17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337

General

Target

17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe
Size

12KB
MD5

a436d5f2416bbb566dce80bc445b3ca8
SHA1

9bad0812eabf3cd59ba13480da40435e0a5fffb5
SHA256

17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337
SHA512

df3c3f03b5262178944cfdb6495f492a041c46782d12539d3595eb9b9a1ac1db861c077c5297433c78c48f614614c898ea67e7c0c873438b3c2c6771e91ad953
SSDEEP

384:+L7li/2z2q2DcEQvdhcJKLTp/NK9xaHw:o+M/Q9cHw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	tmp202F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	tmp202F.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2028	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	28
PID 2256 wrote to memory of 2028	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	28
PID 2256 wrote to memory of 2028	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	28
PID 2256 wrote to memory of 2028	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	28
PID 2028 wrote to memory of 2368	2028	vbc.exe	30
PID 2028 wrote to memory of 2368	2028	vbc.exe	30
PID 2028 wrote to memory of 2368	2028	vbc.exe	30
PID 2028 wrote to memory of 2368	2028	vbc.exe	30
PID 2256 wrote to memory of 2708	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	31
PID 2256 wrote to memory of 2708	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	31
PID 2256 wrote to memory of 2708	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	31
PID 2256 wrote to memory of 2708	2256	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	31

C:\Users\Admin\AppData\Local\Temp\17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe
"C:\Users\Admin\AppData\Local\Temp\17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\duv03voq\duv03voq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28306626AF543C0931D344E2544761F.TMP"
    3⤵
    PID:2368
- C:\Users\Admin\AppData\Local\Temp\tmp202F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp202F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
493f67d6275c42bab39b1c1a5a4247ef

SHA1
d3f7d1e09032f81ddfe97aeca2f482d33fe52619

SHA256
c76d66eac044b9aa50d6bc3edd6d8c3c6fe5d07cbc12a73784310fa1e8c2e48a

SHA512
9247eee8744d691ddd40735ee1a2538e5adf9f137376196ec6ddcd9b239a16e90027d0ccb99cedb59d03da4fc5b41cbe728f99e97c7cbf80e410f24c01e74bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES21C3.tmp

Filesize
1KB

MD5
ddde15b16b1f361d875652f24e7c005a

SHA1
b030843b8d0fbdafe972e0f04611267e0419ffcd

SHA256
4e28e45c4320178768019ce1140abf60c9d8d4b7443f5dd11313cee91e94e8d5

SHA512
32500e333588cd0caa1c82b5d7ae986ee05445db985296eef066a55b7f7d7b7b756b0ffb0cbe84f50bada5744d12a5bd508636046efe187ecb9332ef9bb1441d

Download Submit
C:\Users\Admin\AppData\Local\Temp\duv03voq\duv03voq.0.vb

Filesize
2KB

MD5
82a7d70fce6ce22c55c3c0c066bf7b73

SHA1
c1dff740d34c833fec97f2eaa93658ebd1b23fba

SHA256
c0c966e6066998576955ac3e7314dad17dcad63599923b2e9f1d67bdb67cb824

SHA512
f016864b906f6f093b61d4e53341ba36b43535f2802ca25e61d18a57e2f150475b66f2946ee1da829dc0b87eb42cb51454e86c8c1a31cde359cbe54647d6e975

Download Submit
C:\Users\Admin\AppData\Local\Temp\duv03voq\duv03voq.cmdline

Filesize
273B

MD5
2a2e4bb9d667066227b2368cf14ed2d8

SHA1
8d19518895f00a2f00291bdc8414217b62a9bf09

SHA256
4a2cd1cd1855278d5267035602094a6dd4ffcba6b91fbe88a2df767aabba011a

SHA512
76818b3698acf825883c85fb1c9303985c162dcc94dc5c3b7058124c579279688e967edae7f4196f0cb3bb9eb0606eead5c72d00829c3022931dfc6c0748c657

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp202F.tmp.exe

Filesize
12KB

MD5
a9cc95204311828d47176a327a754e70

SHA1
0b6f0fe885a3c1d85028e1543ead431db8684b2a

SHA256
bf006c6e55a18abc2d7e5d3e47700d94d130ceac01da91b7caa0d29a77136b32

SHA512
3babd2ff4cb57f1e98ad62430ab7de83c6a72226dac883f2344552425da014588a5b10c427495b8341e6a23151ef51bb0cee6337bfbcdc886bc45f5ee2552de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc28306626AF543C0931D344E2544761F.TMP

Filesize
1KB

MD5
d36ca5b12ff2643db9456abab5c07620

SHA1
be9cd8b3ac0880d3c82adf3613df14698ef1309a

SHA256
5156a225551f59c2eb8e6550302322987808b81bd06efe084e05351f731c9c14

SHA512
f95cb9e3de248c814b8fd3b92aba843cbbcf1f2dfdd7336f0b64da6b0f64056c90d17c29c01f35cfeb24377231ebf2e02356a543c4399b325ac3a23790ff0b7c

Download Submit
memory/2256-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2256-1-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/2256-7-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-24-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-23-0x00000000012D0000-0x00000000012DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing