0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5

General

Target

0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe
Size

12KB
MD5

1fb19c19f881ead7cf69cc2fd854517c
SHA1

e762c2ca896f93c2e91335d3828705cfdde2a149
SHA256

0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5
SHA512

9f06e032776d35f4520de7143c88b9ba9ccd4fc29af0dda01d44af827ced6eb7a6efc37f52130fbc2e5c9b8d9a1dee51b563df3df1042bb3ea6ca5839b167847
SSDEEP

384:IL7li/2z0q2DcEQvdhcJKLTp/NK9xaa1:2YM/Q9ca1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	tmp24D0.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	tmp24D0.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1800	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe	28
PID 1596 wrote to memory of 1800	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe	28
PID 1596 wrote to memory of 1800	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe	28
PID 1596 wrote to memory of 1800	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe	28
PID 1800 wrote to memory of 2256	1800	vbc.exe	30
PID 1800 wrote to memory of 2256	1800	vbc.exe	30
PID 1800 wrote to memory of 2256	1800	vbc.exe	30
PID 1800 wrote to memory of 2256	1800	vbc.exe	30
PID 1596 wrote to memory of 2704	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe	31
PID 1596 wrote to memory of 2704	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe	31
PID 1596 wrote to memory of 2704	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe	31
PID 1596 wrote to memory of 2704	1596	0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe	31

C:\Users\Admin\AppData\Local\Temp\0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe
"C:\Users\Admin\AppData\Local\Temp\0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nmqkzof3\nmqkzof3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2694.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA75921BA1BD444979D7A7B3B1CB9C7.TMP"
    3⤵
    PID:2256
- C:\Users\Admin\AppData\Local\Temp\tmp24D0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp24D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f5ad979938c22eb72220717428f10905506e282af9cecf42cd4110c6cac1ee5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d35eae5eb711973acb69c7343114defe

SHA1
e6879cf8ec737fa7933d405ff287fffee274f2bc

SHA256
47c46be8578ccfa96f7425b0bde63d81ba7acbab892f9bbd0667a2a8cd03d5d4

SHA512
9206ff6405390629e01c82640d31038104e2818b05bbffb2dc6a8f9807d7ac98e5638381685ac22f10bd0b3f5c7741d76dbbafc240e8c7691427acd3be07f541

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2694.tmp

Filesize
1KB

MD5
345659fdbf1daf2b74ded2aec702565a

SHA1
962b28b6678d13e0d939306b415ca0425e4325e3

SHA256
306022b19cd1acb8c282752c30174dc04f4dcc0f9b5a5303cc2d50eab65c1f7c

SHA512
c9fe1cd314c1e4b8410718a47b0d63fe4990c7bb71973b936bbc6fddee83b2e0eadc01a29811c11f1c84d4558b2338405cfd29eaf92c69ab7cd6e06293303394

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmqkzof3\nmqkzof3.0.vb

Filesize
2KB

MD5
3c62626416648ab295bd06f70acb5193

SHA1
0b5f6cdbba9c5b4eb7c878d476a42ceca0537f11

SHA256
259741c418c6d13ebf351dfca60fa756f479e79ab1b65fcf7031f2367a8ebf5c

SHA512
100466e4c716410635af34f134d81b5daff761c850ee9c16b534cd50821ec2284a4ac3484b0484b153be43709db92361c96b548d0f4d0584826fe0cbce5b3015

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmqkzof3\nmqkzof3.cmdline

Filesize
273B

MD5
e4fc85450e3e040d6f38a13559c62ac9

SHA1
ddcc6c170a13e89cae6f428b79ab81f1722c043c

SHA256
bc30c32d6b80f253942220c40e502b4d8d06f19e9066095afbd8bf3f6c26cda6

SHA512
fcfa350b22e563542a8c53dece40e1dca35038ddb263fb08f80657b3123821b02bad93deaa9afe794682509e4fac278008f539610cb21be2dc25f52454a42955

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24D0.tmp.exe

Filesize
12KB

MD5
384b77a328fbec0cf224a603102ba3f7

SHA1
9a603cf7bb21756d8d81283304fbf7e46f419bed

SHA256
8381294011815d84c8b323db3f7d136b7a9611e11b6f9d90e5a0b7fcb751189a

SHA512
11a673fcbed96e423a06ea26a7de478fbae64b4bf8eca5e8ee5187ce67b1c56ffbe8327a41d35debd98f134e4143c036c15cf32995519473b307efa1392e34be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA75921BA1BD444979D7A7B3B1CB9C7.TMP

Filesize
1KB

MD5
fab27308440a93ece60683c9bcfff289

SHA1
6b2551f47145261f1d61986f5e8f767f5b49de1d

SHA256
ad3bb2dbc26d6e698491409e19c1470a34c8b21cdcc265768661b6713ce61989

SHA512
df071cd5710adfa6406bf1246b8c5661814b39662363021e6906d0ab2d2c3768db07566dd9e19bd0aeefb45074ae81478cff0f4b6699fa980e9a8d6f60ef9e80

Download Submit
memory/1596-0-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/1596-7-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1596-24-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-23-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing