51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf

General

Target

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe
Size

12KB
MD5

235bad5785640a23173b6424bcc1a650
SHA1

4ebb71a2e03f2d44acefacf1e922ec21825f1859
SHA256

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf
SHA512

e9e6ef1677168c959af162c554e93f546e646f6a88e2e6e0bb55fa9bb471ca07a7ba6fed48d0bb0d94d68edfc6f1075bbb38ede943f78613ea0bee44ef6d869c
SSDEEP

384:aL7li/2zoq2DcEQvdhcJKLTp/NK9xa8e:EMM/Q9c8e

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp3A43.tmp.exe

pid process

2732 tmp3A43.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp3A43.tmp.exe

pid process

2732 tmp3A43.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

pid process

1688 51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

description pid process

Token: SeDebugPrivilege 1688 51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

pid	process
2732	tmp3A43.tmp.exe

pid	process
2732	tmp3A43.tmp.exe

pid	process
1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

description	pid	process
Token: SeDebugPrivilege	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exevbc.exe

description	pid	process	target process
PID 1688 wrote to memory of 1728	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	vbc.exe
PID 1688 wrote to memory of 1728	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	vbc.exe
PID 1688 wrote to memory of 1728	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	vbc.exe
PID 1688 wrote to memory of 1728	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	vbc.exe
PID 1728 wrote to memory of 3044	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 3044	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 3044	1728	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 3044	1728	vbc.exe	cvtres.exe
PID 1688 wrote to memory of 2732	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	tmp3A43.tmp.exe
PID 1688 wrote to memory of 2732	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	tmp3A43.tmp.exe
PID 1688 wrote to memory of 2732	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	tmp3A43.tmp.exe
PID 1688 wrote to memory of 2732	1688	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	tmp3A43.tmp.exe

C:\Users\Admin\AppData\Local\Temp\51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe
"C:\Users\Admin\AppData\Local\Temp\51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fha2qyxy\fha2qyxy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC684A5BDDC84584857C1BD063E138C7.TMP"
3⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\tmp3A43.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3A43.tmp.exe" C:\Users\Admin\AppData\Local\Temp\51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1175978d3091e9bee5db76440b9bdaa4

SHA1
a6198a5d9d75b7e8ba076d97d5b88f59356cdcb6

SHA256
e523f5fa0a51cd9a6b171ce0f9628359431c8bafb36ee8dd840907a5a613ab33

SHA512
a2937b4a42ad7df2b83ddad1c3817432ac23214594ec1d08e2e3d1718f29c78ecd29c01bc072ec999b0d444bc0e2e029ff36ad70304c413a036d02169e23801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3BF7.tmp

Filesize
1KB

MD5
6e1d490c856f1f88e5d785917f4d5c06

SHA1
bc428d68610a54067849f85dbe35c4f507b63998

SHA256
9f1cba88632eefd0ea961ad9d922454a04f7ec947519a6b59302e141001de4aa

SHA512
2eef532318e89c58db0bfcdad0d47dec36c52ec5a92a000848d9a30b6a71ad484b8d05707fee44bd409cdff6385cd6e96338515d4729750fa796a34963ee2939

Download Submit
C:\Users\Admin\AppData\Local\Temp\fha2qyxy\fha2qyxy.0.vb

Filesize
2KB

MD5
76dd5118cae0ee6772bce2852ee9a49a

SHA1
3067f5badbf12320a3d6def782680f0eba5bbe0a

SHA256
0c071bef990d32964d3f8560bc83593c76697aebd0bae2ffadbd7135808cb973

SHA512
7e4d5c4b17033712685c79e432780d1841e91fc44c011755a57d2ec8c4d9317c46b749b3a38d6dd4cadcea99d74f2f2d4a9ea8e8638e441961866f1c75696540

Download Submit
C:\Users\Admin\AppData\Local\Temp\fha2qyxy\fha2qyxy.cmdline

Filesize
273B

MD5
23fc95efdc7834854a49ffaa5edd9b09

SHA1
7b5844e2dd089ce50c4374064a976463d6e1b33c

SHA256
e6b95a2ebb77aae77d31a1d4199c30024b29216bfd19c8337375e0bcad93523e

SHA512
2693c964986e3e6712a56257d1ee88ad1f32ca0d109d57b0ab4c9f99c21e292b4c9e4d0ed86a2ff97ab67e48065fbbccff2e24ea574ea9bab15b86792bb5fa5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A43.tmp.exe

Filesize
12KB

MD5
6b44e472e22e03d3d2d2947ad3c74455

SHA1
6008f19095044e6f73a9b9554545ee074f4142e8

SHA256
79c781657f0613d8cbfc9ed6dcf3ae248ec1a43c7e9f1c4f240e71907f84c8b4

SHA512
d6a16bd673d5317faa88ca974fbb91bb7fb026ed8d78df62f88d50e7e15f05561441621446652d4838b3a880296f42afbdb0f3d887888b67c67025e75df2d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC684A5BDDC84584857C1BD063E138C7.TMP

Filesize
1KB

MD5
c84b987a607ea36d68a35fcfd47a2730

SHA1
9bbb28c5a7757ba7ccfba2377821d7fcb465c3c9

SHA256
a53da1e6238f22b92e8fdc3f8be16e01af4cd03e69ef2678961fcc6fbbf3ca3a

SHA512
ce806d8be4ae6ee04c54151f963e3d553af92c1b260825c667b94f347e07e0567d4eb7a5f360bce581d0f73a7db84d4d3b51054cabafc968588c65e927d0e071

Download Submit
memory/1688-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/1688-7-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-24-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-23-0x00000000013D0000-0x00000000013DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing