156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6

General

Target

156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe
Size

12KB
MD5

0f7455444721bf52547e4070f54b8445
SHA1

d7b7612e820d2c48b86bcc3527c2928357bf881e
SHA256

156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6
SHA512

da3283394e6eaeda375ca271f5b3b81822055e6bf2aa4737d87489f0af07efd368b33962b383e8134d3581ef868b9aa944a6d4e26a46a7609314c219f86ef366
SSDEEP

384:6L7li/2zfq2DcEQvdhcJKLTp/NK9xaW2r:krM/Q9c1r

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2572	tmp1CE4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	tmp1CE4.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3020	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	28
PID 2144 wrote to memory of 3020	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	28
PID 2144 wrote to memory of 3020	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	28
PID 2144 wrote to memory of 3020	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	28
PID 3020 wrote to memory of 2564	3020	vbc.exe	30
PID 3020 wrote to memory of 2564	3020	vbc.exe	30
PID 3020 wrote to memory of 2564	3020	vbc.exe	30
PID 3020 wrote to memory of 2564	3020	vbc.exe	30
PID 2144 wrote to memory of 2572	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	31
PID 2144 wrote to memory of 2572	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	31
PID 2144 wrote to memory of 2572	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	31
PID 2144 wrote to memory of 2572	2144	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	31

C:\Users\Admin\AppData\Local\Temp\156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe
"C:\Users\Admin\AppData\Local\Temp\156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brfhzkd3\brfhzkd3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95D6FCAEB7E6495C9310AC90AD7952F.TMP"
    3⤵
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\tmp1CE4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1CE4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9e9cdbee36c64c74d4902a58a4aafbe6

SHA1
08a50e2077ee3cd8658a537e5afee8d9cdae75d7

SHA256
40373a534b91478adeb58481ddff312d5f1b72f0c5c9f35721b79afeaf012e1f

SHA512
55d84a5ef92bc0790fb6da475a2bab439df8619cd45443db814f6f261350e46a71ddf4f9cd3a7541057ef33c489776b57dd319bfd774a010d02e06840a30f9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DBE.tmp

Filesize
1KB

MD5
91c0d2ca2a5c9b7ab1103b91fbb335b5

SHA1
77519b4e57a0e4c236eb41c653bc1cdd62734183

SHA256
e1672f973512059be9a8ee75042b89da2f8cb00ea4c55260ae0a558a022ee94c

SHA512
2ded51d5e0134eaaae9a2a3f676135fe5e7b9db075a7b3a5ba0c75d2dd87694d56a913dde90d02c30e23f50638cbf3d8c92dd81dab63b5861d10352e244d9c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\brfhzkd3\brfhzkd3.0.vb

Filesize
2KB

MD5
91bd59587bf25271221af97fc25e3708

SHA1
cbc794aa79954727fb2fa57d46675064243e8f33

SHA256
7b9a7796d534c9afa5c76e422a565dc913673e4fe35f30341eadb1ecbcff07da

SHA512
55f963e0a5733aab94f5bec15d116c93593189d1c0540ff893ce46c136acd6c7e8db3972ac1a9539ced45ba67359ed67ccdeb33615479b7eda05bc73cbaa4159

Download Submit
C:\Users\Admin\AppData\Local\Temp\brfhzkd3\brfhzkd3.cmdline

Filesize
273B

MD5
e72e0b941b61fdc0c271a5ca35a090ab

SHA1
2c1b5aa3682ce52fd92d94e919acf2f624ca740f

SHA256
2da312cf871d7c4b1eb2844c637957a2b0522f0c8941159cda920db7f47929d6

SHA512
017cca32b2a347bc20d7374aa1157a448b1a31422ba33bff3353cf0e981d35a4be53d34ba8c564e42fd2d464193fc9d8886e42590d4a767fa28e684fdfeb8875

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CE4.tmp.exe

Filesize
12KB

MD5
e2d562082178d22ca064666ab00fe22c

SHA1
2cf6f71eb810e7eb00853239b6b0cbeed56250db

SHA256
de9dd161816a53633a54b1920b94a335c93a89bf712888aceab4fe06dcf29e4d

SHA512
765706e923cde9ed5ca005d576c5665e48d60ef93f4f530cde5b8eb2f5ed82c82eeb2ddb96773271754119c17344e39cd75db1dc300f05b5649b7d3ab89ef2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc95D6FCAEB7E6495C9310AC90AD7952F.TMP

Filesize
1KB

MD5
f7cb1bd4282c722421a575eb5eb0ccea

SHA1
95341126457aa61a3510a1261f920a310b781b22

SHA256
fe7443b8d71909145d723c18551a558ef3ff99017e78651b7bdb41aba2cd145e

SHA512
368ba332f4c2dfb6bddf7dc407a2fa94a0143cdd01e20016c3119ba084d5ebfb659db0d47160affacff8f6ae4cdfe06392ff18e88850eb76532aef65c53757fc

Download Submit
memory/2144-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/2144-1-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/2144-7-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-24-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-23-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing