33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2

General

Target

33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe
Size

12KB
MD5

d589a8178b6b17128dd8eee5e8fd2a67
SHA1

01a3e9d01bac74e8c91e28f272fe1e1f2e0b540e
SHA256

33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2
SHA512

5dd7b3385538348fc1e058d5c54d5581680cda96a79763b6549f239eec01472f67f4db0e851703dcaf8c56f0633a5d93124d9a758c8a547130e7f131b70a497b
SSDEEP

384:KL7li/2zYq2DcEQvdhcJKLTp/NK9xaKQ:UEM/Q9cKQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

tmp25CA.tmp.exe

pid process

2720 tmp25CA.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp25CA.tmp.exe

pid process

2720 tmp25CA.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe

pid process

2228 33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe

description pid process

Token: SeDebugPrivilege 2228 33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe

pid	process
2720	tmp25CA.tmp.exe

pid	process
2720	tmp25CA.tmp.exe

pid	process
2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe

description	pid	process
Token: SeDebugPrivilege	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exevbc.exe

description	pid	process	target process
PID 2228 wrote to memory of 2900	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe	vbc.exe
PID 2228 wrote to memory of 2900	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe	vbc.exe
PID 2228 wrote to memory of 2900	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe	vbc.exe
PID 2228 wrote to memory of 2900	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe	vbc.exe
PID 2900 wrote to memory of 2660	2900	vbc.exe	cvtres.exe
PID 2900 wrote to memory of 2660	2900	vbc.exe	cvtres.exe
PID 2900 wrote to memory of 2660	2900	vbc.exe	cvtres.exe
PID 2900 wrote to memory of 2660	2900	vbc.exe	cvtres.exe
PID 2228 wrote to memory of 2720	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe	tmp25CA.tmp.exe
PID 2228 wrote to memory of 2720	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe	tmp25CA.tmp.exe
PID 2228 wrote to memory of 2720	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe	tmp25CA.tmp.exe
PID 2228 wrote to memory of 2720	2228	33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe	tmp25CA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe
"C:\Users\Admin\AppData\Local\Temp\33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\egsmnw1p\egsmnw1p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D1B366589C64919877C2B80FF7068F0.TMP"
    3⤵
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\tmp25CA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp25CA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33cfec5a2b915bccc18218b0d050254b289430f21357b397ab4c6224d19aa0e2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
81b5ad21ad2f65849d669e20a8cba674

SHA1
f484b060a53c9648affcbb335017622788ff4658

SHA256
bc41b57e722500c85cc77c45b61fddd2d8d85995142dce4c77b9db691a4d9010

SHA512
ad84da235fb4c175212007b2edf697bca50b684f3e50fb552ab0c7e3687fb8d3d13d6838a6e821e48f2fe26eb732282e8626eecd42e3aad6d2cd4d825e4912ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES27AC.tmp

Filesize
1KB

MD5
f2f07c2ebe65d7d27461b7be51e58f57

SHA1
e90bd90364846373f260163283e8ce2dc7a828ef

SHA256
66962a459a9caa66b12369fcce09d55c57ffac4a68d096d96c9bd4462673dde0

SHA512
dd46e7303a123385e1052c37ea3932f78cd81dea30bc67ffda5f190c2c4a294a52570a83033dc81e8716ecac35c879507f096316e9a1ef235ec9f9d2305677d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\egsmnw1p\egsmnw1p.0.vb

Filesize
2KB

MD5
6252f0e4921e8db9b34eede2a158345d

SHA1
c6a6b8b82d5c1569bbbd2cc1fc075ac4fa013627

SHA256
e93d0e467b11d238458372b1c284e08c5f2864866732f9af1c341502b76b4847

SHA512
45aba360d97d15cadf9203bf59ee2da8614fef255efa9d721780c2dd5c7ad8f5c9d2ed3849d3c0cf51635b097cf91e32aaebb434ff5124c0c9549ac407a21b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\egsmnw1p\egsmnw1p.cmdline

Filesize
273B

MD5
744cab0b50ce58aea50973165a45a436

SHA1
03653005f2dade9b2115007b7008275cd64f049b

SHA256
5020a915ceb3d8ac5af53d7d59e088e5b904a9c53a6d58834c703a4c0011350d

SHA512
22ec8ad1e55a14107deab2f65b6c70a21263f2c33e4ca5f77a86abe757639f21e04f5bf3d6381e9d281788b40b24bebce5257037336eb2ebe16fedc12586838b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25CA.tmp.exe

Filesize
12KB

MD5
e7aad02dc635969db69508d619060f90

SHA1
47989a390b925c6df4b0ac0ef877e7cb67934801

SHA256
60b9a5af5b1e4d50dd0d6300afb3d983c0988383f50cddc11e761b61a16b02a3

SHA512
ce2f01afa31f169ad27f612af624ef5ccc3577ce49aeb2a042d211d0947206fec2c7966209a8b8e17d8d70d2a5779fc695b6f91e3be7d642319afa3e6828e077

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D1B366589C64919877C2B80FF7068F0.TMP

Filesize
1KB

MD5
ea1631a61dc71e8bc93db927f69ed32f

SHA1
66a43c26ab0c03cc8fb1d3da6eff59a6b221535c

SHA256
5c083d9366d2f1db7b736bc0ffea7a5a33b5f688c3d51a3f18af4f2baebbfeec

SHA512
9eeb76a9b3a3b279638632a8decc26fb05f8f99284749e75e26564905c61cb6d7a055f5fbbe26b22df0c0e560d41a595e403a3776edbeb493200caf746fe2fb6

Download Submit
memory/2228-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/2228-7-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-24-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-23-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing