7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857

General

Target

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe
Size

12KB
MD5

2b887821f2ad5f68620565878f9930f3
SHA1

9b060c27b03283e44f7a41869a88b0495d83d8ae
SHA256

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857
SHA512

51e85f96d303f5a3259222ddd7d157e352adb5da91cd11b56f67096533509e4ba9e3319d90ef5f575b4ddcd9a232e9fcc73b0638f29b9352ddd410a7d69ade73
SSDEEP

384:cL7li/2zWq2DcEQvdhcJKLTp/NK9xaPv:6OM/Q9cPv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1C96.tmp.exe

pid process

2996 tmp1C96.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1C96.tmp.exe

pid process

2996 tmp1C96.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

pid process

2052 7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

description pid process

Token: SeDebugPrivilege 2052 7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

pid	process
2996	tmp1C96.tmp.exe

pid	process
2996	tmp1C96.tmp.exe

pid	process
2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

description	pid	process
Token: SeDebugPrivilege	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exevbc.exe

description	pid	process	target process
PID 2052 wrote to memory of 1676	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	vbc.exe
PID 2052 wrote to memory of 1676	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	vbc.exe
PID 2052 wrote to memory of 1676	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	vbc.exe
PID 2052 wrote to memory of 1676	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	vbc.exe
PID 1676 wrote to memory of 2952	1676	vbc.exe	cvtres.exe
PID 1676 wrote to memory of 2952	1676	vbc.exe	cvtres.exe
PID 1676 wrote to memory of 2952	1676	vbc.exe	cvtres.exe
PID 1676 wrote to memory of 2952	1676	vbc.exe	cvtres.exe
PID 2052 wrote to memory of 2996	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	tmp1C96.tmp.exe
PID 2052 wrote to memory of 2996	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	tmp1C96.tmp.exe
PID 2052 wrote to memory of 2996	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	tmp1C96.tmp.exe
PID 2052 wrote to memory of 2996	2052	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	tmp1C96.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe
"C:\Users\Admin\AppData\Local\Temp\7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzvant1s\xzvant1s.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E2B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41E647C3E1A446FABD6FB4E2C1928813.TMP"
3⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f19f5ce9c87c70da42142ed0b679042b

SHA1
e45cc034e49bad4d5ab4c224136f91bd4e7e68f9

SHA256
f52ca886b0683401e9e64c379f0a951c615ed5feedecc7f92088b7d5e08cc139

SHA512
5e87d087a4d1c8591107c58d93d47ec79d3221622ca48011204259c020f1b08d61e799014f87f7cc218d0b5fd9cb5128da93d04ddd3f3c7d04ad9c695a743a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E2B.tmp

Filesize
1KB

MD5
0ca343ba445faed9192b8d8855216d3a

SHA1
c2d7b3582d8a4648039568058db5a8d7bd32afc4

SHA256
022ac51daf7b97c5be51ce541a6574a42597dedb640c229c390a95b4cfc3c23a

SHA512
6800c22499b658a783389897d925ba3efcd2ac796fad6bbdf669bbf9e1181d31218163c3da5c2b0daba6ee1aa90c33094a1d2b243248131d05e5af8cd19d7d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe

Filesize
12KB

MD5
4e5409d980222dd9641c551d97e9afd5

SHA1
c75606a596b3168e1adb3ae0ae2448b30a22650e

SHA256
5980721e2e4c7b8ddd64f191c2fa0b1b6e59e2d8d397760f6a468dfdb95915f5

SHA512
787c60148f17629c85b378521cc8d212a4f3b3402b0c0e476a866870d5d1f1c018d43ac3835c57274758549d2f474c32059d1185b84cb6b5becf961272652ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc41E647C3E1A446FABD6FB4E2C1928813.TMP

Filesize
1KB

MD5
5bab6947c0a5d44162ca46938193b5ec

SHA1
af6bdd486a14cf45d72266378cbd28d0a2487ff1

SHA256
07c18bbf7c5683f88d6ad03f6f4fbe534614aef51ece97fa6f052eec09f87bfa

SHA512
db61a26f2e7fd15ca58ca2f67b9414742203ea0203b20dce7d5086d642e3177911da5c9c9fe15a4e89f86d5ac18ff2760e201415fb5c9bc0ace01fbb20b1d6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzvant1s\xzvant1s.0.vb

Filesize
2KB

MD5
14cf0578bdd5ab16e00aa9431b9c6145

SHA1
aaf1a6a727cbece21ea6c278a76c06d9ec74a769

SHA256
2fa3f44b89dfa38717126180b73ae6a75cfd001b21dfb4b4e68caa0a366823ba

SHA512
6e639029e304ca696c5c168b8c770b1b2477b0b36f40925c01b8c2e91f6ccbd22ae0c412364f46a2c41b6f5cd9cf559732a695f188a1dfb3a6b358946dc4cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzvant1s\xzvant1s.cmdline

Filesize
273B

MD5
0b85f318fa03458965b77703bdaac906

SHA1
423c408e2444aebe67f63b9b6a492854ba55ed61

SHA256
ea06706da3d003375e1d51cf9e8fc127a9571ce6f280548412b11a9e3638f8cc

SHA512
3be912ff91edd5c492d45840713c69cfc6133f03d687f1009fe4e45dc63a3bbefeabbe2bd023b7e7e2ccfca47e59f04737468b31febf49ef897edfc1cad0c6e8

Download Submit
memory/2052-0-0x000000007459E000-0x000000007459F000-memory.dmp

Filesize
4KB

Download
memory/2052-1-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2052-7-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-23-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-24-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing