881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83

General

Target

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe
Size

12KB
MD5

70b79c42ae595fe214e60a96c7881ca0
SHA1

5f336d3147256b633c1b9c09c3132f3ea199c967
SHA256

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83
SHA512

2ffe1e2c166c1c963e8133778e98f213aefc06ee6b61a3a0a332ea3301d1e3a3fe8324bb81531ae482a29d1d07167fbb86b24e8e4e939643cbdd98a4f150c54b
SSDEEP

384:jL7li/2zWq2DcEQvdhcJKLTp/NK9xazx:nOM/Q9czx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1C19.tmp.exe

pid process

2536 tmp1C19.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1C19.tmp.exe

pid process

2536 tmp1C19.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

pid process

1728 881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

description pid process

Token: SeDebugPrivilege 1728 881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

pid	process
2536	tmp1C19.tmp.exe

pid	process
2536	tmp1C19.tmp.exe

pid	process
1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

description	pid	process
Token: SeDebugPrivilege	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exevbc.exe

description	pid	process	target process
PID 1728 wrote to memory of 2688	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	vbc.exe
PID 1728 wrote to memory of 2688	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	vbc.exe
PID 1728 wrote to memory of 2688	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	vbc.exe
PID 1728 wrote to memory of 2688	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	vbc.exe
PID 2688 wrote to memory of 2588	2688	vbc.exe	cvtres.exe
PID 2688 wrote to memory of 2588	2688	vbc.exe	cvtres.exe
PID 2688 wrote to memory of 2588	2688	vbc.exe	cvtres.exe
PID 2688 wrote to memory of 2588	2688	vbc.exe	cvtres.exe
PID 1728 wrote to memory of 2536	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	tmp1C19.tmp.exe
PID 1728 wrote to memory of 2536	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	tmp1C19.tmp.exe
PID 1728 wrote to memory of 2536	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	tmp1C19.tmp.exe
PID 1728 wrote to memory of 2536	1728	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	tmp1C19.tmp.exe

C:\Users\Admin\AppData\Local\Temp\881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe
"C:\Users\Admin\AppData\Local\Temp\881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yg3g5f02\yg3g5f02.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EB6EEE0F2045D99D2A324A3910D216.TMP"
3⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe" C:\Users\Admin\AppData\Local\Temp\881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2536

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
555bfb36afca171f92bc0e490458ffde

SHA1
027768fa73618f032cc8d82e17b565ad8277ddba

SHA256
be8d4404a08d1f2a813a5bd2e8d628c33bb92152319df350928cc0ffa914e065

SHA512
c9ab2ee1a7f56825fd819bb0f60ecbc24f3bae6db6001d2373f23a2aa7d0d3d12af0e1d634358e99571b5fc11d197f397f266d4bd77f7e6d1357740d066d030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1CE3.tmp
Filesize
1KB

MD5
3007f27ffd331d20601a72beda08672c

SHA1
24049eabd6e792c11f04394efa4b6f9df341e790

SHA256
4eba133fa3b5c95fa59d2831ac55aeac3c045a21a90d6f78f9d9f7fa2d85eb0a

SHA512
9e670a3d7b7adf242f812329ae1b603a29cf2e70aedbf865986951f7f40dbff5d54fedc5ee859e27d17916d7142fb80059b519609fbecab2ea53b01415277b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
Filesize
12KB

MD5
8fc7de7ad795cd580ae6e0b21f780d96

SHA1
69407e87723256ebc19fc2c9a9387f789813e380

SHA256
8a023f1b44a0c50cabc02a3b72d19bffb80eccbc63a42454fd564817b947c18a

SHA512
d117729e9b21acd5996cd661fe98741545c007919c16eca50638d3d189f133fb67678dc396e44941cfc5f4f508c2189015a76c6a3dd5acc60a7fa920dd9a7f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4EB6EEE0F2045D99D2A324A3910D216.TMP
Filesize
1KB

MD5
dbf7768d95281981e2d3f079567b70e5

SHA1
e5913767e56d1bc47b66f08bf5428712c8021a6b

SHA256
cf1edeeaac7e57324122ef6632f842a29164d34ace4a018379107c2ad5ba764a

SHA512
65b2ccc4de8f8b33b7906879296821f94501bac7b4c9d61f611399c2cf61e4772e5568e4c73f56e6d113a8cebc67f615463f5aabefa0c7135c5db8f19358d526

Download Submit
C:\Users\Admin\AppData\Local\Temp\yg3g5f02\yg3g5f02.0.vb
Filesize
2KB

MD5
553cc9eeeb30b4c07a55307cf44aa08b

SHA1
43bf2f1976f0d56eca917e6ab0c1e214ec3d9d90

SHA256
11b0a5cbfd37c66afbd9648aca5d98dbf89f09bcbc449b8c1977f8e0eb615270

SHA512
32b461a40235291d7e8daecc26574984ea7bae5abf79c7ddfa3bbb3ca88b2d3f12bfbd0628b53c89cd8bd460a71f01be0fbc000c3c361b5631c47fbb8bd63229

Download Submit
C:\Users\Admin\AppData\Local\Temp\yg3g5f02\yg3g5f02.cmdline
Filesize
273B

MD5
e2f3ceb3f8afa0a9a1b488ecf7afe233

SHA1
08f948a299cdd5d2d7793ade6ae88d0c5332f4a3

SHA256
372dbba738fd4067c1b6a77d98a834733e9d791498148cdb6f2aeee8fbe5f4fe

SHA512
1063f790911ef388435516601c228d963c8adb15d2b249700c37e48a4bce298c256a297163649386c0b189981590e61d02bc1b3fb87c8f98a29deead1c49099c

Download Submit
memory/1728-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/1728-24-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-7-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-23-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing