0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c

General

Target

0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe
Size

12KB
MD5

919f0e3ff71c2430e4b68db688a7b14b
SHA1

8cacbce2efb05425ee92b2d181915846f90da68d
SHA256

0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c
SHA512

bcaf650a1e8887437dd264ba6bd65081b3571a099920761b11166cedeab3be93c0cea04186adcf671b7e314399a72110c1bdb583c8c1c2b5021c8882333d657e
SSDEEP

384:1L7li/2zQq2DcEQvdQcJKLTp/NK9xaqq:VkMCQ9cqq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	tmp200F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	tmp200F.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3052	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe	28
PID 2176 wrote to memory of 3052	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe	28
PID 2176 wrote to memory of 3052	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe	28
PID 2176 wrote to memory of 3052	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe	28
PID 3052 wrote to memory of 2076	3052	vbc.exe	30
PID 3052 wrote to memory of 2076	3052	vbc.exe	30
PID 3052 wrote to memory of 2076	3052	vbc.exe	30
PID 3052 wrote to memory of 2076	3052	vbc.exe	30
PID 2176 wrote to memory of 2776	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe	31
PID 2176 wrote to memory of 2776	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe	31
PID 2176 wrote to memory of 2776	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe	31
PID 2176 wrote to memory of 2776	2176	0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe	31

C:\Users\Admin\AppData\Local\Temp\0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe
"C:\Users\Admin\AppData\Local\Temp\0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yljjhoj0\yljjhoj0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB31CDEAF91144AE79CC181E1DAFBCADF.TMP"
    3⤵
    PID:2076
- C:\Users\Admin\AppData\Local\Temp\tmp200F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp200F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0790c33b61106951e47322d6ab67edc45c40bd2155595533abe4bc81a4b5014c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f753faeeeb355bca91276c02c79709ec

SHA1
cfcca7f05cf1bbfa046291bc7df9ac1cd62d254e

SHA256
fd13d9fcaa027c08045f290e28eb9bae28b90ce14b1a106a890e6fb3c9273a0e

SHA512
54cbec27d2009e003b788ab32f3afeb38554ae9d135404a1e6096bf2ac7063b04350e3fb72d7af0d153bb3eb9d7eb451d94e512cdf7e181e424570d5da351cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES21F2.tmp

Filesize
1KB

MD5
98a71483be9ecc01a3200ca45e2bd6cc

SHA1
c1470360611fca71f84d25a4efdfe244602c3e33

SHA256
8fffa4c2c1b7ec746f1b3c8b68087d6be7c658b2dc31a0741ff4247214634f38

SHA512
ada0a6c9f2d99063ec347251aebd32ffb98362d487ee6afcd65d30cfe31480d5bd6bad525a849e5d8ca74da7a59f87b8ea9f16de7cd37382c43126e823c4bdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp200F.tmp.exe

Filesize
12KB

MD5
7f2f5e90e98857d5b68d2d6d1a9c1a58

SHA1
09686882cbebe5c4ce159452dcf63fb3c88034bd

SHA256
293b3de7878397c48de0298f5ea5879eaeb6a0197aca0e057612ff2131123e11

SHA512
82fc875c58fb23418cca0326ec7289750a22c6b44d46ef4c0b3cc0c60c5ba8d4c3c168a5e575e8ee69e96779c5bc332dec25bcbcfc4722b56b49531bfe8194e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB31CDEAF91144AE79CC181E1DAFBCADF.TMP

Filesize
1KB

MD5
df48bb5fec8ac129fa7bf62600780e5c

SHA1
f093e29eea22fd58b7856d0a0fe3a02c1344d0ac

SHA256
50cbf69264b0a9aabe685a53e94424cd08050068826e1dcb9704eac97c55ff65

SHA512
641b914675f0bfa3af179e67d33d2a87525a19977cdbf66de8f260cd695750d5cb00bb90d97d3d43f32684e5aa1dbde898407dcb429436e73aeb3051e6797e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\yljjhoj0\yljjhoj0.0.vb

Filesize
2KB

MD5
89705a7e71e243887431b1151862bd47

SHA1
b0f008b90a99ba3eefe09f0a1f8650d7f7edad9d

SHA256
c2d579d44085a1f3b726a136e58749008f3a0d02848852fd9ac088bf4f78bfd5

SHA512
7c229a42b2cec8db5438119edc332d800edd740fdd7f69ab88b6da538dc0b7012cf77aad36ab0c74e6c91ee15736f79edf8c69b31d576cea0519c6d4ec453c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\yljjhoj0\yljjhoj0.cmdline

Filesize
273B

MD5
0a14e75ec765dc5eb5dbf8b6a91736bc

SHA1
1dbeb51d5464f1c3523ca26c38a93a84bd5b9e41

SHA256
0ce8a5df4492771205ca2a314d505dcbe12c9ab2f7aea85df530ccd14a140eed

SHA512
d35df8e87ab43c40fa6c140deeb7abc4b93c5774f34318efac031ed6047d76a477f6b4c647536e47a5f7a0af0574c68b57d380be498edaa5075d3a323d39b1ab

Download Submit
memory/2176-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2176-7-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2176-23-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2776-24-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing