14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a

General

Target

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe
Size

12KB
MD5

04ecdeca7a854a055635a3cc7e0466a0
SHA1

29574fe29abfcecaa893a593f7c6854b64d24e22
SHA256

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a
SHA512

286202f5979ae2fc9a87ed64983686a008c678e4c7c951797822323e89bcc03ca31a748c04d5b4330e8dc5f2e4e23c078329704f8fbb1f609ea439d7a6ffc02d
SSDEEP

384:SL7li/2z0q2DcEQvdhcJKLTp/NK9xa0b:MQM/Q9c0b

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp252E.tmp.exe

pid process

2664 tmp252E.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp252E.tmp.exe

pid process

2664 tmp252E.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

pid process

1932 14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

description pid process

Token: SeDebugPrivilege 1932 14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

pid	process
2664	tmp252E.tmp.exe

pid	process
2664	tmp252E.tmp.exe

pid	process
1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

description	pid	process
Token: SeDebugPrivilege	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exevbc.exe

description	pid	process	target process
PID 1932 wrote to memory of 2272	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	vbc.exe
PID 1932 wrote to memory of 2272	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	vbc.exe
PID 1932 wrote to memory of 2272	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	vbc.exe
PID 1932 wrote to memory of 2272	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	vbc.exe
PID 2272 wrote to memory of 2608	2272	vbc.exe	cvtres.exe
PID 2272 wrote to memory of 2608	2272	vbc.exe	cvtres.exe
PID 2272 wrote to memory of 2608	2272	vbc.exe	cvtres.exe
PID 2272 wrote to memory of 2608	2272	vbc.exe	cvtres.exe
PID 1932 wrote to memory of 2664	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	tmp252E.tmp.exe
PID 1932 wrote to memory of 2664	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	tmp252E.tmp.exe
PID 1932 wrote to memory of 2664	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	tmp252E.tmp.exe
PID 1932 wrote to memory of 2664	1932	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	tmp252E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe
"C:\Users\Admin\AppData\Local\Temp\14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\atdwf4px\atdwf4px.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4C4DE23BC7B4DFFB7BD4E3DD480DCD7.TMP"
    3⤵
    PID:2608
- C:\Users\Admin\AppData\Local\Temp\tmp252E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp252E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5a9672964ade6afe248aa1e9cc31d0f6

SHA1
13f1762a874b311e288d2052cc17fad51c389908

SHA256
73277a4050310ca5dc35d635e3e23a478a86c8feb05c2cfa9195631f5bd013d6

SHA512
8a6da96f84be8f3418194c9fb05a65cd604ae2e5047def8859594c71b9020b2b56e3647f68894d7813b7a9f591658f6dfad0c4841fd3e9bf6312b835bd86e56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES26C2.tmp

Filesize
1KB

MD5
95522cb0a8eed0212a835a461560759f

SHA1
b657dd13645538083e5533fa0d6ca1975217b132

SHA256
2a0e2186769f653931c09ecced45d46ecf6807c16450a55673056a9aef918dd9

SHA512
ba5eea5b28153440fd67759e36c1ab3ee8597725f9dac3a76f297cffc7ff22b2e6968599ccd88306f72a5b4e234b695260decf60ec4fc6ebd69be6690df40c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\atdwf4px\atdwf4px.0.vb

Filesize
2KB

MD5
44f4e37e82306b372df790282d7c588b

SHA1
18756b087d72bc29ae9795c65ebd1d483faa7ac2

SHA256
7ded6796f11d2549c3a9c28e8d71d0afd940822028154cba91cb8e1cf9d6f158

SHA512
03a874361ead4fffde526a65a43ebdad0573a188df6e30beb04eadadefb514071340e225d2daff2f05e8d808d8ad6dd39f21b237b710cc216367bbab0c96f7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\atdwf4px\atdwf4px.cmdline

Filesize
273B

MD5
9ab5425da83ac381ff3a80d6dbdd532e

SHA1
00b26bea39dfcb2688ee04180102df509ba3e6b6

SHA256
403bb599955cb361dc4d2b7da168021349d591d2ae4d74645bb8d1968ccfe2d7

SHA512
1361ffe361957996a88e390946dba8ae439bddb5acf4773c196366044a1da3c4c6ac336a7b89d0690a51b43e9e60e8a55eaac72892189968abf107eea261434b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp252E.tmp.exe

Filesize
12KB

MD5
c57fa1cd20490dcfd8ac10f3ff8b2904

SHA1
71d102944b2fcdd15eeee8ef0a1358eaa63349c2

SHA256
d7129eb7010ba1b694caf3c51ab7fb120210c0c9a08fa2f343dc660ec7705b97

SHA512
457eaf2ff75dac090474a6ec27b948737a26c34a9d35500253f63ce1d4e2dd8aaa500ca46d20ac174193408dfc200de05204da28454cf487d4f712d6366a4207

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4C4DE23BC7B4DFFB7BD4E3DD480DCD7.TMP

Filesize
1KB

MD5
4223a689f3e0796b79322961ffbd37eb

SHA1
baa276c284920ecb2800252f823460c4458c21d1

SHA256
2643820feaa247caaa8bab1b38f78ee7cf0bb89aff865e9545b4089e5185fdbd

SHA512
1b9f9833b2e015829f0984ac477c6b4389cf9cd4b54d29d312d1589faee8ed8ce0a1da041d114f277bc6e89cf8d829cb172243676910ac14d201aa551e9ba943

Download Submit
memory/1932-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/1932-1-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/1932-7-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-23-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-24-0x00000000012A0000-0x00000000012AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing