA000-memory.dmp

Filesize
40KB

Download
memory/3028-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x00000000012A0000-0x00000000012AA000-memory.dmp

Filesize
40KB

Download
memory/3028-7-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-24-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing