8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83

General

Target

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
Size

12KB
MD5

0933031630e50ec92eef7af126b1dd3f
SHA1

d53b767ce9430f0f061a1b943382eac82dfb9664
SHA256

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83
SHA512

c9f43e5ea9d56e4b937f51d22d89d6cc01b2d2510c326d36f2e37671173ae7e771072819ce91a1bfe7cabdad892d2973097744df64b3335e916d18708b689d3e
SSDEEP

384:dL7li/2zUq2DcEQvdhcJKLTp/NK9xaqI:NIM/Q9cqI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp2D58.tmp.exe

pid process

2644 tmp2D58.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2D58.tmp.exe

pid process

2644 tmp2D58.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

pid process

2128 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

description pid process

Token: SeDebugPrivilege 2128 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

pid	process
2644	tmp2D58.tmp.exe

pid	process
2644	tmp2D58.tmp.exe

pid	process
2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

description	pid	process
Token: SeDebugPrivilege	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exevbc.exe

description	pid	process	target process
PID 2128 wrote to memory of 2476	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	vbc.exe
PID 2128 wrote to memory of 2476	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	vbc.exe
PID 2128 wrote to memory of 2476	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	vbc.exe
PID 2128 wrote to memory of 2476	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	vbc.exe
PID 2476 wrote to memory of 2412	2476	vbc.exe	cvtres.exe
PID 2476 wrote to memory of 2412	2476	vbc.exe	cvtres.exe
PID 2476 wrote to memory of 2412	2476	vbc.exe	cvtres.exe
PID 2476 wrote to memory of 2412	2476	vbc.exe	cvtres.exe
PID 2128 wrote to memory of 2644	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	tmp2D58.tmp.exe
PID 2128 wrote to memory of 2644	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	tmp2D58.tmp.exe
PID 2128 wrote to memory of 2644	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	tmp2D58.tmp.exe
PID 2128 wrote to memory of 2644	2128	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	tmp2D58.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
"C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bdwlpskx\bdwlpskx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc867E029284FC4FC5917481A7EE3A1F0.TMP"
3⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\tmp2D58.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2D58.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2644

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
f77602eeb5dfd8d5331f89b51006957d

SHA1
1d3eeddd01c7c1acece87b7d4c2f3ae3ee15d49a

SHA256
5159b2149ef7241ac000f83f99020b1b74853f6ad93edfef4bd22341335d6f98

SHA512
99a847781f0450b99ff52492aed8c53e45248ff2b8a4a947833a12baebb1b6365506ab5afb2a133466cde7168e39cbfb196510b8b3e0670749301d686dd6b2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2EED.tmp
Filesize
1KB

MD5
641a2d629de0984b1b916e3cf2be48bf

SHA1
e15bab9154e62e08b66273818446dc2ddc59805a

SHA256
1a7b0c3a518031e8dc66efe5f7e5d48200c0fdb9e86b2d1263bbbbff3d2e3748

SHA512
e1122bfc66a3ad1f995ebc6aa38012a2debf99d89dd7331366aaae39ea723ba7d01ddf479745a30aa89a123e67ab0821e398eb6acf9a401c946c55dbea5172ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdwlpskx\bdwlpskx.0.vb
Filesize
2KB

MD5
78688011e7bc26f5b0ecf073d20301a9

SHA1
c6e054b132eb32b289cca8648d1e309ce55ebb82

SHA256
a2e10214d5f3563077f786ebd7fc986fba92129384e3635c833d8d29717aded5

SHA512
1b465f2774f386d0a0fd0477eca17748dea1ecd22185e7a1e5b59f7155e3e868d8671dfaae0bfa8aa26efa5690285c23fde44cad3d910c3558c5ba56251528c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdwlpskx\bdwlpskx.cmdline
Filesize
273B

MD5
224147f6728c671cf6929c67605ab6cf

SHA1
f763b2eb6478e2a46a5a38ab8c30b4105bc3d448

SHA256
b02fb3734f30dfb29a6f7f2ab7b5ea069f8bb6330bf7cddb160e037cffd881f7

SHA512
d5b2f71e44db406f798fb2cefac7549fe67db14b9c48603ee3ace07f8a31c28c8e403ac58ee8a2a1bfdcc5567e40ff9749ce11cfe2383be7fcaa9c78add1a7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D58.tmp.exe
Filesize
12KB

MD5
2c2baf1aa49d2c9a6f851045d40c8b63

SHA1
edc1fdbeaecf252d06d00e213a1a5854116ecccb

SHA256
142d6be64fa548060c85cd83fea4fe089aad4fdc3beeb4b67c08b90a748fcfc9

SHA512
62549b4e730f951e17b8deba725e9ce69d3ddeacae750810e994e326dd5eb5b6d7801416f71b2bd3a12456471e493b628d64d1e0a3cb69809bf29cec0aadaf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc867E029284FC4FC5917481A7EE3A1F0.TMP
Filesize
1KB

MD5
abb933a2f3f97df8cd7bfe14ca773501

SHA1
2e2bec1732e96ad8f99786939a1a7ff2ebdea8ba

SHA256
fe7e1707558a6e832f37a413ac78f64488f57466c8f77f4602d1cb26a6547024

SHA512
fbba4c7040b41c2c3026d5ce2c6402014a03a1baa1c3b9ca4fe4c464aba536d2bbe072579335b4942e9e30dbfb8dd0b305012c8c00b1c4cb630bf464ec6de280

Download Submit
memory/2128-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2128-7-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-23-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-24-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing