1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44

General

Target

1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Size

12KB
MD5

c078a412683a55a2fabfe7351daf5aef
SHA1

d5b864368e318aab0740e41384c82e37b5fc398c
SHA256

1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44
SHA512

7a0e29f72dab53f626a9feec6dc1474dc2225dde59d3c41fcd55ce9f07804ee0e18fc6cf366c54639a337fde78ed24aadf84fb5f780a70ef3bc81d5f1a09f664
SSDEEP

384:eL7li/2zbq2DcEQvdQcJKLTp/NK9xahW:IfMCQ9chW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2900	tmp2B65.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	tmp2B65.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2420	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	28
PID 3056 wrote to memory of 2420	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	28
PID 3056 wrote to memory of 2420	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	28
PID 3056 wrote to memory of 2420	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	28
PID 2420 wrote to memory of 2292	2420	vbc.exe	30
PID 2420 wrote to memory of 2292	2420	vbc.exe	30
PID 2420 wrote to memory of 2292	2420	vbc.exe	30
PID 2420 wrote to memory of 2292	2420	vbc.exe	30
PID 3056 wrote to memory of 2900	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	31
PID 3056 wrote to memory of 2900	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	31
PID 3056 wrote to memory of 2900	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	31
PID 3056 wrote to memory of 2900	3056	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	31

C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
"C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\430quyqr\430quyqr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E2CD95D590940589D90E1494668B7CB.TMP"
    3⤵
    PID:2292
- C:\Users\Admin\AppData\Local\Temp\tmp2B65.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2B65.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\430quyqr\430quyqr.0.vb

Filesize
2KB

MD5
dc33e80a3a777c6747787ae44bf67456

SHA1
921489cfe33408b6ea09284765f9c161eb321541

SHA256
93a9d5527b695a7a3b13c5fac9a17beddce08907f41b3c5cb9d0517351c5658b

SHA512
1bdd72c5f229df503239b67ca61a393eabaf674eeb5601fb5a7dc0e38c28cac47ae1f66b809f8fbec955b17ef684bec974919e2605b1258ed92e67ed79d8c101

Download Submit
C:\Users\Admin\AppData\Local\Temp\430quyqr\430quyqr.cmdline

Filesize
273B

MD5
9b081dfb7b0133bfdad604e47b29d1b7

SHA1
65a73c00e3e2b3b42eef69025b73d175b52e1410

SHA256
fbb36d35e0a9f882a91d59d04cf634c5cbfe0c72a6484124d8eefc199003173a

SHA512
a7c763849d4d30e6af41a31661f28e94d9d12455e43c1fae690a875793c526c2b3b9902090cbab0d08caea577ae28a613eca6cb87e6adbe2c42b723bd1023293

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
71b7df11cb5d2142da017bd1c19f1910

SHA1
9f19afb7ddace40f88abdd6caba3c962cd55ace0

SHA256
533a7a2285c070e7f0d6b6231fa828140ef0659205ec287dd8300eb3cfcc06f7

SHA512
cde7bdc76393b8a0a0579268a661ea465f1f9e748a5535dbaa11d52fccc798c30e346021f26878b6102d56d0f4f4034c3ae2ff490b3df9bf70b7dd9c2e4658a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2CFA.tmp

Filesize
1KB

MD5
a0cabdcf77cd58c4ffad1026aa3f9f02

SHA1
d9dcdad95474aec9c26466ba1af88d38cf4169ad

SHA256
6767f59736618ea5f3390fe1980c28402c980bcfd786fcbf92dd5070c1c2ca83

SHA512
9f7e01c73788513a660989147d5b71bea1959fe0181d1fc7df56bde84ed3cb2e64687433120a83f713c5640b70152852152f15f5abae2e0bd3bccc2a58f60573

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B65.tmp.exe

Filesize
12KB

MD5
07492a8473f77f6fabe999c2dd1d8f81

SHA1
51070c54c31136f127c4d970b1b953e736289883

SHA256
4eef693ae6102ad6972fe708272f5000cfd98ae16faabf3573fd749e452943c6

SHA512
6c9d3992b2da1876b1ce64205db69a875a59bbcaa6702292cc2c5682331f7dec94791615997267d56afd4cb77c18d8a6de980f5e3ecc84459bb3c8fe4471cbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9E2CD95D590940589D90E1494668B7CB.TMP

Filesize
1KB

MD5
cffd5634b7ec9fc53c76c84412afeb74

SHA1
8153fc498ad82b18ffa161fbbec63c808521d168

SHA256
a0deb12af8f638765ed11958e9e43270e94326da80841c33871bae1b24804dfc

SHA512
29bfebed17bcb2b8eb8f0bf5f85792351afc82aae7bee4c15d80f2c35961792a2c3d0b981811854fcc33e01151972a0e733b0649638ce39957b186e4aea1ee08

Download Submit
memory/2900-23-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/3056-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download
memory/3056-7-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-24-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing