9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9

General

Target

9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe
Size

12KB
MD5

6f8008a392ad15deaea9fccf4bd4fe4a
SHA1

50c34f05cf45db61cf0cb117c8ec905b90bf7265
SHA256

9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9
SHA512

c3a253b834d2e88be4885d0a5f833a0423086f082f6d23eefe37cc23cbb0f18997517f6a7372c953edcf2fd64bf16f27132a21a9b45faa91b9142cf876cc2d41
SSDEEP

384:VL7li/2z9q2DcEQvdhcJKLTp/NK9xafv:1FM/Q9cfv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	tmpD4B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	tmpD4B.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2264	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe	28
PID 1968 wrote to memory of 2264	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe	28
PID 1968 wrote to memory of 2264	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe	28
PID 1968 wrote to memory of 2264	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe	28
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 1968 wrote to memory of 2588	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe	31
PID 1968 wrote to memory of 2588	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe	31
PID 1968 wrote to memory of 2588	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe	31
PID 1968 wrote to memory of 2588	1968	9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe	31

C:\Users\Admin\AppData\Local\Temp\9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe
"C:\Users\Admin\AppData\Local\Temp\9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2tnnlgpz\2tnnlgpz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EBBE49D6C7A4FDDA1EC4893690E6FB.TMP"
    3⤵
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\tmpD4B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD4B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9cf5497db9b4f213048cf3301e24194981b23ad982938ba91775af860560b8e9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2tnnlgpz\2tnnlgpz.0.vb

Filesize
2KB

MD5
af258c7957a0cdf1dbfb648fc49a40d7

SHA1
0b99f74a38bbcc26c065fc63dca463fabfaf0d8b

SHA256
5f02ca8e99b305d83007b63dc4ef1dccc72ea0fcec28b61e7c288f337456ee7f

SHA512
cf2457b361beb7af52ee1be5b78f7c0e401e394ee1f6f096a0067262a69873de6c23754989a4e1a4a68418be92cfbd9a53c5b7c8c1f67f1b965bb8ac23e8d2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tnnlgpz\2tnnlgpz.cmdline

Filesize
272B

MD5
58883989da63375baec11743bd12130b

SHA1
7a96f2d5f5191e21bc3b7a38cbb94ea47fc75add

SHA256
e906189c8b7d6868bf2cb56f2e8299e6104609d4d0a656359634715749df7c1d

SHA512
1dedbb40d06ee4cba07e6b65bc5cd00c7e671861249fbe3fa400c2755091478f6a078352525bd78e625c86370368d85dadf6ff9ef6f559bebcc00d1e338e7983

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
45754cd8863b32262d8efd38d4dd19ce

SHA1
fecb45f3059726d729fed067d56f6d04a425d026

SHA256
f7a2b8737826f55bef00109ce2a5a19249a7ce68198d5aac638fece8fcb631f6

SHA512
a8e0aa12fbe6e5724789a89a295aa4f95529b5db0d359c8041b08218379fb3955923d3b9501e22dc099b0bf599df7ca8f18a73842eb51bbecf3ae829f653e043

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEEF.tmp

Filesize
1KB

MD5
d3f83510bae969f703e83d591b15f972

SHA1
0b425a43fcc14cf91cc4678fe91b477cce9690c2

SHA256
9590643f43bf3c929ea992e184a07cb7e84764530b75a346774eb24ec5dd1e34

SHA512
292bff49da4f1d3db5ec07e776c5b2d5ea992c681c8b210de0847206b71afd6416e33c48dbb326030b7be225b73a2b9c1519c1d69de1547764ad4e3f1e014e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD4B.tmp.exe

Filesize
12KB

MD5
405559c50c2e84399997a0eacfe25b0b

SHA1
aaeae960b95f8456e15d1463874b0fd7ae106115

SHA256
645a7042e4d28eb6bedcb4b389e1cbb90222a3473a5b6c2f6552e55207f01577

SHA512
7f9d0b4eccb30bcc5c062ec7c72876de802283000adbb43f7707e62d85b419fabe0af80f41e88947d3ad9fd93ea7b1c349317c0437ca96acbb47a7e327ad2688

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1EBBE49D6C7A4FDDA1EC4893690E6FB.TMP

Filesize
1KB

MD5
83f1a9c97a82b403570a19e99544b3ab

SHA1
d3ecbba6e5e8d7b22f590cd4710493c35d3e4000

SHA256
0e458f3fd53cb525d37b8460f41f4c2534f8032c33933493e1af361412a899c3

SHA512
69fcb8fbf0d760202a7ca29b1e40fbc65743ece033ead1ba7dcb09a488a1291e3779874e909566d24b89d91a2ba793d53438709bf3f27c9f1ac93866aea53ae4

Download Submit
memory/1968-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1968-1-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/1968-7-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-24-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-23-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing