e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398

General

Target

e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe
Size

12KB
MD5

94d2970f26a378ae3c09662259880208
SHA1

c0a8e529b94d912ff0f89338d9b9124c156b2f44
SHA256

e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398
SHA512

27abd78025079d9ee0edaf38eddebff7d6687c3f129ab8a27d327e0d79a57faad34f5fefd28d7e0e9f7716600df415a51789d21edc973a115a0765ed954390b5
SSDEEP

384:dL7li/2z5q2DcEQvdhcJKLTp/NK9xakVCE:N5M/Q9ckVCE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2480	tmp891E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2480	tmp891E.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2136	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe	28
PID 2292 wrote to memory of 2136	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe	28
PID 2292 wrote to memory of 2136	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe	28
PID 2292 wrote to memory of 2136	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe	28
PID 2136 wrote to memory of 2636	2136	vbc.exe	30
PID 2136 wrote to memory of 2636	2136	vbc.exe	30
PID 2136 wrote to memory of 2636	2136	vbc.exe	30
PID 2136 wrote to memory of 2636	2136	vbc.exe	30
PID 2292 wrote to memory of 2480	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe	31
PID 2292 wrote to memory of 2480	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe	31
PID 2292 wrote to memory of 2480	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe	31
PID 2292 wrote to memory of 2480	2292	e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe	31

C:\Users\Admin\AppData\Local\Temp\e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe
"C:\Users\Admin\AppData\Local\Temp\e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ck2b15nf\ck2b15nf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5497CB7C3E4892A88886999D34B4CE.TMP"
    3⤵
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\tmp891E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp891E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e2c9d62af5889987c39bc93a13fb8ecd6319fdadec5be76007302bc8123bb398.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
716b3a6cc4be83f3e9b93a29b8971174

SHA1
cb4746d9bb779cfbc51af03550ab90eb1a839855

SHA256
d062360320e286487f9419ab278adb4fdefa9bfafc4b74356d5c8a59a3d3b160

SHA512
3e88f318f48edbb6316e8639b3d0727e66e3e8630eb89d4e7f2edb22765e054b4df05568365fb4879f98fde8cb5370541ab411a4f8af58d8dbf8c299539d637f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C67.tmp

Filesize
1KB

MD5
f11f5492580d5586501cfd3d1fa941cb

SHA1
7db3d4012aa01371f763f985ba9655a58337bd21

SHA256
2876cc27c2121c51cd2e0ebcf92068e8bf8fe574b918b3af9f91f6df85df0aeb

SHA512
444f402f536ac4a5ff1de03150c198fb693de1d4331d58999f6a1ef048a16758306b07c9a070203d6f56f3a344258f60babffd3be8adcd97de959ca685c14ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck2b15nf\ck2b15nf.0.vb

Filesize
2KB

MD5
189088dc382635c7cd1351b71a9e0bfb

SHA1
4f427a5b2231792562cbd4df45a5db6dac1f5c99

SHA256
af59014fe0e8ec7d6cdfdaa5fb8a9062fe341d01675f55abbbed0f0fcf68b4dc

SHA512
e57493f75a58cb00b2d63333cdfa67f8868c87dfc467d95104fafc57f0c1c890b59774d1922d13956e13ffeb1e150232440f1c67aae67d22cadc6a20d9bb6a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck2b15nf\ck2b15nf.cmdline

Filesize
273B

MD5
a7cea0b0afd237be8d10a80085be2bfc

SHA1
ff8e74ecdb21f8ce4c090d2b51909d2e990c2e3d

SHA256
28521f8a4b41c27d2b19ed35d16cbbf6aa2f1dd25789c817aec83888d8a4c5bf

SHA512
f3e3e06eed253f66d9069ac26bce30c3332e29a9eead2e3554196600f1de6b531744789839a8d0ffa55bdc8b2f4104fa3c9a5fa6e6e0a11b2b59e109cee88fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp891E.tmp.exe

Filesize
12KB

MD5
b1add5ed746f5e6499489aff3e827bb2

SHA1
8896dab4bf03bf3db17a4c65c34be8f8854ba5be

SHA256
a6a9370fd99f3486e253aff5b5a7f267be55778c44895fa9829af8469bed01bc

SHA512
d6267004f6b43f75004bce3bd7c9128656e644f8259fc03e0b5da9621f7367c80466469b5135d5d555dd31e0f8aba69aebf702ab75a161e09806802396e9f23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB5497CB7C3E4892A88886999D34B4CE.TMP

Filesize
1KB

MD5
5dbdf8101ee45afcf5d38f1982e05f06

SHA1
491a0684d036b34b431bb9d311d26b08c195ba90

SHA256
075b7f4bbab3d0083662d89cfbfa1e39954ffcecf564ddb60b7707b718174bc7

SHA512
469c50ef202fd8d9ea0f49f6b4a8240e6c51f5c05e6f48b099402471e56b8dfcc4d4f9c344f5f4dd137ad9121459de5dd55bf487067395390ac8e0b1f7a7d773

Download Submit
memory/2292-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/2292-6-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-24-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-23-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing