7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e

General

Target

7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe
Size

12KB
MD5

89556e58c72182d7e7390a94c5380550
SHA1

e22d6a1daf4cea4fac7c4c47ec623f2ff339af5d
SHA256

7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e
SHA512

7072a1f20e3d2b09c6e66a7837b27f3e6394552a86feef5c9f5df2ceff11ef7925e1f243dd343ed6fe39f7829e5acb8b4eb1fae30ce1dbc96d5a86a90f91d74e
SSDEEP

384:TL7li/2zX8q2DcEQvdhcJKLTp/NK9xa+S:3r8M/Q9c+S

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	tmpB57B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	tmpB57B.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1884	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	28
PID 2008 wrote to memory of 1884	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	28
PID 2008 wrote to memory of 1884	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	28
PID 2008 wrote to memory of 1884	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	28
PID 1884 wrote to memory of 2884	1884	vbc.exe	30
PID 1884 wrote to memory of 2884	1884	vbc.exe	30
PID 1884 wrote to memory of 2884	1884	vbc.exe	30
PID 1884 wrote to memory of 2884	1884	vbc.exe	30
PID 2008 wrote to memory of 2888	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	31
PID 2008 wrote to memory of 2888	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	31
PID 2008 wrote to memory of 2888	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	31
PID 2008 wrote to memory of 2888	2008	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	31

C:\Users\Admin\AppData\Local\Temp\7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe
"C:\Users\Admin\AppData\Local\Temp\7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2xg4dovj\2xg4dovj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1A8D340C424BF0A45353722E957741.TMP"
    3⤵
    PID:2884
- C:\Users\Admin\AppData\Local\Temp\tmpB57B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB57B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2xg4dovj\2xg4dovj.0.vb

Filesize
2KB

MD5
764b1132d4a84efaca99ba300b8d458c

SHA1
8dc0105492156e444497895e888d3701ee1e6474

SHA256
b0511343f51bdfd82c206877cd9b2041a1161b180b985aba5b83326c3050c60a

SHA512
f3b8e80bc70c7405564c41f0efa5a831f94ada7446defd40908a43b0ebc1b990db2e6669fa12f449bc766768eeccbc2b45c22684adf4ee003789200e41647a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2xg4dovj\2xg4dovj.cmdline

Filesize
273B

MD5
435d42dec45a50bae6be9e569229da08

SHA1
775affb6c8c4b6a6dcd6b5d5ec3b1df5c4dc08b5

SHA256
961b4ce78acf4ec4bfe6069d135a7a5b2dc3430102fb3fef1314ddb83fd43c44

SHA512
39476b222db5424d2322b9501d2be0e8429a245a8dd18b5b578292003e1ed48a683a8b0d2e45ccca22115308c33cb87e3fc220f8925800068d81a14decda7ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4ca1f6e1e9647f3562b6cb449b908833

SHA1
ea600b75999558a77cf44ff87a2edfd4951c5337

SHA256
2b7a4b6c527d495164c7f98e9c44146c66f68c254f38ef5ac3e16c8d328ac08d

SHA512
bd0065949750fcc863595e6daf02b52b52e8b292e638102592423753624b726c8b643a4f1bd6ff691e843e1580826af29314ad5005bf3d6e30ab2fe6d617f10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD95.tmp

Filesize
1KB

MD5
6d0f38ae04a7b3cb6425df30a6540f65

SHA1
960987725a5f3b0d9e9dcb4377be284e9ddea326

SHA256
c20a96ae4295c044236b6edcb3e1ef62222ea6cc1c0bd068e5145c65883059c7

SHA512
041062841e909f874f1e84f890fec8dfefdb15324e88cae0d9b06c864738d24af81a281504a86873ada17f9a59d21c9a33964e3f80a010db13c981439e53fb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB57B.tmp.exe

Filesize
12KB

MD5
4ebc3b4a80818d16bbc060aa256541f7

SHA1
3681ae44cd85c6477f6f7925b440489ef07615bf

SHA256
7bdaaf5d1ddaf62e6d297642ddbc052520f3f23c3d803553a687e20e12c87238

SHA512
b54d92be1acca5facb8dfd0997684c6cb105dc35abe31d96d5efa99446390d8d788953d0272a7c0f6be17f59176f34e078edd1293dc638f1d4f523e6db8e36f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB1A8D340C424BF0A45353722E957741.TMP

Filesize
1KB

MD5
c2e0b0b8d839e53bc5d737e89e9bbfb7

SHA1
5aa2c6bf3e3b618f7a1990730ca3bd0f46fdc21f

SHA256
3e74149cb81c5909566524f4d11f37dbde1e67df354ffbb8604f8c13f4340c02

SHA512
156f883d132d6d07c469e5dec0c13ba656e341efeda53c05c2967924b1813e43e0de1dcc837fb492b51ec946f21ef1a4e74f53c4cbb07c09a52ae74f665fc888

Download Submit
memory/2008-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/2008-1-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2008-6-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-24-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-23-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing