63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844

General

Target

63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe
Size

12KB
MD5

2ef567d192c69c37dafe905cf10e1357
SHA1

c16b170c3c2fda87ffde1f810f368f06d531240b
SHA256

63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844
SHA512

3859862d466716a4e43a498e9f92075b1447a5accec52707202a1a3e3839fdcfa211ec96617356eb4936e83931d4f38a70edf90e30f471b44aae9fa95cf75da1
SSDEEP

384:wL7li/2zWq2DcEQvdhcJKLTp/NK9xauc:ueM/Q9cuc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2520	tmp1CA6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2520	tmp1CA6.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2996	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	28
PID 2256 wrote to memory of 2996	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	28
PID 2256 wrote to memory of 2996	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	28
PID 2256 wrote to memory of 2996	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	28
PID 2996 wrote to memory of 2556	2996	vbc.exe	30
PID 2996 wrote to memory of 2556	2996	vbc.exe	30
PID 2996 wrote to memory of 2556	2996	vbc.exe	30
PID 2996 wrote to memory of 2556	2996	vbc.exe	30
PID 2256 wrote to memory of 2520	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	31
PID 2256 wrote to memory of 2520	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	31
PID 2256 wrote to memory of 2520	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	31
PID 2256 wrote to memory of 2520	2256	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	31

C:\Users\Admin\AppData\Local\Temp\63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe
"C:\Users\Admin\AppData\Local\Temp\63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zogt2tks\zogt2tks.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D8EC865A41044788AAEDEC722C87C65.TMP"
    3⤵
    PID:2556
- C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
507b7a3423d21c48cf075fe17e385256

SHA1
2fd8e4f388b1f2afe559e9bbb080e52abd946ac5

SHA256
efeccdd0122c3fc4cda7874a20c78e70135f35c476e3531ef746b01a7e722935

SHA512
23cf74478e267d2f975f6586468dc1492e10b51190ad80cb5fe7d7ee0836d77ed3f3a0b363fcd6679f3c829defd6bb6ced0fabbabd9145d55ff9b669efce85fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E5A.tmp

Filesize
1KB

MD5
7fa8aa867e97394b7c5223c9ae62897e

SHA1
8928e385ae8e4909c2ac76cc9425ad1853cb1025

SHA256
a50bdd742b8d19987ad926ab81ad43fd65034ce5db957cb2fb0b26da94210cd2

SHA512
ba00d0eab7bc97ab48c1144c9e1ef5f2a38fd6f7edefc7bf45081be6c2bbda84d4981469a910ef2b40c043885213a3d78e9ca5c3d6e9e1174ebe3caa8ed42f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe

Filesize
12KB

MD5
1c747079f46f9db676bb4b70f83bb171

SHA1
9168bd10a4fd027ae6982022344bbfe5d2d38a79

SHA256
6eef1fab95d428aa0be794a4cd001aba219939466d9d4ea53ddecf61a8fb40f0

SHA512
c887e4334f5f690a92fb1c2d5ca39de6a2e3e33251a682059e0f7461f03f923107e435b43e55e7282e87b5b54287413dc52f2eea3a2d76430f4452bef45d5330

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D8EC865A41044788AAEDEC722C87C65.TMP

Filesize
1KB

MD5
a6b9b06791b070fdf3da6223be70a469

SHA1
7270837960c1dd7a39c012bb9461782e6753c081

SHA256
f1e63b3d2587a4c3680a2c67ec7eaaba75dacac818547aa7a7518a53dbea754d

SHA512
722f96a34684bd75e8cea4bc696b703db9c176153bb2c48250ce648551f44ca1505a76e023b5b4f783c0d802dbba70916ca95b030694f9e0e035b97247ffe382

Download Submit
C:\Users\Admin\AppData\Local\Temp\zogt2tks\zogt2tks.0.vb

Filesize
2KB

MD5
0a0272f463e1edfa08a6cb20c2868c57

SHA1
0b6a78e086f65d05a59f203ffeae49b1f04eb870

SHA256
51b73e371321c2f70a871b54dd2e97be76cd7005427d9331cd9b43165c55a34f

SHA512
8520d68cdc5b54c913d45eb50a9d646837c435bdb4266b171f5b0bdc9a6da200d96522a01360532026cd00f8070b7d06d21a214d21ed698de73e27e6b4234ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zogt2tks\zogt2tks.cmdline

Filesize
273B

MD5
99c5aec38288fc99663e519d3a714194

SHA1
20189ccac6f4bd8b39ac12f37983a0ff3f5163e3

SHA256
ea145640e94bc75a9196a10b0c572fff439c30f005154e4e06412be18d9813cd

SHA512
f9060c2d94b9acad1220329a9e4a1e1b8bc02fe85b3552878d119816b5f022228502f83b167389c5d3c21e60e4a6a2bd5b220719c4c989b76c3a387c64e8c161

Download Submit
memory/2256-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2256-1-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/2256-7-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-24-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2520-23-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing