492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054

General

Target

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe
Size

12KB
MD5

18be8734f158add81a1d6123270c7e10
SHA1

33e6e05ec5f55c7945b8993dcb947ad4b3a6c165
SHA256

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054
SHA512

a87de3c25201319c005c14a9328eada2640b220c8c618df3cf6e22dfcecd80b9deb240a87ed33f3e7a5ba2ab62a851003a8661187a52b931d3bc825d57f3ce47
SSDEEP

384:EL7li/2z8q2DcEQvdhcJKLTp/NK9xaet:S4M/Q9cet

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp9493.tmp.exe

pid process

2572 tmp9493.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp9493.tmp.exe

pid process

2572 tmp9493.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

pid process

2200 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

description pid process

Token: SeDebugPrivilege 2200 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

pid	process
2572	tmp9493.tmp.exe

pid	process
2572	tmp9493.tmp.exe

pid	process
2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

description	pid	process
Token: SeDebugPrivilege	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exevbc.exe

description	pid	process	target process
PID 2200 wrote to memory of 2856	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	vbc.exe
PID 2200 wrote to memory of 2856	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	vbc.exe
PID 2200 wrote to memory of 2856	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	vbc.exe
PID 2200 wrote to memory of 2856	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	vbc.exe
PID 2856 wrote to memory of 2612	2856	vbc.exe	cvtres.exe
PID 2856 wrote to memory of 2612	2856	vbc.exe	cvtres.exe
PID 2856 wrote to memory of 2612	2856	vbc.exe	cvtres.exe
PID 2856 wrote to memory of 2612	2856	vbc.exe	cvtres.exe
PID 2200 wrote to memory of 2572	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	tmp9493.tmp.exe
PID 2200 wrote to memory of 2572	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	tmp9493.tmp.exe
PID 2200 wrote to memory of 2572	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	tmp9493.tmp.exe
PID 2200 wrote to memory of 2572	2200	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	tmp9493.tmp.exe

C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe
"C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxhnoxpo\xxhnoxpo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9888.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE534499FA25744518AB08EA7691AF97D.TMP"
    3⤵
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\tmp9493.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9493.tmp.exe" C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2a091fc7e2962c4a87f5eb685f72c737

SHA1
10a4277f18b16bea1d2d24a491361bf7b3d88497

SHA256
6947509281d83fdebb77229cd46aa377fe2511d38ad7a5cf27984fae03be96a7

SHA512
aed1231acf625157fb767e968465312bd5a2f74deb983eff00411a5dce3dc9a23868cf82eea9bf2e1a73f8b79875591cf4dcb2af06f2a24ffb6f406931f26cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9888.tmp

Filesize
1KB

MD5
4e42413987cafe4b583d7f3c800b60df

SHA1
21c13b4cb6941c827ca1266867393ae71ec87f68

SHA256
e298c723b54c909074ed72d14efcab07043ef5a13816237b84c4fe23b5a40757

SHA512
cbe4cc0ea03a4e259b4baafada13650088e881e7026d3871c577814dab056083ea1ac9a5c2c86ad4296cd55d9f96fdb9eac093d006b86c8b5bfd7829df630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9493.tmp.exe

Filesize
12KB

MD5
09922c1692f542b297ecd914e1a738ae

SHA1
a0bc7d1c594fe1ddbcaf3f48f324534e53ea206f

SHA256
bda39523a6776f7ea6c55d3fa6c8efb887b16386235e71e8c7ad978c555ec030

SHA512
90508c0e1ece869defebcb326cce69801d8e56b87257caf839351af7291797db6dc854f9b1fca8f002eaeca2af9b2ac867c5e679935142c13d24f84f94b7edbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE534499FA25744518AB08EA7691AF97D.TMP

Filesize
1KB

MD5
8e81a1433812a5f36cc4fd04251bacde

SHA1
5496683f56c869f6ed8fd4252b55abad5b8badf5

SHA256
c406b50cdbd000848a6e7bac98bc442112395f529a30a817ae7b5bb4a538dd33

SHA512
cb868359ec8bd85124752e543485cfc465de7fc361b0e9312d5d29761de0ce112871fa2f3ed71b0d4882b7ab4235aef674f1bd2fc7f69a7c88e31eaca58166ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxhnoxpo\xxhnoxpo.0.vb

Filesize
2KB

MD5
f0490a7643b06b0972fe62ab4aa5eefc

SHA1
8d5f2b302143be3ee1575951eaad72e25672170d

SHA256
3a8d131ee29a30aa0ea769997f3749c660ee5e18160287253d95d508064097a6

SHA512
4ea467851f45beba49917cac1155cd606130c00c82b6222dbcd76a8fb18521007fafce0529760ec520b4bd8fdff77acb1d7dd35f692f4f2c37a41ffbd9c6f574

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxhnoxpo\xxhnoxpo.cmdline

Filesize
273B

MD5
6ca2e3a05ffde75cddf71fe9e6f6a8b1

SHA1
d0a6fe1bebefde21bb061794cab3ef451e5df681

SHA256
799901fd975128384ae66ce56731b7a537f7b55486504e6db4be86c93993b614

SHA512
cabf05c169465f11ccde0dc4eb11b06c4a09383c479fb78b56d379b5cad9c735326dd03584ac64c9c23f3fa04201ff2b8151be4a4fc9548fa372fce2e1d5071a

Download Submit
memory/2200-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/2200-6-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-24-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-23-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing