fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5

General

Target

fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe
Size

12KB
MD5

b0338799a88d338eefaa7776183c53ee
SHA1

b0c4ed08e0f8feaabc51df4bfe0c17d7e88f7f1c
SHA256

fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5
SHA512

7d7834acc291b399e47d8cb72ede706a902f7c8d637d51d34658ecccb13da5916a56a6137862421102bc851836aa37ce3803a3e7d8b4547343198d547f8755d5
SSDEEP

384:JL7li/2zPq2DcEQvdhcJKLTp/NK9xamN:5LM/Q9cmN

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2524	tmp13FF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	tmp13FF.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2192	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe	28
PID 2196 wrote to memory of 2192	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe	28
PID 2196 wrote to memory of 2192	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe	28
PID 2196 wrote to memory of 2192	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe	28
PID 2192 wrote to memory of 1868	2192	vbc.exe	30
PID 2192 wrote to memory of 1868	2192	vbc.exe	30
PID 2192 wrote to memory of 1868	2192	vbc.exe	30
PID 2192 wrote to memory of 1868	2192	vbc.exe	30
PID 2196 wrote to memory of 2524	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe	31
PID 2196 wrote to memory of 2524	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe	31
PID 2196 wrote to memory of 2524	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe	31
PID 2196 wrote to memory of 2524	2196	fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe	31

C:\Users\Admin\AppData\Local\Temp\fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe
"C:\Users\Admin\AppData\Local\Temp\fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ubbr2vro\ubbr2vro.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1545.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD8ACA64EFC04C91BC2386DB2D529938.TMP"
    3⤵
    PID:1868
- C:\Users\Admin\AppData\Local\Temp\tmp13FF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp13FF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fb8260032b0906752fc0525422e383fcf01016dfc6c2c423d8745fc50e388ff5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
8d1ab3e56eaeab9f7dcfd3e1dad5d8b8

SHA1
550a892ce11fb89be2f1a71dddab924539d06d6e

SHA256
f7ec92b3ef6bf79b54b7f8e53562f995c4854912e6151d1505f420af0c477ae4

SHA512
f6376d6aa4b5a625f846162912014e194bfcf49ca02bd58a8789b956c126fabccb3ed5488c75b2c05eb80ce793f790f4e7caf9bca6f77fccf59c6e806dc8a166

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1545.tmp

Filesize
1KB

MD5
da0ad656dc0e3db4a28a654984448fc5

SHA1
da77f06c71343fe44d1dc8bcdd6335114cc4f801

SHA256
d2fef4857267df6db9ab85ba906fcebf10479fb1cfae06510a133c8c11dce098

SHA512
8f8a5afefa3109b2bc50d6492c23c64b40b4d52740e4952142c69cf7597145bbd7b48a3458daf1ff8b52008a4b8604dc1e321ed4d025fa176392940ed295a3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13FF.tmp.exe

Filesize
12KB

MD5
0d7f6ce51c106555ec4f12e259aaba57

SHA1
d10f4da6672f8c4f58626f5462c3ee41cf2e2a53

SHA256
a732bdb7d43a733bbc19ac74b8b3ac7107fab75a57b0cc35a0fbd4541b55cd98

SHA512
c9c6dfc33660d2a81472e7fd3345900557b7e835cbf1e36fb76797c8bf60b1504ee62bdd12c793c7caf3279b5f3437d62be2325a0cb1207b8f2d0589401baa15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubbr2vro\ubbr2vro.0.vb

Filesize
2KB

MD5
42c85cb82c2f5dd188a0bf2d9af10377

SHA1
ffd30dd49ab38e9b361af925032605e16dd0ef28

SHA256
f89442ad2ddabe4763c491f3b6de0255495da019696a0877762c34667b50fd70

SHA512
216b9b9376c44617374a0ab8150bbf98d2770060c6f9177968dcf79ac09933797b0c116cf196f18baf3bff4623e4e53f40dcf53e0e9a7d12eafd256632e14971

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubbr2vro\ubbr2vro.cmdline

Filesize
273B

MD5
313bf56353ed296fe44a933e0dda50f3

SHA1
fdee734d17a5d4a71902f9d5904ef1c4ecdf8b3e

SHA256
7496c6d80c51f5734e58be85c7a90d8cba318512487f3afa49323b235f3fe644

SHA512
979e8ba2173dcf3130bfc60cf896002750f207addcf08faebee7a53d6357d3ecd25f1d2481b31a4aae2c89892c094652e29fbf079ef3dbd36d52482f106fa9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDD8ACA64EFC04C91BC2386DB2D529938.TMP

Filesize
1KB

MD5
23076dfbb55c010f2a6f161a559d81b9

SHA1
2d1a24d9500a448a02be8f42743598f437b59501

SHA256
01fea6d5b1a4ef00babeaaf2b0f39c84bc45ec0c178d40327f84764a609e063b

SHA512
39e6fef2d8d55709127dea56b9ccc187a0879f709669207e1014df72f92695f78dd63fcc8b02aa2cd44865def8ab213b7035e5ed50e7cb5908892f28b088972b

Download Submit
memory/2196-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x0000000001310000-0x000000000131A000-memory.dmp

Filesize
40KB

Download
memory/2196-7-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2196-24-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2524-23-0x0000000001150000-0x000000000115A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing