4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120

General

Target

4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe
Size

12KB
MD5

28ccfa4538067967f7c9adc9f7d25432
SHA1

77e0571926dcbd6c1e3de68fc8773eb0878f2ff5
SHA256

4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120
SHA512

2d689cbf050f292f24cd1997780a2ac5eb000ca76443bf5c38d83a4540a957fb24a0609f2ae0415ae4d00462ff97c526a4324a8cd2aa6d5dc0d1dbd56f05e31c
SSDEEP

384:UL7li/2zpq2DcEQvdhcJKLTp/NK9xasO:ChM/Q9csO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2572	tmp18FE.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	tmp18FE.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2988	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe	28
PID 1888 wrote to memory of 2988	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe	28
PID 1888 wrote to memory of 2988	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe	28
PID 1888 wrote to memory of 2988	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe	28
PID 2988 wrote to memory of 2772	2988	vbc.exe	30
PID 2988 wrote to memory of 2772	2988	vbc.exe	30
PID 2988 wrote to memory of 2772	2988	vbc.exe	30
PID 2988 wrote to memory of 2772	2988	vbc.exe	30
PID 1888 wrote to memory of 2572	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe	31
PID 1888 wrote to memory of 2572	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe	31
PID 1888 wrote to memory of 2572	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe	31
PID 1888 wrote to memory of 2572	1888	4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe	31

C:\Users\Admin\AppData\Local\Temp\4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe
"C:\Users\Admin\AppData\Local\Temp\4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dywjgwpb\dywjgwpb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A25.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB14A0DC1EB4F4E43B1332B4814E7099.TMP"
    3⤵
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\tmp18FE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp18FE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d9781d374322f75d35b9ec3238d662d15f435cdf3dc6abd05bac97427c02120.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ba2de093c8b6163475ce7840d5f7e23f

SHA1
e87e40a7ab6723402a0e79d21489e69bb51d4586

SHA256
e4397db949a700fea646995c2d7180a2e110ccab8525df4788afd786e896095d

SHA512
62136ee258d664ff102aab7b08859e7bc0c334e9da117efa352965b0437db9087be5d00ac421a4dfef5ce2c1b4254e9ac41f0121dbdea8489f8d82caca38d185

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1A25.tmp

Filesize
1KB

MD5
bce7056ace968dfcbd788707a96f7679

SHA1
0cf357ebbaaa1e728c8e77ff7e10d67400cd4353

SHA256
a5154e70f566cc64b697ee26e86d172afba43d0b53dc3311f9854daffc0e85df

SHA512
7ee68b223695b8f2397481c81003e675a8e6f0d46d07b136bac693af153fbb2fd6fe2caf89b759d9d550b821fe859f0c21984f2cf2f1ce36e4513b3bc783f676

Download Submit
C:\Users\Admin\AppData\Local\Temp\dywjgwpb\dywjgwpb.0.vb

Filesize
2KB

MD5
a8f791d305a13b725261caf187cfda11

SHA1
dba1997f2eca205aa8d0ff7d47f32aa98cb35fce

SHA256
ed5133c871b81f68f0742e25189b85726b3e8af63421f593ac2dfede02901e64

SHA512
942a48ade97b325870773f9775c0bb8255fadeb2d6c0f03cfb8c8fa4abb210d2a0423895effdbf98c569beffb4bd582c18db8c7b8266357b0b1d82be5ca1c532

Download Submit
C:\Users\Admin\AppData\Local\Temp\dywjgwpb\dywjgwpb.cmdline

Filesize
273B

MD5
9b7410712ede33b5ddb0cf6e0fcfa405

SHA1
c9d3a92f5560188096650b274ea6565d9d5e8749

SHA256
e52e238622930778d5ba1ff4f8651b0aa74d82e879e8c78ae745529e8a967685

SHA512
8ee6a0b026553503362bca9d313e6c0eb48052f675144f3147a87e6416b7aff4fc34bf50edf440d423d535ccb066f85f6ac1cbc3f0c37eab6b5224670034e2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18FE.tmp.exe

Filesize
12KB

MD5
ec34b43141232245ec9b1d9bc97d2048

SHA1
789f9b79e3d619c4209da08fa31bff299eb925b8

SHA256
a9fdc78a3016944c4414535cf790796b4efbee7a897a4209a77c52322f12d1a3

SHA512
5f17f8448537489e74252796652fb2a310a2d138a8fd3dcf1607338526df93691938b8004cbddd0c35bb612b112981712acb5fd5901796390d7a53b2a0477ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB14A0DC1EB4F4E43B1332B4814E7099.TMP

Filesize
1KB

MD5
c442d141ece479337c9cfbb664ffa9e6

SHA1
43161035f4b7e1cc98b77a0c368d20e162fe7477

SHA256
2387da6f1a269a96f71dd99dc84fe7f2528e3df3bd7ed8cad32950d202e0253b

SHA512
1d77c165d25370fc539b06a49c3b79698c179349aeef15facf9b46836102dcae9664fd7df1808cb4c09fcbb0fcb6e973f230d0537faa5e1f932f7eb4d5702e40

Download Submit
memory/1888-0-0x000000007459E000-0x000000007459F000-memory.dmp

Filesize
4KB

Download
memory/1888-1-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/1888-7-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-24-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-23-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing