5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8

General

Target

5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe
Size

12KB
MD5

6f2dd2002e782c2d68f6641b8c15fc8b
SHA1

9e625352344c757a088045d0731e3ccd7c934271
SHA256

5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8
SHA512

d35a2c21cc42ad7f35bfd06b3b3e634955cccfbe985cd833294d8a1cffc927f013988ca9cb1825ea9e8c68be210e1ab29e4b132092d1d692c38f13dbbaacf1a4
SSDEEP

384:+L7li/2zWq2DcEQvdQcJKLTp/NK9xaLO:o+MCQ9cLO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	tmp2492.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	tmp2492.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1244	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe	28
PID 2344 wrote to memory of 1244	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe	28
PID 2344 wrote to memory of 1244	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe	28
PID 2344 wrote to memory of 1244	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe	28
PID 1244 wrote to memory of 2116	1244	vbc.exe	30
PID 1244 wrote to memory of 2116	1244	vbc.exe	30
PID 1244 wrote to memory of 2116	1244	vbc.exe	30
PID 1244 wrote to memory of 2116	1244	vbc.exe	30
PID 2344 wrote to memory of 2588	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe	31
PID 2344 wrote to memory of 2588	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe	31
PID 2344 wrote to memory of 2588	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe	31
PID 2344 wrote to memory of 2588	2344	5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe	31

C:\Users\Admin\AppData\Local\Temp\5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe
"C:\Users\Admin\AppData\Local\Temp\5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3diyistw\3diyistw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2626.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8FAE0148A2C48EB9293A0C1A742C456.TMP"
    3⤵
    PID:2116
- C:\Users\Admin\AppData\Local\Temp\tmp2492.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2492.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5c475cd898b4a61f7bd77e76b41e6bc3d61cf19eaab1bc4f945aaf706be455d8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3diyistw\3diyistw.0.vb

Filesize
2KB

MD5
96d85ba62108788298fcfbfc728e057f

SHA1
04b8419644a37635904aa173ca519b1e186bf30c

SHA256
fe5a73148c28ddb0e5fa812df006dc2c940463855c7680672d95c1db4c5a068e

SHA512
decdedad91986f966885651f7d4443a72e800c0b0a17fb7fbf938adf807274ef6687c6c68cf3d90c375c8172ecff6621803cfaadbfe87d144ec1ee2f3d5d6e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\3diyistw\3diyistw.cmdline

Filesize
273B

MD5
3cbd8bf2210faf49acfb7322daa4c983

SHA1
87ae5b66d9e660f9c6eded65386c07d9f7a15871

SHA256
d0ba6c5a0dd776297af898db46437f1e7ab5507ccdb6bf951c2e863411e22c09

SHA512
5fcffa659e616c91b0782607246536cc6cf4500f52921f424bab5840636b9232ffc88f1108e63d7ad854973d078ba02ce808253490c5a6951650e3196b799f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6ea4ffc9fe40b7fedd371a15b1763d9a

SHA1
760b93056e4ab3da2b0aff418f4fd337d614a30a

SHA256
1ca94f18a1bfe87b627d7b152c6976ba4bcac855661e8fb84b2a9e3a7924355e

SHA512
1e643e852abbf4f1fa5c41ceec1e998d449974213c9777a50a855c2f071ee8627dad0c94fefe8ab64b00bd8ec849ff1b2b3b3002026b5dea1014e74d62e41ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2626.tmp

Filesize
1KB

MD5
5c66a9be8e932eb54db1166a367d5128

SHA1
a9bbd92c6113ad9e091f803bc564529b148cc0d4

SHA256
4420a92ae8a3e7393bf2fa10cb1876c977f16a9ff2681d37fae7d7f9236763d4

SHA512
c27eefc295ac39684fcc9788b7da62ed400b1745577802a4c760686f75550bccb82a2278160d02653ae67127d2cbafff907e5819e1b7bfd4c62ddf8f0b770170

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2492.tmp.exe

Filesize
12KB

MD5
1f0057b3890702f7f898376bfd774c19

SHA1
acc457aa48cfa988ca46ebe9e60f3bea017e1ab3

SHA256
226373ca40902143e735d9aec928dd28e22d92e31697475b4bb62382127994a4

SHA512
0e3df78203bcf1ac8ce9fd41287bc7ea92bf64d17d3f8ea4cbd9dc7f8b191fd0a482590e396e1ee72114d9714d12ded379f60d05f0610da88d3cccb98f071580

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC8FAE0148A2C48EB9293A0C1A742C456.TMP

Filesize
1KB

MD5
e6760e6f392d3cd536a881d4737a8125

SHA1
25cab4f5ad08e3db77454063a9702ac790612c70

SHA256
4c143039408b22da477156a9a389e345faabcd40ca8d6f343bdb4789139b7dbe

SHA512
0645e125b42eeaf0bb84969043cd0a5b5b20914e1a34bb87497469bb3a341cc9287105ef5d4afc196a68d1140a538c91307d5e00843e74121247ae1cc51a1dfc

Download Submit
memory/2344-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2344-1-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/2344-7-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2344-24-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-23-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing