9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e

General

Target

9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe
Size

12KB
MD5

7875b761f01649cbdf43f5ad77ee0d72
SHA1

b1d791783444aee8aba806d6fe528ea5b179f9ca
SHA256

9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e
SHA512

259257fc3659188a4e05b2e0c3046dbad3c9fb4e014ef4bba28ad3d47110827a6adb4c5bd88d664e1048ccac96eba4513e6c8bdd6edc3651e9dfb2e0a5ff24ab
SSDEEP

384:VL7li/2zWq2DcEQvdhcJKLTp/NK9xaJw:12M/Q9cJw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	tmp2859.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	tmp2859.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2008	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	28
PID 2932 wrote to memory of 2008	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	28
PID 2932 wrote to memory of 2008	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	28
PID 2932 wrote to memory of 2008	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	28
PID 2008 wrote to memory of 3024	2008	vbc.exe	30
PID 2008 wrote to memory of 3024	2008	vbc.exe	30
PID 2008 wrote to memory of 3024	2008	vbc.exe	30
PID 2008 wrote to memory of 3024	2008	vbc.exe	30
PID 2932 wrote to memory of 2720	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	31
PID 2932 wrote to memory of 2720	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	31
PID 2932 wrote to memory of 2720	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	31
PID 2932 wrote to memory of 2720	2932	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	31

C:\Users\Admin\AppData\Local\Temp\9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe
"C:\Users\Admin\AppData\Local\Temp\9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kicav3p2\kicav3p2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FD4DE10242245838997DA73D31DCD54.TMP"
    3⤵
    PID:3024
- C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5621209dc7dbb170b9bf0751aa3e7923

SHA1
0e59650dc61ed9527c4c612b42e515beaa0f436a

SHA256
6018c4c5e902119f521ad694cfae5816683da1d3ff29e6d098e19bf017b8fd44

SHA512
3288c7f342d665bb51f7e3e2a75f068cde5ed290a6abd521db746e4ae9be620ea70d3e9ff9b75f3d369404dad6cae693d05d6dd75f7b7d3a4f628a53bfb4048d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp

Filesize
1KB

MD5
b54e8631e57fc58e6f6b3b9765f3edc9

SHA1
bdf8e1fa5ca6df1433eba9301e96d45e5cecd884

SHA256
b5dd65efd8253560e026d1fb00856a233e68b7524dd331a0695db2f23d261f4f

SHA512
c0d7c890e89ff574b51e974243d63b0fe61540f370788f34777e4c8b072ffadf7e4158ae22c6c42411425b423de3bb20a644089ad70c9a3ef39d99f90867fd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kicav3p2\kicav3p2.0.vb

Filesize
2KB

MD5
cdf2bd789086fdb92d6a3e6a66114d2f

SHA1
5eeff5f75f2da6a4c3f94408ecfbe05d6a398ae8

SHA256
45fc66bc4dc67d0f9535dc33e7c94c7dfd131f54c70ede47a0922431f9e7ebe2

SHA512
626a9b31edba65a6153a44415ecdea76f61cb4b394601823fd6528635aa79d298dba206efcfc80b95c002ea8fa74743824379784886c1c17b7141d1412928c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kicav3p2\kicav3p2.cmdline

Filesize
273B

MD5
7e24ef4ad6b2412c4986262eeb412f62

SHA1
a4708ec6f44bf5cc4270dd9c845ee3616ae28f4f

SHA256
22c632668bbb5d89e28c963350c32ff46a7834aad7b8b491f1f7bdd5484c540b

SHA512
2a3c00e70d2b81f9c0c3d02229b75f268bf633f4c3e764e87aa505d5ff2e262c350b58898d9ab292b54b361db34f07c8a8ec1a03794b89c9b9312044451f80b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe

Filesize
12KB

MD5
0c6a3ffec741b0183d8806535167f015

SHA1
18fe5cd81aa2b2c9d119627f985c4df1473c262a

SHA256
e498bc9c94667da72aef3a125933fa3ecceb019bce121a120efee42606634459

SHA512
2806693b507f7d3cd873f15a63852ebc82c9ef641bace0e3408f8d3de358c65326c47b9ae4fdafaebcd0f66dc3c2e8e2be8a2f127cb35d0a06d8e47c52f85280

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6FD4DE10242245838997DA73D31DCD54.TMP

Filesize
1KB

MD5
93a28da04eb1208a099062942ab412d0

SHA1
1a8028fa9e0a28733806ef7406459b4a71dbbcf1

SHA256
83cc2a4d2392f8bbf15cc3808b348382da4a2f4c9513e4cc4fbb7995bae22612

SHA512
fab8b348d6beb79b0f8459166798fef2d6dd2c237bb67d14fdcfaabd436dae7a3de05a81a41729659fbe0c74c2062d30a96e60da16b52dfac53ee3a4045f32f4

Download Submit
memory/2720-23-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2932-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2932-8-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-24-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing