6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec

General

Target

6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe
Size

12KB
MD5

72108d3d739b47036826de38114cec36
SHA1

4398dea1908d4c261a93acc7e54b9fefb18b2bf8
SHA256

6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec
SHA512

63955858fb994217e5608dff612caccfacf87638039a650bcbf2a8ab5f7c0d4a95314ad7e8c23a44ce028603b45723be6234795b8d99cfe353cbda45346d4e12
SSDEEP

384:xL7li/2z4q2DcEQvdQcJKLTp/NK9xaS9:xUMCQ9cS9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	tmp1BFA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	tmp1BFA.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2388	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	28
PID 3024 wrote to memory of 2388	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	28
PID 3024 wrote to memory of 2388	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	28
PID 3024 wrote to memory of 2388	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	28
PID 2388 wrote to memory of 2172	2388	vbc.exe	30
PID 2388 wrote to memory of 2172	2388	vbc.exe	30
PID 2388 wrote to memory of 2172	2388	vbc.exe	30
PID 2388 wrote to memory of 2172	2388	vbc.exe	30
PID 3024 wrote to memory of 2736	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	31
PID 3024 wrote to memory of 2736	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	31
PID 3024 wrote to memory of 2736	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	31
PID 3024 wrote to memory of 2736	3024	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	31

C:\Users\Admin\AppData\Local\Temp\6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe
"C:\Users\Admin\AppData\Local\Temp\6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dsuakkqr\dsuakkqr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BEABC01FCEA4A109E5330BEAC41371C.TMP"
    3⤵
    PID:2172
- C:\Users\Admin\AppData\Local\Temp\tmp1BFA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1BFA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4b215f4feba3705e9405697ca014baef

SHA1
8f0cc10ae1d95eab867a75d2b56d9b30d0137d8f

SHA256
26833e90459c4580b15d84df1224b34d779abcde045f1fd6c14382879111070e

SHA512
bf5928475db9cf3f16c93c6891e01d7074a170ef7e48cf0603f5fba93598d6f65869e8173ca275a70fd5a2ce2505a49b8eb5bdab962619605c1505dcd6d32a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D9E.tmp

Filesize
1KB

MD5
a6a7072dd88f72af1cdb61dd76858fe9

SHA1
8e6eb5ee2d4caf6d0e44b0ecdfc423383e9beb0c

SHA256
0f43ae6a883f75b5f673d56c1229ed774fc9c63d760d3716b10731938d61ab38

SHA512
3c42f4099a93de3080d4a8791b789976bbfb25018fe7008de0d86582b477f21518920ddb3be8a433d853b603db1268fbbec46188a97d145ce4d3bac8ec7c4306

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsuakkqr\dsuakkqr.0.vb

Filesize
2KB

MD5
06db6c094be9241427eaa19ae1767077

SHA1
ffa7d6765d7df2bc06b695789ad16b86ec159be0

SHA256
26c60bffcfa069721089f41a08be0ed869e544e68ce3fac625139128023cadc9

SHA512
80798aaeb55af2991918e500316869de1b9a63f9a8b052b68ddad54df292176f528a12c081e9ebd45644b4dda1138264d83104bf3a92f1fb532ffea5ab14953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsuakkqr\dsuakkqr.cmdline

Filesize
273B

MD5
7b95a1f9126f7a6b88b2e40509b4fe8a

SHA1
f0156b25b39d4c078b75ffff86db62b31923eb9c

SHA256
ec55247a7aa7596f07a0a26a3af19d42fa67a2ae6383786bf9855083cf94f27a

SHA512
9c7afcf018f5bf44f311b8dddc297895c3f88534341cf8a5b2f3706c3945e13942a80bb1cc0b90abcda7d074ec076e1fb293b732530e9a33cc8f43c84f37ba97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1BFA.tmp.exe

Filesize
12KB

MD5
edd12da7a05fcf29ec8f45db97796335

SHA1
1faf6b0265c7964183717c9d373a11337c387ca2

SHA256
9f93c40d711b488441a171f61c3a1a30b84ec8880c337cf7271bb8fbb089f2eb

SHA512
12d1dfa8f877dfc17abd924e7d20503a41432dfc4685fdc373db57ebabab669d51682100bae59c6e9a437768448f330420f7e8f58c1addaa0be64af95300786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5BEABC01FCEA4A109E5330BEAC41371C.TMP

Filesize
1KB

MD5
af916125d041d83587c8d3bc46a14303

SHA1
e74e6691c4f37412e2915c4be69b3992b58c6adb

SHA256
23aa73d741a46517f36350ec08b00935652293afdb80b26b6d7e34314a4d3709

SHA512
9afa5ce35cc6097622a40f2237183a745ab8a863562926a74ec41043b99fdd944c4aa1875ce5a59362f02e310e73ae62792933b7f9a5dc261f85f8526294e39f

Download Submit
memory/2736-23-0x00000000010F0000-0x00000000010FA000-memory.dmp

Filesize
40KB

Download
memory/3024-0-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x0000000001130000-0x000000000113A000-memory.dmp

Filesize
40KB

Download
memory/3024-7-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/3024-24-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing