456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b

General

Target

456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe
Size

12KB
MD5

a28f2126263e0a3fd9a837a3f2f9da94
SHA1

e12be636deddb474ce521449fd915c58b6974586
SHA256

456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b
SHA512

a98b536a90ddc9e2dfd118b7e0a4bd8983d9fea793cd3a21472390c22e31936a0905fd10a32ea756e1a4333d4a5ce8c46a22fafa0f6395cbf04fcd75faaac03e
SSDEEP

384:CL7li/2zZq2DcEQvdhcJKLTp/NK9xaWY:cZM/Q9cWY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	tmp1C29.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	tmp1C29.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2388	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	28
PID 2208 wrote to memory of 2388	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	28
PID 2208 wrote to memory of 2388	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	28
PID 2208 wrote to memory of 2388	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	28
PID 2388 wrote to memory of 2548	2388	vbc.exe	30
PID 2388 wrote to memory of 2548	2388	vbc.exe	30
PID 2388 wrote to memory of 2548	2388	vbc.exe	30
PID 2388 wrote to memory of 2548	2388	vbc.exe	30
PID 2208 wrote to memory of 2664	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	31
PID 2208 wrote to memory of 2664	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	31
PID 2208 wrote to memory of 2664	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	31
PID 2208 wrote to memory of 2664	2208	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	31

C:\Users\Admin\AppData\Local\Temp\456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe
"C:\Users\Admin\AppData\Local\Temp\456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c11rujqo\c11rujqo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67E45BA8C9F46E1AFE94F886F415D51.TMP"
    3⤵
    PID:2548
- C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe" C:\Users\Admin\AppData\Local\Temp\456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9b8443147e8d95a0a121a01da595b279

SHA1
b403e94aa353063b69a27f5b8b0ef830ea5c1a7a

SHA256
49ea19de0bb3fef9b3266c5bc285f7256bed503b26b9aa426165a93bce43fe42

SHA512
4f9f5189f1e491621f5ae45aa693d429e833254f622d9ef9ba85b8c0bfabffc49294b09b77bd24ddbd09634c687e3dc69cd35886d9adde4d4d899849887f8bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D12.tmp

Filesize
1KB

MD5
9652a4233d88ae2f5c25d33feaee69a2

SHA1
b97211c9145db0687398cba4396fd185c5398d1b

SHA256
b717277219f190f637337f7fa7a27cd651b64f0ee55b32d15c8d58b710e12df9

SHA512
7563b9099b06e12f149780b108f13a954842aa2b05b79c1d9c67e6c3a4b2e15487d83f38f46567add28857a4d74418a1bca625cd996ea70ee17f1f4f6d9ecd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\c11rujqo\c11rujqo.0.vb

Filesize
2KB

MD5
0ef9421226eca9b3e480854fc6db0bc2

SHA1
ff2fd160a610897c24fea1a6f66a95cf98ee4364

SHA256
51dee201ac3a8fd7d32897d8c329c85901e8a73fd8affff1ac39a969079ece9e

SHA512
c2407d560f7f447c19952aa456341f9606b7396bcd5ad003517c4d6d3f92675b681c574557b27be6d5f29b3f6f33262551f32044d5605f1b63152bdf74d9278e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c11rujqo\c11rujqo.cmdline

Filesize
273B

MD5
697f4b59d4bbc0d854d19444193cdbee

SHA1
5545ddb0be9f0925a881d15822f0b3f56de5cf94

SHA256
5c9980e29ec4b1e560d912b7ffa8a28118a3ba419c4099d2a24e5b40541ecf2e

SHA512
c13aff6b13bc7538d13f4eb263baecd040c8dbd2358d5af1863b9441b82c8ed845df5220ad525947be275f476a05fb3965b13672fb1e6ddf37820e68a703e7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp.exe

Filesize
12KB

MD5
2e4ff671a31332eccf0614df92a72c11

SHA1
185279a2183c3ad8968da76e26179d9f4bdda1c5

SHA256
0b9d1441d74e7dc772a1959467aeed164675cda581239e434616ebe9dce5b444

SHA512
28db4c7b833180356a930965f7b332d2e62dd2072b7bf5a56952e2cff2c0fc63ecbc2e027a9e7a9ccadb27b18693a51eb4c89a794d27c0e3f2765533cb0c12e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc67E45BA8C9F46E1AFE94F886F415D51.TMP

Filesize
1KB

MD5
a1e3423cf1db091354f064071d93e8e3

SHA1
b6db0b0ae5a71d5928c90fd56b31ab3c3f08b52d

SHA256
01b39dd574839a1130d41a37ea987ad6f9a1099954239d12a9c781f8997a47f4

SHA512
ca86f9ced0d46ae966f7ecb4cdaf7fa6f2415b8a2b14521469b9b6e8e20cc83953f5b79ce21dcc67295e2735ac7e8798bf5213663e2449e002cebac77458113a

Download Submit
memory/2208-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x00000000011E0000-0x00000000011EA000-memory.dmp

Filesize
40KB

Download
memory/2208-7-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2208-24-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-23-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing