500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643

General

Target

500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe
Size

12KB
MD5

53335690625b494f72175ced190dd98f
SHA1

b6a551af6abd1ce6d53eb854921191b8dd74d5ce
SHA256

500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643
SHA512

ffd36e6819ef62eb05806e805947d7c4ec2a41e46b498db184f7d256a123fd42cf4c3277c70f0133f82ae6a3afbca182bb0984ae6ac848409637bf1038ac8590
SSDEEP

384:bL7li/2zWq2DcEQvdQcJKLTp/NK9xai0:PeMCQ9ci0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2452	tmp3296.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2452	tmp3296.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1720	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe	28
PID 1736 wrote to memory of 1720	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe	28
PID 1736 wrote to memory of 1720	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe	28
PID 1736 wrote to memory of 1720	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe	28
PID 1720 wrote to memory of 2708	1720	vbc.exe	30
PID 1720 wrote to memory of 2708	1720	vbc.exe	30
PID 1720 wrote to memory of 2708	1720	vbc.exe	30
PID 1720 wrote to memory of 2708	1720	vbc.exe	30
PID 1736 wrote to memory of 2452	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe	31
PID 1736 wrote to memory of 2452	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe	31
PID 1736 wrote to memory of 2452	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe	31
PID 1736 wrote to memory of 2452	1736	500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe	31

C:\Users\Admin\AppData\Local\Temp\500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe
"C:\Users\Admin\AppData\Local\Temp\500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytzc1cj2\ytzc1cj2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3459.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc933338395462465493B13200F6D61.TMP"
    3⤵
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\tmp3296.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3296.tmp.exe" C:\Users\Admin\AppData\Local\Temp\500fa08f7f4723d030c3eb54e0e148b4ed0beac3c31a3ed26fc2689073d45643.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0a55208ef24bf72b914417998353b664

SHA1
4531420c8d677ba0194783f253f202945a619f7c

SHA256
51725868ac8149d496a9590423bec8f83f3f92d48a91c453dea5be05fce2ebc2

SHA512
af5a4118552db4a882433f20f9a8c34a24696a0d0b29c0c3890732a551f6a30a08749b150b56cc64ee73304bda7168ed91e1a54a9353bee5c00eddda95ee069c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3459.tmp

Filesize
1KB

MD5
8cb81c96d105d0c8a4e3c8c213fc26f4

SHA1
54c0beca72b6c40ee115c04a6a7de33495dbe894

SHA256
13d4e7334fa554a0b6c6e1803287f9817ad3fbfd900abb08b9f788f5f7a5167d

SHA512
c3f40db58e12b12d4f6876b4c97c811712f53e420a4cf4877d19cc566e2eed827bdba27e5156e601172cb756d3120dfc358a2571957345c3600756631ebf3586

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3296.tmp.exe

Filesize
12KB

MD5
0643fdef9fc40865e248bd0a52b3045d

SHA1
fdc5e1e28abddc5fb213eba21e4e108d321cf380

SHA256
02fbe6d89f71446b397f89fd39c749581a92c0903ea7b1ced43d4fa1cb70b45a

SHA512
8031b30035b608738dccab2c3ed4aa3f6a72d96201f85f225d7bd06fe86d4ec446b9c6aa95b93daed517151a40ee878e40cbfec0d3a4259c7d82b46598dccd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc933338395462465493B13200F6D61.TMP

Filesize
1KB

MD5
2efec43b0e517c8fbe9dc324dd16973c

SHA1
e928ba10b041f90f7a1eed05f7f4e9709d91f553

SHA256
25350e38a87aaa71aac47303cd0ff8a3478240a7f1355a6d034a12a5997e0725

SHA512
402c67e08d30277393ac80014eccb3728b01c52ff632d1bb159576ef38553c293533dd3fb48705d17ee43731f10273db90afb4de9ed4c72d0200da3eba5c5dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytzc1cj2\ytzc1cj2.0.vb

Filesize
2KB

MD5
deedb6124ed64f947f0cb22af235bf2f

SHA1
45607a3f1db26ad2837e5066f63451e9b6cca2cb

SHA256
706d8e8e3ebe0f0bebdd5025872c5337489883c0d7e12ed61628e94962af7c2c

SHA512
32bc68ce790ccd52ee6e0d23a5889b0841a8586d84884e4b854d440e9bd9e185550637e7ba68a478325a1653595148edf80a31ed7b49f20f4924020081ec27c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytzc1cj2\ytzc1cj2.cmdline

Filesize
273B

MD5
83b7e33f4b06c4003c63576c8d40e7e2

SHA1
56d429153e57f0d462e704a4c2f93e1785348d29

SHA256
bce57d1753dce31d13f667b18561f290002793de8b20072a7e00d0e6ff430674

SHA512
fb1c3eb7752d2d680ab791496a8ffeaeae2ddb45995a016bf90ea7d481ccd03d2320f83fe32635cb29068e9586b10baa86b4b3f972a7f6e83300ef111ae7c40c

Download Submit
memory/1736-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/1736-7-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-24-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-23-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing