ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9

General

Target

ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe
Size

12KB
MD5

58eec028c16c94111b4c77885a41a12c
SHA1

a1824748cc91053a835e6b2187c4c0f386eae583
SHA256

ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9
SHA512

dc1e60c9e48fd020732a911787cd5352381a85f91f53b329c12206f2bf8b1a04fbef3a25341c62e211feac6546bac41e32cdd5313d7cd05b6bed727408c99a6a
SSDEEP

384:oL7li/2zRq2DcEQvdQcJKLTp/NK9xajL:WxMCQ9cjL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	tmp1881.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	tmp1881.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2520	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	28
PID 1876 wrote to memory of 2520	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	28
PID 1876 wrote to memory of 2520	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	28
PID 1876 wrote to memory of 2520	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	28
PID 2520 wrote to memory of 2772	2520	vbc.exe	30
PID 2520 wrote to memory of 2772	2520	vbc.exe	30
PID 2520 wrote to memory of 2772	2520	vbc.exe	30
PID 2520 wrote to memory of 2772	2520	vbc.exe	30
PID 1876 wrote to memory of 2692	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	31
PID 1876 wrote to memory of 2692	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	31
PID 1876 wrote to memory of 2692	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	31
PID 1876 wrote to memory of 2692	1876	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	31

C:\Users\Admin\AppData\Local\Temp\ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe
"C:\Users\Admin\AppData\Local\Temp\ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alqchmrb\alqchmrb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1989.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AFEB37F2D2E449FA85EB940EC58CB9A.TMP"
    3⤵
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\tmp1881.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1881.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0da6623e576193254e58434a9edd0c6e

SHA1
b5dbdde35bb55f3eaaa16b23f9674e8119772212

SHA256
ee3e0e4c400bc1c6a4d5aae76e6d44b7b5ede8751d9a5d6203d3580bf3c374e3

SHA512
7cf4c77bb35583ca52c33a528a2e04da2956832577436bb99fb676f81dbc3e8bcd2dcdce2ee1874c569d407b82ec6a72f1e5b6c5ad17b4c37a50433726f9b778

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1989.tmp

Filesize
1KB

MD5
66ff6475277b17276004efb56f3b8b16

SHA1
d4f9564832f61e3c7fc3e75356af06ec22c7e3fa

SHA256
52cc81192d48d60aef4d73f097f549490f5113fab9d21c8f82ab1540828280e5

SHA512
5f591f1cfecfc1c0ab9575e68ec39449966f79ced8ce9825c332609c66471da77b3a8adb8f41a54de656787fbf741de3609897b0c4458f61dcf22b10d826c792

Download Submit
C:\Users\Admin\AppData\Local\Temp\alqchmrb\alqchmrb.0.vb

Filesize
2KB

MD5
feea7bf0777d825ff6f463417ffe3118

SHA1
13b416c2bcaf75f47a53bdd01ef2b5bed716536c

SHA256
349ed88a0cfdd7c5274f43c931c87c5cf6ed9fc9c032d660435155361ffebd5e

SHA512
420f2676b52c2a331ebc9f2fc3a761a0429f421970646e8c968cc9b94fc1558d4bf614f42278a317826fdc78b51647ce3b430e135879b5ee2da471831d46d5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\alqchmrb\alqchmrb.cmdline

Filesize
273B

MD5
7ea4be18ff186639e5304395e046fedf

SHA1
75087f6a7fa090002467efa78a855e3996f3c11f

SHA256
d914af6a620031dea656f5260297a44a89545712f9ecae423372fa402ff5db88

SHA512
92158be7880fef431e9464a650a4d22361cca8abe7143fb76979b3c533d00a1552662354c6060fee97bb4658b7f1f2b94559979c25f3a5cd243ce0887e677f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1881.tmp.exe

Filesize
12KB

MD5
548ae8d7e6a45d911e67c6968ecda642

SHA1
cd819a3485eb593782623a62e56c63ed8ae7a1e3

SHA256
788bd148b3a2b06225bb632b076a8080ebc44dcb072f0e63f9cbe71308c9c20e

SHA512
398220be423ec3650c5220acb8ea6076ac77b6aa86d4636d56851403bee68b34271aa16d883cf5e2172c0374ab2446005ba78cfb00f3c42440d2431beea26e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4AFEB37F2D2E449FA85EB940EC58CB9A.TMP

Filesize
1KB

MD5
544bc27ccc74c04fc739699e3b64b8ae

SHA1
029cd9741d5ebfd707f29ccf0904ce3d8409f3d9

SHA256
8fd4015568eebb08b12ad0b154d044cd5bc13c17eb48a6a9dc229b8b643560a2

SHA512
8d496fb9c8563d00a6f61ee04f999c418ffc17f52ddc934460c3e199a075944129b264a8cb4768dbff9ffcbab9859bf8b0b6333209093392f0f429803d271c5a

Download Submit
memory/1876-0-0x000000007459E000-0x000000007459F000-memory.dmp

Filesize
4KB

Download
memory/1876-1-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/1876-7-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-24-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-23-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing