918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77

General

Target

918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe
Size

12KB
MD5

a37b639c3d3d15621d92412478f20e2c
SHA1

f066f7587fff6236fc02659774c64da23f5ff382
SHA256

918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77
SHA512

1264463ae943f3ee0ad75df3777f4b5ed0cb3acbc879cb0fd3243573449a29d6e99e92f85a8887cdff1dcea7b5e285857a1bb5d6d6a248e4c7c886a692bd10d2
SSDEEP

384:DL7li/2z4q2DcEQvdhcJKLTp/NK9xaWN:H0M/Q9cWN

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2068	tmp2D97.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2068	tmp2D97.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 344	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	28
PID 1252 wrote to memory of 344	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	28
PID 1252 wrote to memory of 344	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	28
PID 1252 wrote to memory of 344	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	28
PID 344 wrote to memory of 2856	344	vbc.exe	30
PID 344 wrote to memory of 2856	344	vbc.exe	30
PID 344 wrote to memory of 2856	344	vbc.exe	30
PID 344 wrote to memory of 2856	344	vbc.exe	30
PID 1252 wrote to memory of 2068	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	31
PID 1252 wrote to memory of 2068	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	31
PID 1252 wrote to memory of 2068	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	31
PID 1252 wrote to memory of 2068	1252	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	31

C:\Users\Admin\AppData\Local\Temp\918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe
"C:\Users\Admin\AppData\Local\Temp\918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v5dkadon\v5dkadon.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3436AE08E984FAB906DF0ABC09BCCC5.TMP"
    3⤵
    PID:2856
- C:\Users\Admin\AppData\Local\Temp\tmp2D97.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2D97.tmp.exe" C:\Users\Admin\AppData\Local\Temp\918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
101f6df53cb3906ef5ff6e363b85bc00

SHA1
d675309c58843211e38da26d516c9a97060be112

SHA256
fa06cb6dfdbc7db828e6483378d209074034d017926a3ba72fba0a18973aa89d

SHA512
d9daef95c9d2dfa6c24bbe82002d396ccc42a8b8cde08c0007e63bd875491a2054f2b64f8a105a0ab064c09f087b16e28cba7a3104fd784e000be1cf4deef321

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F79.tmp

Filesize
1KB

MD5
9062812f62820f2eadeff03226bfa277

SHA1
ead38d3ca72994614fa63a7fb4925be1953ddb69

SHA256
0d9cb3ba11c3e6837cc468d00a526cc72410ce72a68eca97e18f896e138cf914

SHA512
f1a7d695cda9921107758e7c5c9b8a11a1259f8ff48a388330ede939f132c9e7d1edccd1eac89aa193cffc451ed98932b8d4cc0e9d47a800d00baba6afee8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D97.tmp.exe

Filesize
12KB

MD5
2eef84ea5bbc93999a1ab8fa717b8f78

SHA1
a70bf36e4cdb7ce1b46bc9c86ff274517b025223

SHA256
89b9756cbd743e18ce1d82386a83379cd239d7056a82f837fe4345535f92ac0f

SHA512
809597976c3bf29b32fa511508282af919ccb0b5537ec135b555e99daebd8c94d66f237a81fbde4a0c2741d4f490f543122cbc55f340fc91aeda486ae8fe3e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5dkadon\v5dkadon.0.vb

Filesize
2KB

MD5
58abf337d148e7691fd75199a71745d7

SHA1
68d2bd869b6064f737b8dc3c3c8b705c85944bce

SHA256
51f7898353faa9f30c7f681b601630981e446ab2146149123f973e598cd4dd92

SHA512
7dab2b16649694c62b5edb8c3742ba1b761f38369cb9897ea665b4b4eca0d31e25eaefcc74e94050832886c038a6675c5e6c89e4d2fea6e065b529cd53e4fc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5dkadon\v5dkadon.cmdline

Filesize
273B

MD5
879ad86387ce372c6f9705651453509a

SHA1
0545201b8aa483a487a1612a15b48e68a7406ece

SHA256
0a17701d162171af678df9f68724b1cdd7a3f7c1aacfc436241cb946241a70fa

SHA512
f78dd8b66d88297db2e1e517f4646cd08b3172e9980bc140ec0d9fc8ab0357a7d5ba89316a2e0b6618f4eddfabe5adfe5934d90799d50e2cecebfd49ca163d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3436AE08E984FAB906DF0ABC09BCCC5.TMP

Filesize
1KB

MD5
00531b0b4e4cfeb472c07daae216ac8f

SHA1
40183559cf29c746a6f2daf690d19a401e6beb23

SHA256
54c70ce84952ef7d01236a4989763fa9eb765bf2be4ba40d0fb4e4294223c124

SHA512
5d0f65ee35bfa202e3b43bad2137fdc4cbe5d8a46c6e5315c4362dfefd68486431051af6f5f610b3b9ed13e5aeb1218615fd0441eadb57a371c09f74a813d483

Download Submit
memory/1252-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/1252-1-0x0000000001150000-0x000000000115A000-memory.dmp

Filesize
40KB

Download
memory/1252-7-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/1252-23-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-24-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing