8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f

General

Target

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe
Size

12KB
MD5

a935ad05746b25a6bea9be4bc7e981f3
SHA1

ca41c1f91d4af77347d7516cd2a20775e82f0eec
SHA256

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f
SHA512

981b3278cc1fa648ff9c19a88a60660d1190dfb18a6dbaa01dff93595f46aec415b71e7e905e2c7017d26c059759e3a2a7e9a3546fceef3ab1931eedd7ecfbbd
SSDEEP

384:+L7li/2zEq2DcEQvdhcJKLTp/NK9xaHJ:o4M/Q9cHJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp985A.tmp.exe

pid process

2568 tmp985A.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp985A.tmp.exe

pid process

2568 tmp985A.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

pid process

1440 8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

description pid process

Token: SeDebugPrivilege 1440 8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

pid	process
2568	tmp985A.tmp.exe

pid	process
2568	tmp985A.tmp.exe

pid	process
1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

description	pid	process
Token: SeDebugPrivilege	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exevbc.exe

description	pid	process	target process
PID 1440 wrote to memory of 2352	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	vbc.exe
PID 1440 wrote to memory of 2352	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	vbc.exe
PID 1440 wrote to memory of 2352	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	vbc.exe
PID 1440 wrote to memory of 2352	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	vbc.exe
PID 2352 wrote to memory of 2628	2352	vbc.exe	cvtres.exe
PID 2352 wrote to memory of 2628	2352	vbc.exe	cvtres.exe
PID 2352 wrote to memory of 2628	2352	vbc.exe	cvtres.exe
PID 2352 wrote to memory of 2628	2352	vbc.exe	cvtres.exe
PID 1440 wrote to memory of 2568	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	tmp985A.tmp.exe
PID 1440 wrote to memory of 2568	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	tmp985A.tmp.exe
PID 1440 wrote to memory of 2568	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	tmp985A.tmp.exe
PID 1440 wrote to memory of 2568	1440	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	tmp985A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe
"C:\Users\Admin\AppData\Local\Temp\8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ctznmppf\ctznmppf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20B36DDFF6654F969988A1BCECCACD4A.TMP"
3⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\tmp985A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp985A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2568

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
e358cce51112cded9ca862519874ac9f

SHA1
9bf3b210e5e9a866e3088a6d0b0854a231d40a98

SHA256
cc7223df1cf61d990cf269f0ff602ff54cfdee72c49ebe1a4482e04a782becf4

SHA512
dbb06aec2c25a40783f648322ab44af2c867f129d7502897d4e71aa28a3d493fe9ac27a7333d924a2e0b1776976286d80210ff2b23e4f4be739a76b082a43b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C9D.tmp
Filesize
1KB

MD5
b76041174c819c43a45e69ea4a0a853a

SHA1
8e957afdb0eca3ea8552160539beb90d9a41b88a

SHA256
5543aea196aa326240fcd03388c521178b21a12da35e71cb6482d22748921fe1

SHA512
f8a4e5f4c10f94ca130d642256f79997de85e1689043fbb726ab99060d45fe0f6b054b369a06ed0a536997a6d772a92b7c86b3cd6014995299e728f0cb0f763c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctznmppf\ctznmppf.0.vb
Filesize
2KB

MD5
05df6affd6480dd16113624408509d97

SHA1
36b3b67782376b702b78fbddb805b8e9874bfded

SHA256
c975f7febd0840868da219f5965aa72753725aa389e7d27636fdb7f4556e92e0

SHA512
9a6b66672ba04dc295ae5cf01579c7715500c36208d4f466efc89cc1f6a721b7dbed9e2f497510781695206d6d8b8e48d21722d656100acd7fcd49ac0c193fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctznmppf\ctznmppf.cmdline
Filesize
273B

MD5
a84c8e20fe58e859d021135ff1cdee2e

SHA1
06e08c7a019cfe6b96a34f525a02bef687ba4690

SHA256
adc82f7366473576e113dd3c9f5f37da1e5581fac1a7a1e6c27b7f087e79a7e2

SHA512
0bd7e37f539a07c3202ed83c5363c62ada01a8c3b5c4bd25da471c3f22482351e0f524b29420f0aa4bc1795325b9044e3110fed7a81589ad96cd7057b267c995

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp985A.tmp.exe
Filesize
12KB

MD5
31f7bded6863d2f5f5c0bc560879864d

SHA1
99e6e39a0ab1be4b8e6fbe22338f0f71b33d1a91

SHA256
1415d7116e82c853ce0269a5868fe118b198f3d6c44f885f81948d65636b436e

SHA512
9d04b46e706e02a977f5e8715dfd8d033c7ffb1fbbe548bce9aa753c4943cca16dca23ba7deaac9896db437742241edd6138d3c2217c9f605282c3679826f477

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc20B36DDFF6654F969988A1BCECCACD4A.TMP
Filesize
1KB

MD5
ad1957edc9e22ec6e2730face80ec3ef

SHA1
f4804b8fe07ead4f78f554c893f5ac4b14a77ed0

SHA256
d672accc67d57b815d070def7a8ee048055b79beaf5d9dd43024ba60f3ac4653

SHA512
c8ff38927d627f7f45ac57fd32ef336d5a254744cae50c1f65371a8eac75174cd9725f7a890b6dc504a192868ebc35bccb319a584ad41fe67996029ffb0edf47

Download Submit
memory/1440-6-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/1440-1-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/1440-0-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/1440-24-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-23-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing