43a9400c17da97216f3f6d6d25bc95f88b2475ac66e77e997a8e6305461a5791

General

Target

virussign.com_03206f41ddb43223ba8e00320115d450.exe
Size

12KB
MD5

03206f41ddb43223ba8e00320115d450
SHA1

731684351ae68f7abd5f3d0b7f6d5180c414982e
SHA256

43a9400c17da97216f3f6d6d25bc95f88b2475ac66e77e997a8e6305461a5791
SHA512

da3bc7fec9722fb8ddc3f385924948dd2a17bd34f43559b2d001ac6f7dd05928b09e6b2ff1389f302ca04eea1f05d3aa8da297df2cba590977702ad4fc88d9e1
SSDEEP

384:QL7li/2zuq2DcEQvdhcJKLTp/NK9xa3P:OmM/Q9c3P

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	tmp2E04.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	tmp2E04.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2884	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe	28
PID 2732 wrote to memory of 2884	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe	28
PID 2732 wrote to memory of 2884	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe	28
PID 2732 wrote to memory of 2884	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe	28
PID 2884 wrote to memory of 2544	2884	vbc.exe	30
PID 2884 wrote to memory of 2544	2884	vbc.exe	30
PID 2884 wrote to memory of 2544	2884	vbc.exe	30
PID 2884 wrote to memory of 2544	2884	vbc.exe	30
PID 2732 wrote to memory of 2652	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe	31
PID 2732 wrote to memory of 2652	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe	31
PID 2732 wrote to memory of 2652	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe	31
PID 2732 wrote to memory of 2652	2732	virussign.com_03206f41ddb43223ba8e00320115d450.exe	31

C:\Users\Admin\AppData\Local\Temp\virussign.com_03206f41ddb43223ba8e00320115d450.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_03206f41ddb43223ba8e00320115d450.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i4lmnhic\i4lmnhic.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3652784A3A6D4608A0C2F92AEA6C09D.TMP"
    3⤵
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmp2E04.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2E04.tmp.exe" C:\Users\Admin\AppData\Local\Temp\virussign.com_03206f41ddb43223ba8e00320115d450.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0da6623e576193254e58434a9edd0c6e

SHA1
b5dbdde35bb55f3eaaa16b23f9674e8119772212

SHA256
ee3e0e4c400bc1c6a4d5aae76e6d44b7b5ede8751d9a5d6203d3580bf3c374e3

SHA512
7cf4c77bb35583ca52c33a528a2e04da2956832577436bb99fb676f81dbc3e8bcd2dcdce2ee1874c569d407b82ec6a72f1e5b6c5ad17b4c37a50433726f9b778

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2FB8.tmp

Filesize
1KB

MD5
d4cc2910b5c6faa4f6a44031942b02e3

SHA1
c4e8eb1509c4272dbceabfc99720589e27066e21

SHA256
3fda342ea5121732b46d0f7deda20e3136f4ad232ab148cf45a11ae6004e2b42

SHA512
27741a828781f7f7e7bb248a5719d758c3f9fd07b38268fd3159e1b901285fe450e323effa4972f65e470506ef0928a6659bd1dce3220b68f2287746c33fdc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4lmnhic\i4lmnhic.0.vb

Filesize
2KB

MD5
feea7bf0777d825ff6f463417ffe3118

SHA1
13b416c2bcaf75f47a53bdd01ef2b5bed716536c

SHA256
349ed88a0cfdd7c5274f43c931c87c5cf6ed9fc9c032d660435155361ffebd5e

SHA512
420f2676b52c2a331ebc9f2fc3a761a0429f421970646e8c968cc9b94fc1558d4bf614f42278a317826fdc78b51647ce3b430e135879b5ee2da471831d46d5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4lmnhic\i4lmnhic.cmdline

Filesize
273B

MD5
7c39901f39c129630ded78a7cc294070

SHA1
fa70afa9445f24db98ad7225224b389705a0c3a8

SHA256
42af9c066d05ec7eb59ff0375d0c9a2b3cbd6d9932eb4684186402425ddac54c

SHA512
454aa8b365bea39b83888c2594a36bbd5ab00a169d70768bf5a01d76ddf938a8a801ea25610d129a4191b9857f80b167a93708962ffac305e6baa375f18cbd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E04.tmp.exe

Filesize
12KB

MD5
9a49bde6730e37ebf8353665b75b5049

SHA1
fe7b62dc3a6b15435c3550391ac44dae45ee1ebc

SHA256
ff423caa4341b47e8a0caf43f0af74c3d0cd0746283b60eb71fbcd7b0deeb5fa

SHA512
5fc5994d7679804ac16f322e9e633373e6a7431d9d4485d28c545e7781ff024c58ca4dd3859a6570260bd2291685a6220af09594c5dba35782890c65ec19dff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3652784A3A6D4608A0C2F92AEA6C09D.TMP

Filesize
1KB

MD5
f1c6c106a6d315ab51cceb34d8089259

SHA1
9f8ca5cd130df05b8974a61e2fe95d146f313a65

SHA256
4214e4789420f635ef8f9dde50bce4a6e8095aec182c1ee448a9b053bced91f1

SHA512
1e3f9aa068bb6840d71117ed03803ee5657869a611ce6b2ef419162967d4a7f0bfc0a8576e46314baa151aac1665417c08b32f180ee5bd57fb984f76e4e5ba59

Download Submit
memory/2652-24-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/2732-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2732-7-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-23-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing