28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1

General

Target

28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe
Size

12KB
MD5

35a278cac89eef517553c7a4e80dfbae
SHA1

edf47ff63a3e95d71584dc1c06103c9d7d23d70a
SHA256

28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1
SHA512

19b80dbf10153f9dd9685c27811bad7b83a1ff09a295f9cf4f8ccf7d4fd8c151e500f89d5be305e22dd48b99fb96636851334482c9b36e187cc0f1ed2c2897d4
SSDEEP

384:8L7li/2znq2DcEQvdhcJKLTp/NK9xaX4:aDM/Q9cX4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	tmp28A7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	tmp28A7.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1564	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe	28
PID 2480 wrote to memory of 1564	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe	28
PID 2480 wrote to memory of 1564	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe	28
PID 2480 wrote to memory of 1564	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe	28
PID 1564 wrote to memory of 1992	1564	vbc.exe	30
PID 1564 wrote to memory of 1992	1564	vbc.exe	30
PID 1564 wrote to memory of 1992	1564	vbc.exe	30
PID 1564 wrote to memory of 1992	1564	vbc.exe	30
PID 2480 wrote to memory of 2736	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe	31
PID 2480 wrote to memory of 2736	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe	31
PID 2480 wrote to memory of 2736	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe	31
PID 2480 wrote to memory of 2736	2480	28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe	31

C:\Users\Admin\AppData\Local\Temp\28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe
"C:\Users\Admin\AppData\Local\Temp\28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q2i5svw3\q2i5svw3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A1AC31A613A4B519581581CCBF12F.TMP"
    3⤵
    PID:1992
- C:\Users\Admin\AppData\Local\Temp\tmp28A7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp28A7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\28d92e515ba0386d174bf63ced7198c1368f200a8134dd2da4b482aa6c6579a1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
fcfd35709c726db922b932e2558c12c6

SHA1
6d65685cad8dc3839c003cadbd5d72388e14aa7a

SHA256
58ff6264467107951fbef19f35be27a696a2a29ea5ebf0178e00417f7b9e89aa

SHA512
2fa1e40d94f7b149e11697a63211f12f53d53be20a5dc0815b896551cb9f4aca244471d3135329ed1531e5394d19d7aa528667e627699b431ef02fe768cdeedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2AB8.tmp

Filesize
1KB

MD5
fdc9a1c8b8dbe54f7cf13de06d8bcef2

SHA1
8b58ac39132d962140507b5a45e4609117ca996b

SHA256
2b50e9860106374ed87b082a42ca868332490a96002a43d7b78a50ca50dd6b6e

SHA512
ab454e72886867585151e4bc651428784a0f374b5f1e50672a2ca5433b573ae14046258ac8183aea1b6db2c6ef0aed5b91df22f13b8e2d42556774e1a828faa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2i5svw3\q2i5svw3.0.vb

Filesize
2KB

MD5
ef90d1ce7d3fd3c1dd3ed213e67e6c68

SHA1
41ceabf147790c291463e8ff58fc9a0ff1a8fc58

SHA256
051a61a0a32fa5684447185f3d33678e1a2d7aed2b37063459d057a3af278db6

SHA512
ba330f32ae15b5df28a07eba0bfbe980c143f15b0b93c25086db53bf495833ad73729da4d8332f121d682e4768b5fc500c5c81bf3072d086b0c53d08b540bbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2i5svw3\q2i5svw3.cmdline

Filesize
273B

MD5
1ab38969157e53acf790c8f69747cdd0

SHA1
3e70f008c259c9d918d85a73792a3c734cb89242

SHA256
8b500e5d9e546cb4fd764c091415a1b720dfc1496306a62bfadaaffe4bb28cef

SHA512
cee09854713d1ba344d0bc6229109fd717d6472213648ae7b36b3cb9c933db143c835a39ed8577794ac0badba9593810b8ed6e8cd566bf49b3f81152caf0b871

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp28A7.tmp.exe

Filesize
12KB

MD5
7a762436b3f72ef623963dd3bec5df16

SHA1
2a06a07ac7c369859f7ac354f992a8f871d83ee6

SHA256
b3d369520716a5a201629074ca1ac2d45b2401b1b959b5d0eb60c66f51957618

SHA512
1735d6bb0baefb7f7d7d1bbcdceaa5cea2f5e0547859f514687b338df0c9649aff66d9016e2df37729faacdc8b4877fda77fde784aac988b23a2deb6b443ae89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4A1AC31A613A4B519581581CCBF12F.TMP

Filesize
1KB

MD5
6ab5663039deddc8976fea1715a0b0ab

SHA1
d113a1763b2acc270bfab44e328de2c11082dab2

SHA256
a87e63533462d8717fd5d7b8812adc968614881c8744d8c89c84a1c16a050f93

SHA512
bf4421fa6b9ff904a8ccd9c38ba0784b1ba834d2d6e8f6779ec898038ebc9270148e70c7fad93a414a7a0ed0face06cb5ced5780942b4be1842a538e17c44063

Download Submit
memory/2480-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/2480-1-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/2480-7-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-24-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2736-23-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing