5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5

General

Target

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe
Size

12KB
MD5

244c4da31c3f6f37d13d393570c84890
SHA1

b9ca92a613daa7f4aa4a6b2a9acf3e8b538c0759
SHA256

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5
SHA512

925f5ca9b76885669513e2e1bbd11c8a8c045ac259ddcac8d061dd18712f8273f8f357ad48a26976a155b012e11cfbefd17c028ee2530824cb4bcc943f3880f7
SSDEEP

384:GL7li/2zHq2DcEBvdScJKLTp/NK9xapE:gLDIQ9cpE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp16FB.tmp.exe

pid process

2716 tmp16FB.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp16FB.tmp.exe

pid process

2716 tmp16FB.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

pid process

1716 5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

description pid process

Token: SeDebugPrivilege 1716 5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

pid	process
2716	tmp16FB.tmp.exe

pid	process
2716	tmp16FB.tmp.exe

pid	process
1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

description	pid	process
Token: SeDebugPrivilege	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exevbc.exe

description	pid	process	target process
PID 1716 wrote to memory of 1272	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	vbc.exe
PID 1716 wrote to memory of 1272	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	vbc.exe
PID 1716 wrote to memory of 1272	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	vbc.exe
PID 1716 wrote to memory of 1272	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	vbc.exe
PID 1272 wrote to memory of 2976	1272	vbc.exe	cvtres.exe
PID 1272 wrote to memory of 2976	1272	vbc.exe	cvtres.exe
PID 1272 wrote to memory of 2976	1272	vbc.exe	cvtres.exe
PID 1272 wrote to memory of 2976	1272	vbc.exe	cvtres.exe
PID 1716 wrote to memory of 2716	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	tmp16FB.tmp.exe
PID 1716 wrote to memory of 2716	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	tmp16FB.tmp.exe
PID 1716 wrote to memory of 2716	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	tmp16FB.tmp.exe
PID 1716 wrote to memory of 2716	1716	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	tmp16FB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe
"C:\Users\Admin\AppData\Local\Temp\5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x0vh0uns\x0vh0uns.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1822.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37B0A6CEE43E48578E549C701DF5E66.TMP"
3⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\tmp16FB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp16FB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2716

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
a96472fd6a51215f9d4384d1e54c34c7

SHA1
71391b76ba6beb193ffcf740a753d35730b7c398

SHA256
23fb880e38ffcc43cdc554661dc7f30a0564768611fd113a7ca64c81139825ce

SHA512
c4c17f06a81fb688a8e2a7818df7940aad28b41de70819ff9f69532fe5e2af00ac8c8c85cb81a628c7cd4ce65a7b2109e32cf0c04b9d71dbf4e86094287dba8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1822.tmp
Filesize
1KB

MD5
a1bff1f60ce4792ca7a9955985681e78

SHA1
14ae9090cd31699b56b2240c9d956e6d0f8e77c4

SHA256
fec249ed485859568e7712647d1f9b1c4c85d6dbf7441a191ba4c91b914a5c71

SHA512
50bb0270a6692e826ef2684cc3c647c1c1c81bca2002436d3f6d7bfb54a8f0d6c596e167d283205dd947ec0b2ba15ecb120478908bdc05a395892409c68cd9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16FB.tmp.exe
Filesize
12KB

MD5
9eef9173f74f852da2de14934db9342f

SHA1
7a8e156a3d98e3f98a57417e03afe4fbd64ce4b2

SHA256
349314f6c2912cfb1d8f9111a23e869581c8ea50b31efbc5a5b59c2fcf047fd3

SHA512
0d1f05709edbe81c7896112d7283851131a020bfb3bfc862cb852e51dffa88662e2a4f47bbc8689e7aa0f4d45bd8498b59c6e71c46cfb3a67894f317ebc25767

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc37B0A6CEE43E48578E549C701DF5E66.TMP
Filesize
1KB

MD5
a17f9db9f9871429c296c3faa6a64dbf

SHA1
12c1778e02def064494875355a403727368049c7

SHA256
7fa085f9b66ac2f633edee8e2d7d68a1b4c71a6e09b0a40938cec1a9ad1642fb

SHA512
044d26c9664fc3e6872b22194c9cea9e6521e084c6bad0605785c6e5f3755a5f20f24205963bd9d95016c942280fcb14efde83291e7d0dc200d673f564e1d1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0vh0uns\x0vh0uns.0.vb
Filesize
2KB

MD5
7abaa5e5b33d333c3ee3decc80f6e896

SHA1
9caeb7771efd2ce44eb6fdc9f377f8a303ff8db0

SHA256
f11a7c5c233b895a0d78b7bea6089f8ad21ff6db61692475ac9724ef0ad3db5e

SHA512
37e1d42ab7dab3609df17e5f6026e76be1df335c76da644c263371201ae3a33dba46d0451d71cc1fbd292b50c427cace2517f612e94964c6bcf06c5845fcd5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0vh0uns\x0vh0uns.cmdline
Filesize
273B

MD5
245ec2207172b5d318e6b70ca54a75e5

SHA1
8ed871e1b619297443acaf294f12931dab1bea03

SHA256
5adc9d6acf1dffed127649aad1ea676a367891bf00fc4d179d0c699a5574cc3a

SHA512
5b1359b55fc000340aa617a5a1bcf3f9be7fd5e74a28ef901816e646dc1991aef6b8faf77c42588d30a8055eb30e3cc5859ca3443f5c9ca5b24fb911d935bfed

Download Submit
memory/1716-0-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/1716-1-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1716-8-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-24-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-23-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing