82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606

General

Target

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe
Size

12KB
MD5

97c2f337efefa97a8cc9be6905cc0d64
SHA1

bc9bd8206209c63dfbcdfab3e833463e81fd78ae
SHA256

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606
SHA512

6687aca0ca95953340076b2b55e82c6ddad460cf950a63784ecd979ed72afe0f644538523916d69ee39ce2a9b878a559ba534da21ed4bcc474b23cb98f017979
SSDEEP

384:1L7li/2zCq2DcEQvdhcJKLTp/NK9xarU:VSM/Q9crU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp124A.tmp.exe

pid process

2588 tmp124A.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp124A.tmp.exe

pid process

2588 tmp124A.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

pid process

1396 82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

description pid process

Token: SeDebugPrivilege 1396 82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

pid	process
2588	tmp124A.tmp.exe

pid	process
2588	tmp124A.tmp.exe

pid	process
1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

description	pid	process
Token: SeDebugPrivilege	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exevbc.exe

description	pid	process	target process
PID 1396 wrote to memory of 2976	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	vbc.exe
PID 1396 wrote to memory of 2976	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	vbc.exe
PID 1396 wrote to memory of 2976	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	vbc.exe
PID 1396 wrote to memory of 2976	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	vbc.exe
PID 2976 wrote to memory of 2644	2976	vbc.exe	cvtres.exe
PID 2976 wrote to memory of 2644	2976	vbc.exe	cvtres.exe
PID 2976 wrote to memory of 2644	2976	vbc.exe	cvtres.exe
PID 2976 wrote to memory of 2644	2976	vbc.exe	cvtres.exe
PID 1396 wrote to memory of 2588	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	tmp124A.tmp.exe
PID 1396 wrote to memory of 2588	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	tmp124A.tmp.exe
PID 1396 wrote to memory of 2588	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	tmp124A.tmp.exe
PID 1396 wrote to memory of 2588	1396	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	tmp124A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe
"C:\Users\Admin\AppData\Local\Temp\82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h20hmpv3\h20hmpv3.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1371.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10D1870CF33E448EA74911368A97D59.TMP"
3⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\tmp124A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp124A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
291ce671e59dd15cd582a80bf5f766c0

SHA1
90a82ccfed533d1fdbc118e9706bb8eac1c5cdd8

SHA256
a9226b442476c16fb6224c02d6e88578f4f415db61355381fcc12c702217e253

SHA512
c2c55b7501910dbf2af09a0e7e4349b40728709151c5e645b158e1d7ec9f29251cabd9ff71c62a6b79c8690c7bb73e2cb086d6f896f21a67a62bce293a590997

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1371.tmp

Filesize
1KB

MD5
c62b268d1afe8a0bc08eb830f6a411a4

SHA1
3b1c004f6a1ff2c4330238c8b903d05f6c1de427

SHA256
c7211009dc4036f592a5d0ffeac4570fcdf7b5f6f17c4c5f655ab6f7735469de

SHA512
c48dde9f4a627eda93333ebb39d3426b572dc18ac9840622efbdeff71e6dc8bdb206960b31ea2f65b19fb0bbc54a2721366ef35538a42c4fc3f12cb8218e0520

Download Submit
C:\Users\Admin\AppData\Local\Temp\h20hmpv3\h20hmpv3.0.vb

Filesize
2KB

MD5
c8dbd612fdbaf98e936d6940e4fb9d08

SHA1
187b6e0f04ce21596e707486b204ac489e26e785

SHA256
9a3b20fdedf220e1a40fe1fffb3ab1b37e1f19bd4b4fc08c363f86f7e328db04

SHA512
c5489088f399b2eba801c4efe85b4961dccf4b48fda22ea83a9edd80c6977f6e7899fa613a05d84f0b49b2ddfcbf1bc4244d1ebe0b0d1f3db69f782add606cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h20hmpv3\h20hmpv3.cmdline

Filesize
273B

MD5
ea6a255b10cdc620724e4e1f17fefd14

SHA1
99795e8e81a5bce8d5e53ac810b611f0ed72ee06

SHA256
5ccb4e37cc1a8fa89757fa8924e952c912d7de864a609e994860be48ddcac733

SHA512
66d9a6cded5672bb2164784f39fdf57c6af5d5d9ea245360e65a8c50eb1dc58c19fbdd70008543cb0db0aa1893fa5f8903fdcb67685a37f7d43226046c7af23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp124A.tmp.exe

Filesize
12KB

MD5
dec7e0c4ea2ba4a0aa86f540f35510d6

SHA1
14284a7deb86e544a552055760a67d68e3d507d0

SHA256
831f811eae439f1f21370dec3a338fcd7ff9dee44f10b7cea899fcc2048a9121

SHA512
db3e2414835acf26991cd4ed0b39c4fc0c36fa167756f2e276e219737a9ebe42efff858a4c8bc649e9f17e813b3f6654241489dc9e4484f8cdb6e2fa01b2c1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc10D1870CF33E448EA74911368A97D59.TMP

Filesize
1KB

MD5
aaffeb1afd87fcb2e5e50a3b2d8ec7a0

SHA1
3aa7bfdae80de18877a2002d8e16974dd34a3c5d

SHA256
3b1046fd64a6e1feacb32cebec52d40f16a95f7b4121f842766a228f467f268e

SHA512
d30395d516d2b29777a5ff4773eb67fbb826dbfd677e3fef36283f131b9cf0afafeaa0402c6809a202eb7e5891ea80d529b1f700c10ec4026452e98b2b27a9c1

Download Submit
memory/1396-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

Filesize
4KB

Download
memory/1396-1-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/1396-7-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1396-24-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-23-0x0000000001350000-0x000000000135A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing