15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67

General

Target

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe
Size

12KB
MD5

27059e1cd993cb056f0855acb2f17710
SHA1

96fa4275e67a611e234cc562395e3ca3e2345f6b
SHA256

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67
SHA512

5170524a135b3bb65bad2dc724830ededfd5cdb3200085e7560c20b7275a777abc583973820780c55b6084c317ac825a75b70ebf6e4b5f990c14e3fc66f199f6
SSDEEP

384:6L7li/2z7q2DcEQvdhcJKLTp/NK9xaQ4:kHM/Q9cQ4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp764A.tmp.exe

pid process

2628 tmp764A.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp764A.tmp.exe

pid process

2628 tmp764A.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

pid process

2068 15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

description pid process

Token: SeDebugPrivilege 2068 15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

pid	process
2628	tmp764A.tmp.exe

pid	process
2628	tmp764A.tmp.exe

pid	process
2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

description	pid	process
Token: SeDebugPrivilege	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exevbc.exe

description	pid	process	target process
PID 2068 wrote to memory of 2152	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	vbc.exe
PID 2068 wrote to memory of 2152	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	vbc.exe
PID 2068 wrote to memory of 2152	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	vbc.exe
PID 2068 wrote to memory of 2152	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	vbc.exe
PID 2152 wrote to memory of 2640	2152	vbc.exe	cvtres.exe
PID 2152 wrote to memory of 2640	2152	vbc.exe	cvtres.exe
PID 2152 wrote to memory of 2640	2152	vbc.exe	cvtres.exe
PID 2152 wrote to memory of 2640	2152	vbc.exe	cvtres.exe
PID 2068 wrote to memory of 2628	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	tmp764A.tmp.exe
PID 2068 wrote to memory of 2628	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	tmp764A.tmp.exe
PID 2068 wrote to memory of 2628	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	tmp764A.tmp.exe
PID 2068 wrote to memory of 2628	2068	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	tmp764A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe
"C:\Users\Admin\AppData\Local\Temp\15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vitph5es\vitph5es.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7983.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5FBB7CE27684AFC872598DCD6CAF37.TMP"
3⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\tmp764A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp764A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1f125993fb67919f05d4abd9dcf8be89

SHA1
bd28f6f6b955cdc4e843fc1e881bf2c75816d86f

SHA256
343b7f74cfc37afc70781597367db41cba78a2de5c5d179b708ce55e4af028fa

SHA512
449214cd1a2cb088454819a163cb6d7cb1b638ea5d21c06a91a1f829a0ff96c95e3b492ddee9141ba13d1a285abf1186c814eeb2a4255247aef79b01d6c20f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7983.tmp

Filesize
1KB

MD5
757c965b69dd5e5013767b6395042627

SHA1
9f50181a5e7525bb2b71c0819a524f24048ebfb1

SHA256
e744a10c6a3cee12ffdecef2649560061b1e962f48476195d41db854e1ed9e63

SHA512
7d1c108e276468758087d5bdb04b6ef85668af5d347c6a4c856fc220ec02d83a10490153816cddd352371d063b5aa05461ea49b1cf03885ec94192e1a92a33fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5FBB7CE27684AFC872598DCD6CAF37.TMP

Filesize
1KB

MD5
3aa12d69afd1d25859ae52c7286007c7

SHA1
342f34dcfa7767c8a8d154cad6d70bbe785b62d2

SHA256
972a971b04550078372c45b337baee12d9cd3be6999af5ffb75a289cfef83017

SHA512
6034908eaa5254a2a3609353d79f1fa7047f79a35fe6592d155516712973cebd75817e403fe66cfdc39fdf4a91b8fba4d2189fa4b0db836ec3ca7f40c967027b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vitph5es\vitph5es.0.vb

Filesize
2KB

MD5
b082802b88970f304e87f38f37501399

SHA1
3189113011b265600c27a89c9b22568b3b5a755c

SHA256
354b2300e844035c60848bba44c4f9bcb2b069f94af5b0521c3fa22b16939251

SHA512
a325b85fe478d075625b5dd34ba6e58e89ac0bedfaade2bcf8632a3ea5b98c9834a01c6e42b4074d8821474870b6baa5d7b937edf271da938d3ed9d1a82b006b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vitph5es\vitph5es.cmdline

Filesize
273B

MD5
49a430a546ecfc22163b060d159844d3

SHA1
e6b2bec626b650033416d0b955561b78fd10485b

SHA256
cec594935d7b8b0bff3542e123ef45455ff1581bd4c310b1e36bbb3dbf380ba3

SHA512
e0c983a8706a073ee82c6e473f15de92544aef9883597f8a8b1884427da038bf20c5a6ccc7fc5ce6454ed7402535dd266b53ec68c2780c81749b1af31361a1b5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp764A.tmp.exe

Filesize
12KB

MD5
7dfc30ce21686fd4e65b9a47ffa1e776

SHA1
4c6a49dff7eca23be116057e3739f4bf3e9444cb

SHA256
c568778aabc1e03263b115ad2dd54a1bd400a9016722801b080bcc92bd625bed

SHA512
445e1c6df438814b47a1e4adee9bbf2bd972e32743aa2bd1c5ab773bdbf7f7e82da280db035149800127b51fe9755805b20718faaa5581ae912650830741fb95

Download Submit
memory/2068-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/2068-7-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2068-24-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2628-23-0x00000000010A0000-0x00000000010AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing