78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f

General

Target

78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
Size

12KB
MD5

113d39619618d12156042dbdf1e85198
SHA1

8a52ee431a00fc6a0553335620b91c7722e3110c
SHA256

78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f
SHA512

41c136aeafc19706d7e9a4c72a1d1baec69d080b4f65eee61bd340e8120a253afdcef4248944eca350aef14474a22341226b1d0287b761de979d5c68f56de01e
SSDEEP

384:GL7li/2zKq2DcEQvdhcJKLTp/NK9xao1:gSM/Q9co1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	tmp658.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	tmp658.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2904	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	28
PID 2352 wrote to memory of 2904	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	28
PID 2352 wrote to memory of 2904	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	28
PID 2352 wrote to memory of 2904	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	28
PID 2904 wrote to memory of 2984	2904	vbc.exe	30
PID 2904 wrote to memory of 2984	2904	vbc.exe	30
PID 2904 wrote to memory of 2984	2904	vbc.exe	30
PID 2904 wrote to memory of 2984	2904	vbc.exe	30
PID 2352 wrote to memory of 2596	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	31
PID 2352 wrote to memory of 2596	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	31
PID 2352 wrote to memory of 2596	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	31
PID 2352 wrote to memory of 2596	2352	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	31

C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
"C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\300gl1oo\300gl1oo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES751.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc475CAF372704ED0B7DB4F3EA1786DEC.TMP"
    3⤵
    PID:2984
- C:\Users\Admin\AppData\Local\Temp\tmp658.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp658.tmp.exe" C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\300gl1oo\300gl1oo.0.vb

Filesize
2KB

MD5
015de1b039da2f6db35ac94d83290bcf

SHA1
478d1eae654ab1c2a84b61fbf5b93419fba6ce21

SHA256
263423d2eb78bb9b41b127006479d3022a6f6f55eafce009e55453ed0339bbe1

SHA512
7f821806b344704dbbc5df5c8a514bf49081a4a8078de67e159e690cb8a050576ddfb389e7f21840aa759bbf6b4a8b82a4f3050ce3040e7355874809cc8a0ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\300gl1oo\300gl1oo.cmdline

Filesize
272B

MD5
be21c9d059602d7d755612c4b19623dc

SHA1
c52d1dafd88982a33867281d83304ed2df7fcb7b

SHA256
0f514b3a96f53d2a7817d3a09364bcdb2e4af955f883041a460afe961cc7827f

SHA512
0330aeaec9a00d1402612ff229e9e9d42c9cee36970830b842e4acb3ae7b8dcc094965a73e072127dc9623fcc76b26e74fd8eeaa9415edd9f4787be6a1dfbe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
82eefbf2f80eb2224c65493e7847dab9

SHA1
ee1f67ccd6e69d424bee459d8aecd7a27c40e954

SHA256
d812b8d44e1ccbb7ca9afe7250547e6c57b26e7da47cf76138bef3446bdda116

SHA512
f5ed9c5b917bfb31396082cfca0ae9f1805e6c27e1afb389f0d1be67cd79e694efcea743aee9a5da81043430f86244777a1700024b87cec9f2d590d64a8063ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES751.tmp

Filesize
1KB

MD5
fd4da11f3ba08475fe4748361e934f76

SHA1
c98d018874e8f676103f826b2a41ed097b19c489

SHA256
c66bab837fd382fc1a9de942a3385f87b7dea75b3cdee04f42f439451c659231

SHA512
f58441be76947ecc9c1251988c218ebe5a16c0f9c17f3012fd6bfba90982603ba63b470339cda39281402f6793341767c1d7098732f644c21be9b7fcefc0cd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp658.tmp.exe

Filesize
12KB

MD5
8e247be36f7789712741269403cc4ef3

SHA1
0d1b790efb889a3b694faa283782467f195953db

SHA256
dd3fd133f2a57d0b6e73c88df5fe62134e82da8afdb5bfffa5ea12689c8b171f

SHA512
d8f1769f062d4e816ec0e3f3844a1b4940a166ee52814a80b2a5c0c7c13ad865b8d7a517baeabe4cec2c1090c2cd0e3bda93e0e1b9199594ca41d484310a9f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc475CAF372704ED0B7DB4F3EA1786DEC.TMP

Filesize
1KB

MD5
c26ea6f05b6db76c16595986746cb4cf

SHA1
9b452f724d5624f6a121a092f329786ccc01e6c9

SHA256
430c75e8abe770cf5f2b510de300de5eb5b31ccb5f3b9e8412f0955eab9d35fa

SHA512
ef753440d43ff9ceb6bbb92407fc26937f0e62d63c3f138c2ce1edbdd9d24fb5fdd98274b551920dc63efbd4d100c2738d59a5483c18e24a13d47627da03e664

Download Submit
memory/2352-0-0x0000000074C2E000-0x0000000074C2F000-memory.dmp

Filesize
4KB

Download
memory/2352-1-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2352-7-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-24-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-23-0x00000000008B0000-0x00000000008BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing