c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad

General

Target

c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
Size

12KB
MD5

b912a402c5c743b4fa0db4c9beded7a5
SHA1

c64ae82aed37a3506450db09b5e4a5205fc009a2
SHA256

c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad
SHA512

dc973419fd632d9b7e497894c51edef6fb3439dba8cbbc9e702cf4fc057d4702075ba79a0ea69706d0b2373fb7249154d8b92577e4386c1f024134a6fe98ab72
SSDEEP

384:LL7li/2zZq2DcEQvdhcJKLTp/NK9xaSs:fxM/Q9cSs

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	tmp1C48.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	tmp1C48.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2280	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	28
PID 2096 wrote to memory of 2280	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	28
PID 2096 wrote to memory of 2280	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	28
PID 2096 wrote to memory of 2280	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	28
PID 2280 wrote to memory of 2544	2280	vbc.exe	30
PID 2280 wrote to memory of 2544	2280	vbc.exe	30
PID 2280 wrote to memory of 2544	2280	vbc.exe	30
PID 2280 wrote to memory of 2544	2280	vbc.exe	30
PID 2096 wrote to memory of 2588	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	31
PID 2096 wrote to memory of 2588	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	31
PID 2096 wrote to memory of 2588	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	31
PID 2096 wrote to memory of 2588	2096	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	31

C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
"C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3vbxqa1k\3vbxqa1k.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD415BD661E494725941B1795BF50344C.TMP"
    3⤵
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3vbxqa1k\3vbxqa1k.0.vb

Filesize
2KB

MD5
823ef7aaae1ac87312a7dc9c5c70cbab

SHA1
e90ff193964e4448783f77292c89e681bd27b5a4

SHA256
3729679b8858f9c8b454bd768317bda2f1678bd3d8796a36fafa8c95efd50d17

SHA512
b6bcb9281cadd9f2ed5c45b59eb4a111b444ef7f5d21d6312465682dea67851f29b36b98dd2169c70ad77d1a76df8f038d321225cbe407e64f724a50bd754972

Download Submit
C:\Users\Admin\AppData\Local\Temp\3vbxqa1k\3vbxqa1k.cmdline

Filesize
273B

MD5
1bebe10a95605c65a942114490bac7a6

SHA1
e71ced4e67e1a92b5db1192a8461272872210d9f

SHA256
3a9db637655414a0a37087cf7cf92a699a0daaaada2f589b0ce9abda890df25c

SHA512
3059dec079edadb3ed9d39d4b04358693313f093969c0a27e99504ca5af051eca3573049dfd2033125446c5043f41a02b6cf48e99e15d066b4255c2ade4801be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
15210095f5e51b3906c35a952adf4f34

SHA1
db24a64ca980bacaf27ac433a6ca10158517c687

SHA256
4f9b289383403695bf11ceb1eb524332372abac476d9ada4424177e27a93ab05

SHA512
31a92760e1d70800d79f802e52076218a01ee5bdb7c1093a687005ec451d08b9b3485f92c53344a89acbcf84d3b5b7030350845140e9c418d18b934befdf8166

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DCD.tmp

Filesize
1KB

MD5
8bde2fd0ec2a3b44802424a192c6efce

SHA1
67040aea9a4daa5e35a6e65c6f5b03fa8799200d

SHA256
572544fe60b9d5d057d981a09cf9271b9a1dd9bcc78f65018fcc924c1e2eb417

SHA512
8034777c155010659ac4b243a8f08e8fff9ca7498cf0a65630f7edc908b0a8fdf93cc566c9532929c3eb75ba7443144b5fc9ce61077f296b00cdd9f1c6204d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe

Filesize
12KB

MD5
7b30e2ed8144f22f06f69f7d18039155

SHA1
0ba238df586aec6764d9b08092e3b8bd7779b5ac

SHA256
fafa00c151fba6d937a882c10ae935803d05e7c08cad920795999431042d778b

SHA512
934826c25866e7006571ee3a95d3f125babca6c38e2668abcab50e8623bb4e1ae0c407d3ad96671778f5136bedc98a1f86ab6f1e697f69d8509c0b28f609cb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD415BD661E494725941B1795BF50344C.TMP

Filesize
1KB

MD5
4cfadaece817be7c0aeefc0838945933

SHA1
da13ae7eb3708bb67b6b5929f677a6fdfa3556b8

SHA256
cccbaaf9b86b67450f421418621afe4acb8e10a26f42c73fb418bd0419926da0

SHA512
884e412d8d2d9a6811706abfd84a9e6c01e4e15abb0fc9c4ef4a35564c85cbf24db647bd91e630504a93cb45735adeb83ce83423f879f0ef427fa092668d6408

Download Submit
memory/2096-0-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/2096-1-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2096-7-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-24-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-23-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing