87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11

General

Target

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe
Size

12KB
MD5

4079e086d7d00f7514942ec9b0f9e6aa
SHA1

f2941f8dfd886bd98cb64b7a6fbd9c9b9fd87dbd
SHA256

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11
SHA512

68fd6e11e70f45e5bad4eee89ec870b2a2c7be15cee8dd87910d13d86c898378c911dcfafcaa3db9c634fe555f9d7e354e2edb443c2dd82a27774fcc2b7e16c4
SSDEEP

384:CL7li/2zEq2DcEQvdhcJKLTp/NK9xarF:coM/Q9crF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2608.tmp.exe

pid process

2988 tmp2608.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2608.tmp.exe

pid process

2988 tmp2608.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

pid process

2020 87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

description pid process

Token: SeDebugPrivilege 2020 87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

pid	process
2988	tmp2608.tmp.exe

pid	process
2988	tmp2608.tmp.exe

pid	process
2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

description	pid	process
Token: SeDebugPrivilege	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exevbc.exe

description	pid	process	target process
PID 2020 wrote to memory of 1980	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	vbc.exe
PID 2020 wrote to memory of 1980	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	vbc.exe
PID 2020 wrote to memory of 1980	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	vbc.exe
PID 2020 wrote to memory of 1980	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	vbc.exe
PID 1980 wrote to memory of 2664	1980	vbc.exe	cvtres.exe
PID 1980 wrote to memory of 2664	1980	vbc.exe	cvtres.exe
PID 1980 wrote to memory of 2664	1980	vbc.exe	cvtres.exe
PID 1980 wrote to memory of 2664	1980	vbc.exe	cvtres.exe
PID 2020 wrote to memory of 2988	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	tmp2608.tmp.exe
PID 2020 wrote to memory of 2988	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	tmp2608.tmp.exe
PID 2020 wrote to memory of 2988	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	tmp2608.tmp.exe
PID 2020 wrote to memory of 2988	2020	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	tmp2608.tmp.exe

C:\Users\Admin\AppData\Local\Temp\87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe
"C:\Users\Admin\AppData\Local\Temp\87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r4t1lrrr\r4t1lrrr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2710.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABA6E78FBDE14F5989888CAEAB2383.TMP"
3⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\tmp2608.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2988

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
159c107fd08487bb3d3b18121ceab8c4

SHA1
bacf0634e95321c489fa9c04884f1a90696e07af

SHA256
5cfc2000d96e96a249f212e9b03c7d813906f983f3572879626f9faa684e1687

SHA512
b953a17ab8b5640bbbd1900083ac1a897f09d6522bff0952b4d55d5e9e8c1309d57dfe1093bd647630905d645dd2a246ff3444a40cccaa1fbc2ab324f843161d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2710.tmp
Filesize
1KB

MD5
20d9937ac662acea0bd7aad5cc7cb37e

SHA1
029ee87f7e564a25b801228d09f0338a2bbee25f

SHA256
6376add1310d9a4da12731e60cb1fedd23a007666eabf3699e40487846b0dc57

SHA512
e5b0d1aa3aca5fc6117dfd2336913980e4bde22de845f81eb2e03bbb286808f68892337417643fd9cb06fdd035add19bf42ffc1dafcf1f9976f4f836e0f15462

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4t1lrrr\r4t1lrrr.0.vb
Filesize
2KB

MD5
21303903aa90e227af6bbdae014152b5

SHA1
9dfab9828827d9370b8c65641e9b1b5b77a2e4c1

SHA256
9fd46c542828c6dccd0aec7bbccc4601515d7ba61a3974d91cd0570fc30e1d29

SHA512
fd8ad92637aaeee6233a023f1bb162455f984cd52d36f97e34eddfcb5ed3ab5abb45c2feceddc91638e63e408b1e88bf4987f4aaa4997f50df3e27d3a841d0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4t1lrrr\r4t1lrrr.cmdline
Filesize
273B

MD5
bcbe2e6582f35d77681fa426746f1aab

SHA1
41381582c2c14ee9969538106fad16aff4d1dc08

SHA256
69b8eefcde014c16d41af84aefb6a7958b6dfd104e0c076adedd8dff78ec012f

SHA512
eb946469a791394c3d270b7bb8dac5066ded476cea8db080527940a881b38e1605feb9e8e4fbfd96e01fa7b4e0ed50726452e6a987256bf3ea58f3b638c428a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2608.tmp.exe
Filesize
12KB

MD5
2d41269fccac71b3a3c50ee004c70486

SHA1
70d802dfcf251d6f848b59404924e24043d37fe7

SHA256
812b73e41889a5f7bc5451e1418a7bc9b39cad62d9c45dc899286585edb97087

SHA512
6c0d675d577d90d3bc6653ced0d18155cf0bd7b36323a98dbe6ac56768674f79d1b93a715a62d0369dd31dc27a50ee9baefbdd2142826299bb4b895ff0dc5a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcABA6E78FBDE14F5989888CAEAB2383.TMP
Filesize
1KB

MD5
8f75f53ae7cee525e47f8fbe720bc97e

SHA1
41a64fc810d56d8eb2932b8b2575d3867880de0c

SHA256
bd79309a90be6ecd13074973363683ce6878f23ec3f694fdb659b092474258f2

SHA512
b5bf0f54326c71dacf497723ab5e3ce674e61b9a70ab46779f99de327e5399101c8da970a5a2c9d6843f74573c7708d9b1364cb8c7cb6de53194a075c2e9ee9c

Download Submit
memory/2020-0-0x000000007406E000-0x000000007406F000-memory.dmp

Filesize
4KB

Download
memory/2020-1-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

Filesize
40KB

Download
memory/2020-7-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-24-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-23-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing