b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053

General

Target

b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe
Size

12KB
MD5

bb0646e925db1748156fad8f7b03084b
SHA1

df29851e36e0c8ffa3d916e2c978c83e410639dd
SHA256

b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053
SHA512

8cb22cd49523dbd01424d336b0de7b5001830e5229052bcb19ebd38796739cb54f166c6917d4ba97c949091f6a1077055c865109c89e8c3b82b195b51977109e
SSDEEP

384:JxL7li/2zWq2DcEQvdQcJKLTp/NK9xaWF:T2MCQ9cWF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	tmp1B5E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	tmp1B5E.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1208	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	28
PID 1580 wrote to memory of 1208	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	28
PID 1580 wrote to memory of 1208	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	28
PID 1580 wrote to memory of 1208	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	28
PID 1208 wrote to memory of 2700	1208	vbc.exe	30
PID 1208 wrote to memory of 2700	1208	vbc.exe	30
PID 1208 wrote to memory of 2700	1208	vbc.exe	30
PID 1208 wrote to memory of 2700	1208	vbc.exe	30
PID 1580 wrote to memory of 2588	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	31
PID 1580 wrote to memory of 2588	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	31
PID 1580 wrote to memory of 2588	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	31
PID 1580 wrote to memory of 2588	1580	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	31

C:\Users\Admin\AppData\Local\Temp\b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe
"C:\Users\Admin\AppData\Local\Temp\b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4vu4dcdd\4vu4dcdd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10BE604F6CF64203827352110EC51FE.TMP"
    3⤵
    PID:2700
- C:\Users\Admin\AppData\Local\Temp\tmp1B5E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1B5E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4vu4dcdd\4vu4dcdd.0.vb

Filesize
2KB

MD5
708632f6b9d50ae1d5d5e22dc4f79199

SHA1
394ba060b29863d126e2487515ce20ec94ea7ae8

SHA256
0b17fbe427d92bc06c88035f7e0b9eec28579fa96d83dfec74acd326cb94f1d8

SHA512
aa7fbd0ebc646ed39ad093b741869ddf4bf0569f905c9caaea1e20b7e3cd4838a3db91396ebd06a2f4c32006c258ebcb9782b18b2befd5c0ea171a6d9f26f064

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vu4dcdd\4vu4dcdd.cmdline

Filesize
273B

MD5
c2cface7b9766b0a491f0d4cd5542132

SHA1
64e15eff49c0a33a606add73571fdbee7e9ee055

SHA256
5e65f465d227ad112089442cb75f5bbb994556c8bbd887437fe659ae4161470d

SHA512
47eea2d25f315b093ee4c2877c18ab091d2f91452acdb9d9626397e6638e7d6f0062ec0cd0134116ac36823342e8198ea2c1c34846dd5707da34cd6bea0a44a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7b1818a32322e32a1966cf212aac3b43

SHA1
ff0e3fe9cbc3b6aa63e4f71eb832a12c17b129f0

SHA256
0ac3fec603a25e4209fe3bc6e7655648bcf07808272bca5a963b46c73a0584ea

SHA512
d8e5054429a34117694c4ab7e8e113cf5f4b15345425ab8962906a4366292b074ebf91e0fb3ce72e33c85ca925a49a8752ed4b3dca4820cef616b959e7480d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D12.tmp

Filesize
1KB

MD5
e36ac909b8ab58d1a965184bc513ae7d

SHA1
f9df79b26983f226a067bb6e0fdde814f91daad6

SHA256
15dd4d8d86dd41576e653862853c0a46c00ce6cb06faa6642513bb0f1228fd52

SHA512
ed60f1fc5f844dc4dec28b9e31a38a8a4329e7f235eef801bcfe258f07faddafc76c5abe4064a39bec7202e35d4a6018012513c8756f914235f162c6bdd83d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B5E.tmp.exe

Filesize
12KB

MD5
9b0666c6c5c03a181252ead26c7cef92

SHA1
29a5e3710b9b796a2fe30d59c64ab5a2aa0b3a27

SHA256
1a0cd291e8a1fde46615a126990f27efb2c0df2253fb699ced2c0a4d18b1757e

SHA512
a2006d5fbbe2ae807a31da52a628636c53533c6350cad932158fdc2e59e570479802a83012a64cd76b80cf9c3e3477423ba5acc9cfaa57464da5fad84e6ed876

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc10BE604F6CF64203827352110EC51FE.TMP

Filesize
1KB

MD5
f11252d075c6334813ea794b6b64977f

SHA1
535696e51252e6bce41eb235f8e226b829bef567

SHA256
497509d1801b2fdf57a73f7ae2cc02f59b8168f209da1212f3f1af4426e5f388

SHA512
c8cf9329ae225d8410255ef2812e85f7a22028181d09493dc2191117b0858332e29929d15f3e8b8ba5e9691abe8a2910a4eb3dd8eb1c490af7444691fe5bfe5d

Download Submit
memory/1580-0-0x00000000742FE000-0x00000000742FF000-memory.dmp

Filesize
4KB

Download
memory/1580-1-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/1580-7-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/1580-23-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-24-0x0000000001180000-0x000000000118A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing