74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a

General

Target

74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe
Size

12KB
MD5

6d17b1cabd907c24ae46bae2cf1e765a
SHA1

5f13ffa7f638de807194c7e1555c8daba30849a6
SHA256

74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a
SHA512

d97e7ef5cf79f031b1195bc76343069e93db1eb1ea0e5435999a694e9cd9bf357f877e57f6bc80b73fa4411e86610e633709cdce090ada451ce5f4550f677888
SSDEEP

384:FL7li/2zDq2DcEQvdQcJKLTp/NK9xaTZ:FXMCQ9cTZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2748	tmp259B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	tmp259B.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2052	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe	28
PID 2180 wrote to memory of 2052	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe	28
PID 2180 wrote to memory of 2052	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe	28
PID 2180 wrote to memory of 2052	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe	28
PID 2052 wrote to memory of 2136	2052	vbc.exe	30
PID 2052 wrote to memory of 2136	2052	vbc.exe	30
PID 2052 wrote to memory of 2136	2052	vbc.exe	30
PID 2052 wrote to memory of 2136	2052	vbc.exe	30
PID 2180 wrote to memory of 2748	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe	31
PID 2180 wrote to memory of 2748	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe	31
PID 2180 wrote to memory of 2748	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe	31
PID 2180 wrote to memory of 2748	2180	74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe	31

C:\Users\Admin\AppData\Local\Temp\74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe
"C:\Users\Admin\AppData\Local\Temp\74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c1tebu5s\c1tebu5s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2730.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87B4DD09424B49ACACF1AF398126D261.TMP"
    3⤵
    PID:2136
- C:\Users\Admin\AppData\Local\Temp\tmp259B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp259B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\74283de30f6de89b630b8f0230e3380b82c16dc143a2c93c2cf16aa6e1cf493a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0f70b8bedec2b2cf66f1595f6127a65a

SHA1
79b631f95d2c8578dee882b1ba70279424b6c74b

SHA256
886a60e684a0f2da10f0cb4e2103554c755755d65d7e3fa68c1cb9d96c0a6b60

SHA512
07d52cb41b3aa5d227c9c692a804ebae5be292b4137edb05ee6ffaa6c002c627a046c8a4ecf4a5df9c17f55c11c864b94f60b00e7ffffd49635329359fd20b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2730.tmp

Filesize
1KB

MD5
96ca344dfd3dd2a897da51e630dc4665

SHA1
16bf0cc28169588431b313eeb7691a0610559e67

SHA256
93b7169966706d2cc6adddbc020c7ce01b6810faa0e2f04e42543b2ad4a23174

SHA512
b6d09cda560ba019126dd4bb11d49b89beb95c0a149ce775f7a0cfd223098eaa7b94527c4013016c4cb293412d0890894298c0479b36dbae26b61a7f795caac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1tebu5s\c1tebu5s.0.vb

Filesize
2KB

MD5
b139963a27db4811c68a7a26b73c0e7e

SHA1
e0bcfb15e71abb3e243082fe8502c4f3ba24069f

SHA256
1dc3c90653a4beb73c27c58c0d84487eb6f4c92074e3043b4234607453582b4f

SHA512
0b19af71232df6985887d8cbc0507a16d0dad6f46c8350de4f568b552234a9fcdb84b5f26f4605e8f3290857097a9e5e60a8ccda830ef3ea5908d93a92718549

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1tebu5s\c1tebu5s.cmdline

Filesize
273B

MD5
7573c451af12fdd4857dd8ac692d1c88

SHA1
61a9f9d5978074a663a85d33011b99e59e587bdf

SHA256
c9dcf9bb9d67f12512a83f4c9c23b3f2441c6b7f30bd62006b40b6188838d2d7

SHA512
0e89dcdd982cc3476fdd618e695299840817fa413875d0874a2c1d82af221374d511a2dcf2c0a78843a9d7b37530873471717445d8dc1d9d2534d2ce47a1b325

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp259B.tmp.exe

Filesize
12KB

MD5
943cb5a749b3a7e8611022890a2f8c6a

SHA1
394a1ead861cf72c98c04b721e9602edf3621acb

SHA256
76f317e81dcabf6e3fb6000e8fda88ab97f6464feb7f76f22ce1f87b70d111bf

SHA512
f258b18deb5cbebe65fec9b50505c0c3a56406bbf78eebab4a491d1f3d7459f25ec8a58c97cb46ea36c5bd26de4e1e598fdb964f762f561e7fbafc4a8468c983

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc87B4DD09424B49ACACF1AF398126D261.TMP

Filesize
1KB

MD5
4c09f7233e56052d7e64ed7fd645ab20

SHA1
8b47e78079e8a62fe743b13c52e5de6fa8a9909d

SHA256
56e1496501f848df698fc2c6de31c6218e50f69a2c6d6a2d1e41ecbd940f539c

SHA512
c81eb8e3a27c4c9b70d6aa9a09c6cd5894fc41c7014564cb382b2f49fdc5dfefcb7c90d63e2eb46da85a0b0f9437d10f2a055d6f3f178aaa8990752b5b9b47bb

Download Submit
memory/2180-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x00000000012B0000-0x00000000012BA000-memory.dmp

Filesize
40KB

Download
memory/2180-7-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-23-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-24-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing