f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d

General

Target

f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe
Size

12KB
MD5

ec3727b7453ec77b841074417f5cb2b7
SHA1

651b530c11f00a7dcadef8553ba86bc06bc2dd2c
SHA256

f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d
SHA512

668a56f8970373e502cd5bd8b68df44cb1fc72a1586ccc59ffb9408a79e3a5c7d84454a0544ea2812f7cc5ccf958e933351a8133cb8a99fb32647cce1ed296fb
SSDEEP

384:4L7li/2z1q2DcEQvdhcJKLTp/NK9xap4:GlM/Q9cp4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2920	tmp116F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	tmp116F.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1900	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe	28
PID 2228 wrote to memory of 1900	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe	28
PID 2228 wrote to memory of 1900	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe	28
PID 2228 wrote to memory of 1900	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe	28
PID 1900 wrote to memory of 2608	1900	vbc.exe	30
PID 1900 wrote to memory of 2608	1900	vbc.exe	30
PID 1900 wrote to memory of 2608	1900	vbc.exe	30
PID 1900 wrote to memory of 2608	1900	vbc.exe	30
PID 2228 wrote to memory of 2920	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe	31
PID 2228 wrote to memory of 2920	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe	31
PID 2228 wrote to memory of 2920	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe	31
PID 2228 wrote to memory of 2920	2228	f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe	31

C:\Users\Admin\AppData\Local\Temp\f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe
"C:\Users\Admin\AppData\Local\Temp\f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1m4fkmvn\1m4fkmvn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DD72C622EA84EFBAE98197237306234.TMP"
    3⤵
    PID:2608
- C:\Users\Admin\AppData\Local\Temp\tmp116F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp116F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f73ec8da22a2a8eb249d11f5df3ac336a10c9804a27a79d43a580fa59c33de1d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1m4fkmvn\1m4fkmvn.0.vb

Filesize
2KB

MD5
8f7185a645f6b7a88f37089368587cee

SHA1
1ae675c18fc6fb841d20b61801d0df52e51efcf0

SHA256
df755fc62b096e0d6f17fbf4ae75eca01475c31696cc6eea7a82220f0f5e9e68

SHA512
454af5a3dc6eaebfe0d129748925c79cdb30ccf91872c0cadc631eb8cb63a9da517f10a93c2f41b78525e5194e21844f89194975bb5c2ee696c9bece6d05fe19

Download Submit
C:\Users\Admin\AppData\Local\Temp\1m4fkmvn\1m4fkmvn.cmdline

Filesize
273B

MD5
cad34a5d4e5047ba92dd54303cfca8c2

SHA1
f854c52980517540d013fbe685c20983ef1cd3f5

SHA256
ade3fb97859b73260f5582992b250b2c8ba53bb5b23d002ead91d3e140f606d2

SHA512
93856f1a9dec55e96216343b2da586bb064b69ad838b5e983bf1f033c8b3f15c18872003cc2d5f6ab9d854e76f25ad1bf84ebd02f0a42453d5bf9f7c7d44832d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1bb338f89ca87c3e6e8044136f12b7a4

SHA1
db26badd684163430eb377aff9ed06a771155092

SHA256
ed48e111f0529c505c50f3472706981395deb03dad61f04198eaa9c0660e58dc

SHA512
886cab3609bd7fe3ebfc8d87a740b81140c6e031da8269e07d81e5bd5788f209e190ebb1a428fd30470b9fbf0ed2c0a2714d3fcfe64a3de9721a1772af85e1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES12D5.tmp

Filesize
1KB

MD5
5da82ffc83a68364c6d2663f5a22ddd5

SHA1
fea20104b0fd914f5af0301dba3f9e9c51682781

SHA256
9a2fe600d67070c69c71ae7df713d8c091b637d07e6322cb3134d28b92fa7008

SHA512
304d34df63fd8015cbbc38b498882061790e8b273d568ca6985cec41463671508a55888efe70e7d66e702bc483031adad8e4135957aca13f7d57766ff9e41da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp116F.tmp.exe

Filesize
12KB

MD5
33473b051aab5863ad6395115c2cc84a

SHA1
29e94bf19d316b785c3366056be83b369055cd34

SHA256
68de929025e1f84bef5c405b5809592c1b8c158f37deafa59f59afe183e0a55a

SHA512
e22523435475e1c1ea224d013d7b28756967b78d8a3bf7944e67ca90e0f94b0c801925f1b91bbf1e83831cc3130cfce2494c7085e33c7fec9a3682eab5de863a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DD72C622EA84EFBAE98197237306234.TMP

Filesize
1KB

MD5
f29bb72cb7d21287b7064aa68c03a50a

SHA1
3cc1faf7d6467c6c8a0b461b91089d5b65b5337c

SHA256
83b38a608771d2d152126ade186c03b587d60875925d18c0a45b46fcfb33c14d

SHA512
eabbe8532c0388f661a5385a52634b7c77bb02a72c3909925700f474a12b9fbbf61ab6bba8531d17f2d7e0de797ae9fc4161bd3f29d50798e1f68cb9b72f6b11

Download Submit
memory/2228-0-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x00000000010D0000-0x00000000010DA000-memory.dmp

Filesize
40KB

Download
memory/2228-7-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-24-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-23-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing