22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb

General

Target

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe
Size

12KB
MD5

2f773450a270914637e077e3abf22eb9
SHA1

50e57b7c113604c9ee2ee2b3bd945985998f33f6
SHA256

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb
SHA512

bd35c184d8656c99737344732fa3ab11d4e0caf5c05f1ece2e6eedf2553e79b37f2ac54552546dc03ce27d72363b083d6319ec623928c1d7d1dd67c7be157181
SSDEEP

384:0L7li/2zpq2DcEQvdhcJKLTp/NK9xa8A:ihM/Q9c8A

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp23C7.tmp.exe

pid process

2672 tmp23C7.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp23C7.tmp.exe

pid process

2672 tmp23C7.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

pid process

1896 22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

description pid process

Token: SeDebugPrivilege 1896 22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

pid	process
2672	tmp23C7.tmp.exe

pid	process
2672	tmp23C7.tmp.exe

pid	process
1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

description	pid	process
Token: SeDebugPrivilege	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exevbc.exe

description	pid	process	target process
PID 1896 wrote to memory of 3052	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	vbc.exe
PID 1896 wrote to memory of 3052	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	vbc.exe
PID 1896 wrote to memory of 3052	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	vbc.exe
PID 1896 wrote to memory of 3052	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	vbc.exe
PID 3052 wrote to memory of 2740	3052	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 2740	3052	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 2740	3052	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 2740	3052	vbc.exe	cvtres.exe
PID 1896 wrote to memory of 2672	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	tmp23C7.tmp.exe
PID 1896 wrote to memory of 2672	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	tmp23C7.tmp.exe
PID 1896 wrote to memory of 2672	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	tmp23C7.tmp.exe
PID 1896 wrote to memory of 2672	1896	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	tmp23C7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe
"C:\Users\Admin\AppData\Local\Temp\22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xuz2kcwn\xuz2kcwn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES255C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0DDE3B4769947D386CDAD62CC3351C7.TMP"
3⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\tmp23C7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp23C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2672

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
65509caaf3d9fa808c3ef2097a02c733

SHA1
6b7b3f5600f9665bca400f15353235c2d78be3b2

SHA256
b36669675116427b0cf6b1399fedb5452820d3fa9c7680cce8db3a1fa5c59bcc

SHA512
1e72c1e79db480e981672b6f13ba1dc5e735e64af4f205ac92b514d2dccd0e2eeb0fe73b10c6b0580021c4c6821ff8c426c75aee635ee1ed35bff6f8aa3dcba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES255C.tmp
Filesize
1KB

MD5
28eb10ed32a13d78ffc48b0ce44e32d0

SHA1
4b71b0a3847031b59c4ad57c510fb35e53fb6f9a

SHA256
c17133bd1b0bd6211606ada8b417edb64fd4c5c159f9c19b8089e2e057f0c332

SHA512
4e892b90ae254747d3c313cf3f8d697e4b270eded0355e3caf5175467b5e386176a7bcc50d8f683b273e3426c008fee8cb1087efad1cc34be1ef78cb329a3eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23C7.tmp.exe
Filesize
12KB

MD5
9a33b150125014dd9c412e1f599609ba

SHA1
be55a8c704523193dd67df8184e808a79a3f28c1

SHA256
aa0e5741c0ca345618182ded39495f9ef883d6bb48d2c6cac826a08ff6445e5d

SHA512
f88da32a751561c7a14c29c2957efea938d0d6f3c3d20371cf8a3491c3fdf80eeffd278be010e88193c5be86677e957f01b5c3af359f40e9e7a4be69535647f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA0DDE3B4769947D386CDAD62CC3351C7.TMP
Filesize
1KB

MD5
86f17bf53268dff068820347f535db31

SHA1
b935bc95cf305e20ff000caa67bdef54b418a53d

SHA256
faf706f82832024c2b006cc823e775d2f2bfe03e08c008821e04a848aa9d6533

SHA512
6e4c765dfd6b1913586c8de59b90cf5173b70d6c00309ec930e5a7d463df3f7b304d2c8c70f486b07c5c61ea794d4e1bb5bfbbfc63045b72d94972bcfbd05178

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuz2kcwn\xuz2kcwn.0.vb
Filesize
2KB

MD5
eae44bb33f7e40c4863a2a0e58a8f2be

SHA1
d4af4c3458b89c073dc810ea527c00c9b1e9c990

SHA256
24a42d448c9b2f83f5838f3fa7ff3e3e2a7b91ce6dbd55a651e5f9bed9003182

SHA512
7a7c7baaabae2bff989c7918c6476d03e40a4d5b785a228d30be06e74762435a8de18569609b46bd26be1877dad58eeabdd3b3c02a7fca981e40d9f403ba73a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuz2kcwn\xuz2kcwn.cmdline
Filesize
273B

MD5
c5c165793df7022ab6009c6a3528bc42

SHA1
e89b3f69e6130002f1fcca713d76821d4c36cf01

SHA256
12218b832d7d222ef59e175584fd933926ca343c60cad0773d030cbd64b74677

SHA512
3e3f584dc3145a7b9b5546d58ad014e4b3ac776b94f18a7c8883a8e8b4895eed1e5dfc439a145033e1d53c925960783e5b89f85f1939b76978c7fb0a7badb197

Download Submit
memory/1896-0-0x00000000740DE000-0x00000000740DF000-memory.dmp

Filesize
4KB

Download
memory/1896-1-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/1896-7-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1896-24-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-23-0x00000000010A0000-0x00000000010AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing