8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af

General

Target

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe
Size

12KB
MD5

c517370ce66c2d93a01f0d2a72fabdda
SHA1

02f8c4bd2e0864c9b109eff569fe31fd313f27db
SHA256

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af
SHA512

1ff4dfea15080f9843a8f35b51ff6a40f23f1802569e982f3d15f71d13cf74685a7ba7fd3e6101657582ed07a607a833e100f7df584279b6250308e011f7eb00
SSDEEP

384:BL7li/2z5q2DcEQvdhcJKLTp/NK9xaxm:hJM/Q9cxm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1C48.tmp.exe

pid process

2744 tmp1C48.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1C48.tmp.exe

pid process

2744 tmp1C48.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

pid process

2888 8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

description pid process

Token: SeDebugPrivilege 2888 8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

pid	process
2744	tmp1C48.tmp.exe

pid	process
2744	tmp1C48.tmp.exe

pid	process
2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

description	pid	process
Token: SeDebugPrivilege	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exevbc.exe

description	pid	process	target process
PID 2888 wrote to memory of 2392	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	vbc.exe
PID 2888 wrote to memory of 2392	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	vbc.exe
PID 2888 wrote to memory of 2392	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	vbc.exe
PID 2888 wrote to memory of 2392	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	vbc.exe
PID 2392 wrote to memory of 2632	2392	vbc.exe	cvtres.exe
PID 2392 wrote to memory of 2632	2392	vbc.exe	cvtres.exe
PID 2392 wrote to memory of 2632	2392	vbc.exe	cvtres.exe
PID 2392 wrote to memory of 2632	2392	vbc.exe	cvtres.exe
PID 2888 wrote to memory of 2744	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	tmp1C48.tmp.exe
PID 2888 wrote to memory of 2744	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	tmp1C48.tmp.exe
PID 2888 wrote to memory of 2744	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	tmp1C48.tmp.exe
PID 2888 wrote to memory of 2744	2888	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	tmp1C48.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe
"C:\Users\Admin\AppData\Local\Temp\8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gbgbesjg\gbgbesjg.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD506A9AC777D455584C6019A0F0CFCD.TMP"
3⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
bf65574a91f6177bd9e525ef69664b34

SHA1
4dc69bc1dec5b6f70b3b0e3103a56a77a033ac27

SHA256
5b30d2fdae02c5f0e7218b9dfff0e87cd8cc4d14bb4017b1e7e1815500d0d49b

SHA512
c55c32d606adb6fb1871cf540808524dfd109eeac87b651f1afce37fd446ec574502ab2c940a82bf62a65bbfe1388a6ea68b10f82c05445b9419367accf21329

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DDD.tmp

Filesize
1KB

MD5
96f5f989834fdc7f489c2dd897f7f155

SHA1
8b126f29340c116b9cfcab54c639439b75d858dc

SHA256
3d7ff04dfeff36e220803f39bdb76e1c4fb8c4c22b1a1a228d3d9f35914eb097

SHA512
f84fa5b7ec66f788293cb5b7a58992bd3ebd6a151386af00d1c5b5e87594041ef2acf18cb817ea633765a44eb00c4c63a577751cb92e58cd6c8767865af56b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbgbesjg\gbgbesjg.0.vb

Filesize
2KB

MD5
ce9c2303a46a8c9cf309ec1c66a120d1

SHA1
4a759f2e9afc1efdd612b408eb23d18028fbd53a

SHA256
919daf2cd48fbf849cbc15f12d94bd985fac4aa55703e43a2b625dfbab62dd5f

SHA512
bce2ca6205573996df0972c9d3780976e4caaf20972ec3eda7fe32969f53fc4744cd0aa16341d7cfd537daaedfba6916ac387c21f7844ba2fa3fbf75c9d64f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbgbesjg\gbgbesjg.cmdline

Filesize
273B

MD5
0a0e63c77e0ad58cf1ad7a8c3b4c4d56

SHA1
f3fb198d2943c44f4a8d42def5130a95368f4d22

SHA256
0f3e3d05d2c5d32773f51b1aa2b4bf31ecafba9140b373262ac7b4c985df92ad

SHA512
1d1404e0ec49f571eecb44fc710c0b532706a072af9a103e9a954ff9980f7f4aeeae1d1a9acc93d25e16f6a6cb67928862df3d12184372940b6aedb3d28a5c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe

Filesize
12KB

MD5
453290d89a011f553c4d5c4bb5388e06

SHA1
fe67ceddcb8583904f1bdd026328a018217e259c

SHA256
5e00782de639b2744b49ec9befa0de208a0f2f9d32553d247bc20403449592d2

SHA512
ec7e065d56dc513e45180e6f34f1217f0ccba66f90d34c5288f7c3be7fa2bf595e2814877dc6852ec5e5713d0bd0054342b381d311b46f422c07a51ee496698c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD506A9AC777D455584C6019A0F0CFCD.TMP

Filesize
1KB

MD5
4cfadaece817be7c0aeefc0838945933

SHA1
da13ae7eb3708bb67b6b5929f677a6fdfa3556b8

SHA256
cccbaaf9b86b67450f421418621afe4acb8e10a26f42c73fb418bd0419926da0

SHA512
884e412d8d2d9a6811706abfd84a9e6c01e4e15abb0fc9c4ef4a35564c85cbf24db647bd91e630504a93cb45735adeb83ce83423f879f0ef427fa092668d6408

Download Submit
memory/2744-23-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/2888-0-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2888-7-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-24-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing