9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241

General

Target

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe
Size

12KB
MD5

9d76d6a5d258d87f04b6db88d63c24bc
SHA1

9c84b644f75ce351860104b61551ca9223164b5b
SHA256

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241
SHA512

8b9588178bbf7c08a935eab80e924f1e82ead40c50fa3d9ec51bd0efe8c6df59083957fc12a6db116e9e583ba16c926cb18e5219a9b1e81844ad263e1eec6384
SSDEEP

384:rL7li/2z9q2DcEQvdhcJKLTp/NK9xaaP:/FM/Q9caP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp1B2F.tmp.exe

pid process

2844 tmp1B2F.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp1B2F.tmp.exe

pid process

2844 tmp1B2F.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

pid process

1920 9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

description pid process

Token: SeDebugPrivilege 1920 9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

pid	process
2844	tmp1B2F.tmp.exe

pid	process
2844	tmp1B2F.tmp.exe

pid	process
1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

description	pid	process
Token: SeDebugPrivilege	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exevbc.exe

description	pid	process	target process
PID 1920 wrote to memory of 2576	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	vbc.exe
PID 1920 wrote to memory of 2576	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	vbc.exe
PID 1920 wrote to memory of 2576	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	vbc.exe
PID 1920 wrote to memory of 2576	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	vbc.exe
PID 2576 wrote to memory of 2856	2576	vbc.exe	cvtres.exe
PID 2576 wrote to memory of 2856	2576	vbc.exe	cvtres.exe
PID 2576 wrote to memory of 2856	2576	vbc.exe	cvtres.exe
PID 2576 wrote to memory of 2856	2576	vbc.exe	cvtres.exe
PID 1920 wrote to memory of 2844	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	tmp1B2F.tmp.exe
PID 1920 wrote to memory of 2844	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	tmp1B2F.tmp.exe
PID 1920 wrote to memory of 2844	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	tmp1B2F.tmp.exe
PID 1920 wrote to memory of 2844	1920	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	tmp1B2F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe
"C:\Users\Admin\AppData\Local\Temp\9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gvinb3ko\gvinb3ko.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64086E0172A849FB9FCFF3D99E31426D.TMP"
3⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\tmp1B2F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1B2F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2844

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
09cbbe46f817ba331122172d69525a8f

SHA1
b0d2b3283915c865233c793c5db76dc13e7a00da

SHA256
bf09afc1059ae3dc8dc763ded1e92fc6795d0a272c2a6e047e797dafb40e72fd

SHA512
c20378c44bc6b7e7bd4af93df8af2b86956591c9733ca9ad1a2579fb735e269958b04a1c6857906c14232d81313c3b08935b5749c642ebab62bc4dddf5130f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1CC4.tmp
Filesize
1KB

MD5
03426e26f841c7a6d7924faad2e9c9bb

SHA1
6c2e209803aa2a164d91f0a67e95a53976ab2c26

SHA256
beb23b5922f41d0e9b1d8917e565dca70c1d36d84a5988e2bdba78c6f9b945ca

SHA512
e7aef4185beea12dee99615101714532ac83042d6dc237f5f53deadbdd46a0dd4b7b1fb2ade8365017bbd9d89a3be2cc15414c33aaf3d966aaf0c5d36a4d4d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvinb3ko\gvinb3ko.0.vb
Filesize
2KB

MD5
7214ca73f0c733f3d62abf4361e6071b

SHA1
e92e02da2d94b56d15c8da875f334096555e6151

SHA256
24fac5dca4895024386117331907cb15d8e98b853df1ba53d447c4d77992a3a5

SHA512
4cf0e7714b24e1c5efef07bfd6f16c9c52efb75f7e70b9864ff890a1d90a49e70fe755f521793e3b0681ca722696767e3d0900efab8bd1d73ceee736b8008d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvinb3ko\gvinb3ko.cmdline
Filesize
273B

MD5
a3568f2924f77fc87008398f065bf360

SHA1
8d05327c4a99eef37459e1c93aa4af54559e772b

SHA256
3927866f6a92d5481dc486a2a35bdc219f7d01c9eab6ed55e6779a69b2cfd823

SHA512
4057cb914fd266fa46f91ed9c5be469eb98858c9709fcb875d8f35bb515b69eb2efb3d65eb1d394b92a68ff2b239e9d53888c078eb15ff0d4f5fead4ff95bcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B2F.tmp.exe
Filesize
12KB

MD5
da42e31bf5097990fdb38d8ceab88c3a

SHA1
1edc1e8024dd30d44dcd629f59a446ddb3c55d76

SHA256
630b387ffe1fae50003e135452a93c4fb361f2db4c8b07ed7c9bfd0d78fbad16

SHA512
b4ae2881c7d7297bacaa660a83c5086d13500ce7e09409acbd6f51966688ff6245956e8cd3aeb0bbcda2b812594476d4d43e260834cd4e353e96e9f1c96136aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64086E0172A849FB9FCFF3D99E31426D.TMP
Filesize
1KB

MD5
c30d4385484003f83e56fdd8bb4a3dce

SHA1
606377530027c34afb8db5a714c60592c247f1bc

SHA256
9663642897fdc97b385a9a58a9961ea09c51078317a59c7a1724480a9ce5b709

SHA512
e87772e5e9807b72e6547c53d7843f6b86fd91e9f3f2e4aba64e66ba86e3acf6fa62a515f7a6a42164f986892136e8f03f82c74b90ded78c148021cb48dd10be

Download Submit
memory/1920-0-0x00000000742FE000-0x00000000742FF000-memory.dmp

Filesize
4KB

Download
memory/1920-1-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/1920-7-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/1920-23-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-24-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing