592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4

General

Target

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe
Size

12KB
MD5

1ffefb205add31fb90c552f0b7f83dc0
SHA1

c5c271404e33e59c6df119ac465b5e30e9df0f31
SHA256

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4
SHA512

858953fc6cba9e28e97315c1c0c0592c8f3fd8aad709b8f27345befb8ee25760223ae6765b748ce2c7eddfd5d81845e2f5ee33b151cc18f3c63007af3bbc4f98
SSDEEP

384:gL7li/2zEq2DcEQvdhcJKLTp/NK9xa1+:+oM/Q9c1+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp25E9.tmp.exe

pid process

2592 tmp25E9.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp25E9.tmp.exe

pid process

2592 tmp25E9.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

pid process

2864 592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

description pid process

Token: SeDebugPrivilege 2864 592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

pid	process
2592	tmp25E9.tmp.exe

pid	process
2592	tmp25E9.tmp.exe

pid	process
2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

description	pid	process
Token: SeDebugPrivilege	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exevbc.exe

description	pid	process	target process
PID 2864 wrote to memory of 1852	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	vbc.exe
PID 2864 wrote to memory of 1852	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	vbc.exe
PID 2864 wrote to memory of 1852	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	vbc.exe
PID 2864 wrote to memory of 1852	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	vbc.exe
PID 1852 wrote to memory of 2640	1852	vbc.exe	cvtres.exe
PID 1852 wrote to memory of 2640	1852	vbc.exe	cvtres.exe
PID 1852 wrote to memory of 2640	1852	vbc.exe	cvtres.exe
PID 1852 wrote to memory of 2640	1852	vbc.exe	cvtres.exe
PID 2864 wrote to memory of 2592	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	tmp25E9.tmp.exe
PID 2864 wrote to memory of 2592	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	tmp25E9.tmp.exe
PID 2864 wrote to memory of 2592	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	tmp25E9.tmp.exe
PID 2864 wrote to memory of 2592	2864	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	tmp25E9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe
"C:\Users\Admin\AppData\Local\Temp\592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mhm3r0kk\mhm3r0kk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES275E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60E6CF8A71F945B8AF776150E1D6484C.TMP"
3⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\tmp25E9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp25E9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2592

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
c1c99f2c7dcaf64e5f4672bc8e5dad60

SHA1
8d70025f25292f876c53b43d62cecdc190969fe3

SHA256
b98e49ee3689f0c5cdd9172c26dfbd5a0a59622fb92bd730f4e191fcc61e3c9e

SHA512
a8a6aeead184f4fb60a6441697769d2d2391143289435f1d10e291827c7fe7da2127e0a353b29a7459e073eca8372c8a098f2f5c92766c02845576f407acbcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES275E.tmp
Filesize
1KB

MD5
940d05f819fb24dfbb81ec0fc00bdb3d

SHA1
bdfc28773cc81a2742f1a9118fd2468b415ea990

SHA256
afa7e17c240e520e00005213eaf1e7e90b3af0107ff20b9e983c22fec1f406c2

SHA512
be204f65a1127e21cdffde8d9439f9989f97004bf04ab6185ce33f637a1e6f15d7b42eeb9bef16fd2d2dc1de2cec5aeb583215eac1aa9dc0f3de6b327778f770

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhm3r0kk\mhm3r0kk.0.vb
Filesize
2KB

MD5
0e3299c72ceda95b5704d674c739ca2d

SHA1
91f1f0e903decf7c51e82263bab3b2bf74b6b4d2

SHA256
dc06d9f9de9f93d5da6fa0658be3105415c32f051b4fa99e02decd3dc1f7980d

SHA512
38271c49fc3580139af592b5e6c33df06f2dd2e0cd7759f2e225ed4ec8e5f6521932753b9e4cb25ba627d078a1f5159aaac58efad71910bbde8fd7f66f9746c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhm3r0kk\mhm3r0kk.cmdline
Filesize
273B

MD5
1d3a4f9c71a5b9679fccc6ccdec11bfe

SHA1
22fa2e09c2ac2aa2b11739ce261cdb1979c8f51e

SHA256
dc57329f3d0cc7d0f1ba07790518e38026f418e20513b913c8e3d3e3b56314e9

SHA512
70f9971aaeac8e265fa105c6c06febebe85623e88e900abe451470505241ffd49e170fa54cce830f7871697e278e4f3fce5dfbc6aab3514420f7003a9bfbb707

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60E6CF8A71F945B8AF776150E1D6484C.TMP
Filesize
1KB

MD5
f38cee38bd86d1d99c0f34f40964fd55

SHA1
936d65d69b406150e20243ddc112d2fee8c1641d

SHA256
6afbec681d76029d57db1aed2cbe09481815630fc6e3493cda2b1a72850fc16e

SHA512
56fd098ec0491d479ef1ff001483a6caf8e69c1156f9e55a1254103fa06e99a1f9534ae5e3e8607ac65a6582783be11dd0b0a38f0c7fde5cc5712e71b1510c1a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp25E9.tmp.exe
Filesize
12KB

MD5
79efcdaa4e4fc78ec126358138e737ac

SHA1
012c4f9bd3ea777a75c6b995b985cbb7a6cd2dc8

SHA256
1ea0622a1217d78b32a05af9d313c9ef2bc3fc3f270a39ca02ee93730f93b202

SHA512
bac18b8a0e35d9bf460e8cbf307331203914df8ce2ea270fbceb5d539f361446207aab4b1254c3883788d381ccd8d060742ad65ecd0a63b3eec21c7e1529af06

Download Submit
memory/2592-23-0x00000000012E0000-0x00000000012EA000-memory.dmp

Filesize
40KB

Download
memory/2864-0-0x000000007482E000-0x000000007482F000-memory.dmp

Filesize
4KB

Download
memory/2864-1-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/2864-7-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-24-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing