5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8

General

Target

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe
Size

12KB
MD5

50f163f704c404eb0b78557faa9853d7
SHA1

8e5ba381b671052fef2bc83e8cd57417e0905655
SHA256

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8
SHA512

1e7f7ea054e0539564cb29ab4fe68a2a56905f61275aa46b9bacd08f271548b88a1996495418e3d18e403b8ba90a0bedcbaba78ec9b3d6a62ef737e946e481ce
SSDEEP

384:AL7li/2zuq2DcEQvdhcJKLTp/NK9xaNeh:eWM/Q9cNeh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp8B6F.tmp.exe

pid process

1132 tmp8B6F.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp8B6F.tmp.exe

pid process

1132 tmp8B6F.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

pid process

1500 5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

description pid process

Token: SeDebugPrivilege 1500 5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

pid	process
1132	tmp8B6F.tmp.exe

pid	process
1132	tmp8B6F.tmp.exe

pid	process
1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

description	pid	process
Token: SeDebugPrivilege	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exevbc.exe

description	pid	process	target process
PID 1500 wrote to memory of 1396	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	vbc.exe
PID 1500 wrote to memory of 1396	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	vbc.exe
PID 1500 wrote to memory of 1396	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	vbc.exe
PID 1500 wrote to memory of 1396	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	vbc.exe
PID 1396 wrote to memory of 2660	1396	vbc.exe	cvtres.exe
PID 1396 wrote to memory of 2660	1396	vbc.exe	cvtres.exe
PID 1396 wrote to memory of 2660	1396	vbc.exe	cvtres.exe
PID 1396 wrote to memory of 2660	1396	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 1132	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	tmp8B6F.tmp.exe
PID 1500 wrote to memory of 1132	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	tmp8B6F.tmp.exe
PID 1500 wrote to memory of 1132	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	tmp8B6F.tmp.exe
PID 1500 wrote to memory of 1132	1500	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	tmp8B6F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe
"C:\Users\Admin\AppData\Local\Temp\5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvibg5f0\pvibg5f0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES901F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1934DD31B6D64170A3DE57B4F34A36A6.TMP"
3⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\tmp8B6F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8B6F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1132

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
e4ca94cac2ac82bb1d4838d81949ed7d

SHA1
a1ab0b2e864948a6c5f7ced778994c20a451b5bd

SHA256
187c3da57885ba972bb6ce615045e9877b71ba401764ea1ef3a64a79d9ad661f

SHA512
3c12c66491f50b2a67429e31118a107d12ced9755056af4fe02de250fdbb4f60ed7a9b5950f1615fb00afda5dac138ae326845570d4767396757942642423f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES901F.tmp
Filesize
1KB

MD5
c187e308bfc9ae3741402d62c4bc06c1

SHA1
2ec61f93df13894146d895920f460ae3af211b7b

SHA256
481e189c710bf6877c8bf78bdc69d991079fed3082cd315019cf4be0bc66b6b7

SHA512
732b7d1a011ad1d3baed360e753ba58fe71948719c83061048f1adec817368d9ba614bcea125d2f8b33a9a8da9881957a8576e96c6f83db4d2077c36bfa79243

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvibg5f0\pvibg5f0.0.vb
Filesize
2KB

MD5
7ab119867f6ab2b66a14adc47ba0e3a7

SHA1
c1dc93d6cd94a0c163a1a95d89240a61ea5153ac

SHA256
9f4345f6b5061210a784a238a70a997d37a999df063be0dbdf2dd3fa16b3609d

SHA512
571dab1b75e7e2058f97afb071a9935eecf1882447b258ff17638df997db5b975d8448909933b073d88105468ee77e32d3e4091e8ef88b43b6c4cee9b72e3822

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvibg5f0\pvibg5f0.cmdline
Filesize
273B

MD5
c1579e035c893f4c5240f2f3540a8c2f

SHA1
5281d655096fd2496119eaa6c1d0d5f6632e348c

SHA256
5b65c670f1a8c5f7b948c70e89945523b05e4c7f486e3c9f6c580e4b51cb0061

SHA512
43b256da31ef1132d261b54dca962a28b95afd342daec13a2458fae00f9b1f767dd0f85f216bf50898eb0a1b95f047fa29a274a8a672f6adc3a0f789f680d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B6F.tmp.exe
Filesize
12KB

MD5
7f52a10450626ec73f35134f229d1bd8

SHA1
f6b174f1a434abfb043194cdc72c644f42d5bfc1

SHA256
a20a70735e0686ab6c8fcf419d0cc021c0601c76bc456212d8c779f47d49b5c9

SHA512
2b718a3b1bfadd3d3225713a471000865d097872a85e7671312603250443bcb2c032d65ebc9a1c4b0df96e2266c8504fb4ae61669e6094be67c2586038ae3026

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1934DD31B6D64170A3DE57B4F34A36A6.TMP
Filesize
1KB

MD5
579ef4fc3c3392b5f438db8082cff6b3

SHA1
c85022d8fdf4216d92afd136f8a288d3ae3cb480

SHA256
3a96c980e15bf029bff6087da3dc2b9dd0fa96e3636514d96b861ff5fb712cb7

SHA512
df968ebabad58f26ff66e8cfb157f44e6c759777e43b15665dae2212031398bb3f857ef8d829790b901db2a879d8239db7a7af9b9428cb18a828577c1a75f9d6

Download Submit
memory/1132-23-0x00000000011D0000-0x00000000011DA000-memory.dmp

Filesize
40KB

Download
memory/1500-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/1500-1-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/1500-7-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-24-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing