4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370

General

Target

4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe
Size

12KB
MD5

526d93228bbdb760912de9b95143da54
SHA1

4725c24164f54218ebc5a80b064f9119834c275c
SHA256

4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370
SHA512

ac17a3d402e1ce3289a482020a58c7c0bd6ab2bd8588639897b2f2cc1379048a619f20ae66121912f6f91985712390564d6ff35c5f9f56c48f1f1d6b8d71f740
SSDEEP

384:AL7li/2zKq2DcEQvdQcJKLTp/NK9xaHK:eyMCQ9cHK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	tmp24C1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	tmp24C1.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3052	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe	28
PID 2988 wrote to memory of 3052	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe	28
PID 2988 wrote to memory of 3052	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe	28
PID 2988 wrote to memory of 3052	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe	28
PID 3052 wrote to memory of 2652	3052	vbc.exe	30
PID 3052 wrote to memory of 2652	3052	vbc.exe	30
PID 3052 wrote to memory of 2652	3052	vbc.exe	30
PID 3052 wrote to memory of 2652	3052	vbc.exe	30
PID 2988 wrote to memory of 2676	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe	31
PID 2988 wrote to memory of 2676	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe	31
PID 2988 wrote to memory of 2676	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe	31
PID 2988 wrote to memory of 2676	2988	4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe	31

C:\Users\Admin\AppData\Local\Temp\4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe
"C:\Users\Admin\AppData\Local\Temp\4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jdi5f5wl\jdi5f5wl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2694.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C191B1352BB447BB0DAD875B7D2FEA5.TMP"
    3⤵
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\tmp24C1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp24C1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4bbbab2f9affc9cc6b7c961230f254f60cdb610fe23964290da6ac23ae24a370.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
716b3a6cc4be83f3e9b93a29b8971174

SHA1
cb4746d9bb779cfbc51af03550ab90eb1a839855

SHA256
d062360320e286487f9419ab278adb4fdefa9bfafc4b74356d5c8a59a3d3b160

SHA512
3e88f318f48edbb6316e8639b3d0727e66e3e8630eb89d4e7f2edb22765e054b4df05568365fb4879f98fde8cb5370541ab411a4f8af58d8dbf8c299539d637f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2694.tmp

Filesize
1KB

MD5
2ba2869944ade723110cc195cb4ae07e

SHA1
e56e204fa7df128556db6ef07ea2f5780925dc0a

SHA256
2821fdd2726c38bf8be5e6f4ee80b93f09b3f182879213f1d20e19219e764cd4

SHA512
c1e4e4fd5a8ffa6c370503426b748621964058d39476afb61d935236fb13e1da0b21de7472668a5742caffa60a8943e0a494cb643867c3bcb465f0b0e638f632

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdi5f5wl\jdi5f5wl.0.vb

Filesize
2KB

MD5
189088dc382635c7cd1351b71a9e0bfb

SHA1
4f427a5b2231792562cbd4df45a5db6dac1f5c99

SHA256
af59014fe0e8ec7d6cdfdaa5fb8a9062fe341d01675f55abbbed0f0fcf68b4dc

SHA512
e57493f75a58cb00b2d63333cdfa67f8868c87dfc467d95104fafc57f0c1c890b59774d1922d13956e13ffeb1e150232440f1c67aae67d22cadc6a20d9bb6a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdi5f5wl\jdi5f5wl.cmdline

Filesize
273B

MD5
101b60b21a574396a9639501fffa527b

SHA1
3d70df965227338312215af0ff37cd8138542d00

SHA256
3c3c7db2297cbab3363c390cd9a32e8785317dc7b383f91de9462eed01669fb5

SHA512
dafba2e39918b804bdc5ab4472931192d015cba7396846a1e1496f1115b23c3218ddad7a85f3eab2b1fdfcbd2a3082efe6c477dd85f106638761534d1685d445

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24C1.tmp.exe

Filesize
12KB

MD5
930908a6abf0bfda2e3e4595ca594cf4

SHA1
60a4272617618dfd91d942e90d71325daef04aa8

SHA256
8ee86cf43e7a9f8e91325a3f18e6f434a65aecf047b5466b7bb6c7295a916d9b

SHA512
39cac8f2f25c639a93a58109ef36a595c1b1589505fe34b450b3bb7ec923376427e9245c5461a00a8c9fba4573a1c1d2850e1710f338ad34bf9dee163ca1ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8C191B1352BB447BB0DAD875B7D2FEA5.TMP

Filesize
1KB

MD5
b3ea1a217bdfb6d197559f60667ccd36

SHA1
42d3c91071915ecceb9e5c89f5d25c1719aaf4cc

SHA256
dbbda2b38c1c231966749ede04a9b79f5b8493bbd770c81d2c42cee57835d219

SHA512
38438e94a8f58e1a832b479b23aed8d77f8ea304a1ec86e139c1ceacf23e17759ab6603141b01cb8c7cc18d3262a74eb88f26169f8a0487553a24a1b28c39108

Download Submit
memory/2676-23-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/2988-0-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2988-1-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/2988-7-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-24-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing