7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9

General

Target

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe
Size

12KB
MD5

01fdd626e033f1c89b8a7dfda074a3a0
SHA1

a62a589e7c1699b20099f3e7ed2a9084365022f7
SHA256

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9
SHA512

0c083872ead06682e972b409784d759103d5487af67ee867d8b6284743c60bd99e0c61770b79de42822c52f7781b8db38f0fed81f24b3508fca91186a0103094
SSDEEP

384:pL7li/2zDlq2DcEQvdhcJKLTp/NK9xarp:ZZM/Q9crp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp6D5.tmp.exe

pid process

1048 tmp6D5.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp6D5.tmp.exe

pid process

1048 tmp6D5.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

pid process

1976 7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

description pid process

Token: SeDebugPrivilege 1976 7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

pid	process
1048	tmp6D5.tmp.exe

pid	process
1048	tmp6D5.tmp.exe

pid	process
1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

description	pid	process
Token: SeDebugPrivilege	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exevbc.exe

description	pid	process	target process
PID 1976 wrote to memory of 2508	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	vbc.exe
PID 1976 wrote to memory of 2508	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	vbc.exe
PID 1976 wrote to memory of 2508	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	vbc.exe
PID 1976 wrote to memory of 2508	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	vbc.exe
PID 2508 wrote to memory of 2672	2508	vbc.exe	cvtres.exe
PID 2508 wrote to memory of 2672	2508	vbc.exe	cvtres.exe
PID 2508 wrote to memory of 2672	2508	vbc.exe	cvtres.exe
PID 2508 wrote to memory of 2672	2508	vbc.exe	cvtres.exe
PID 1976 wrote to memory of 1048	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	tmp6D5.tmp.exe
PID 1976 wrote to memory of 1048	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	tmp6D5.tmp.exe
PID 1976 wrote to memory of 1048	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	tmp6D5.tmp.exe
PID 1976 wrote to memory of 1048	1976	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	tmp6D5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe
"C:\Users\Admin\AppData\Local\Temp\7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x1gomhpu\x1gomhpu.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDC7FD4367741F3BD222BC768ABA888.TMP"
3⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\tmp6D5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6D5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1048

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
f81ed3e0ed502cfc78137ab0d44c89c1

SHA1
a4b1b9210c891e5f2d89f72f82af63f52cef2784

SHA256
08a6d7d6ab7e52d21deed273d793fface8d0a03b37e9bdb69448aca484ec4b8f

SHA512
59b499b914906c0fabe7a6f738636950c5b99b0dea605003ded7006810a8a021927e8de0385f36837f97dd742538c7bdb4a1f898c9d066633183cc225aba7861

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FC.tmp
Filesize
1KB

MD5
a10fa81db236bd81dcd61fdb202b8d53

SHA1
8b8ce88948e26298b492044d05374bec76833be3

SHA256
93c55292613a78545dc47703b633c39e2066490d062f49e738172d6391c0145e

SHA512
6a1e6e0af4a90cc6ab4a3895a10af40374af2fbad20b42f9a25fab0fad20ca06e017cc62ab8fe3fb49cfaa6d7594255754f36f485af8f7cc17d7cce9b77b8e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D5.tmp.exe
Filesize
12KB

MD5
79ca8f0a2db3864409823a683102666a

SHA1
0c3007051dc87e6f756ab0bf7764f7910e19e9a9

SHA256
7b5e7e61cee7e61dd6384cbaa50cd93269328b7d0f3a7591e9cd0757bbf6e819

SHA512
de8563bf146c2ec0b7df71c603e6e9892679f78756331cdede0b3bc89bc03cb7126f1b4a9b5a89fc867d5436039fd033190bfd7d6208f66f82719cb6c56e3092

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEDC7FD4367741F3BD222BC768ABA888.TMP
Filesize
1KB

MD5
dd47c1cc6ab36fc06c5c00fade8667cd

SHA1
c9bcbb81437dd2cc41ec45efcfcb1893a768dc8a

SHA256
e7887101071583990fac8b20e3b47114cd6491cfbbe1b73163805431e56f40cc

SHA512
6722d191f896b57d4bc2dba6680873c9bb945c4ede1bdfd00b646a4ebb2a02671c72e521a56df1f82b617ae81aff49675a19d15a9d297f1489cce30bcc77a25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1gomhpu\x1gomhpu.0.vb
Filesize
2KB

MD5
410d5bbf609e6b119aa3ddbad522622d

SHA1
db23fa6809785ddd17bb2dd38c80a37fb502dc6b

SHA256
b746ae0400fa07563e4587cc11751dcc2cf15bb4748bf2e89fd94e0e602186c7

SHA512
9f0e422bfa6dd82942663f30fd97e200530f56c72b43eec0f48d20ad2832cf36a2f8cc3c228f312f78c03cbb4b01317fce938737ba40212735630f2173fc04cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1gomhpu\x1gomhpu.cmdline
Filesize
272B

MD5
b0b3e8b5cc4d1732d796bf60f7edba92

SHA1
ef844b649e397140fe94e944c2d823f6c1efba07

SHA256
95e3467ecbe1286ed894a53258690e8ee3dca0d8be5d90771f2a52e3e4f682fe

SHA512
922d2e34140932f848434d3532fe910a52e60d0bcefc6eb9612a4240ed5c811d4776b5e71088324e5f382078608cf554848cac3e3b1dd2e564080e4d9613529a

Download Submit
memory/1048-23-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1976-0-0x000000007401E000-0x000000007401F000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/1976-7-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-24-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing