d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912

General

Target

d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe
Size

12KB
MD5

b8b66f027fe151bb2fafa2d1b5d35b28
SHA1

9eaaafb01b66f61258fe60bd17014da6f68df2e9
SHA256

d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912
SHA512

f6698e5192add624018b2a842e5a90d5e15f92d8c2659963622a97d79227e9f048f46fe1d681b47018eba6ea10cd763dc3812d10a895a345cc4352766a5b111a
SSDEEP

384:BL7li/2zMq2DcEQvdQcJKLTp/NK9xalW:hIMCQ9clW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	tmp1DFD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	tmp1DFD.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1380	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe	28
PID 1088 wrote to memory of 1380	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe	28
PID 1088 wrote to memory of 1380	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe	28
PID 1088 wrote to memory of 1380	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe	28
PID 1380 wrote to memory of 2660	1380	vbc.exe	30
PID 1380 wrote to memory of 2660	1380	vbc.exe	30
PID 1380 wrote to memory of 2660	1380	vbc.exe	30
PID 1380 wrote to memory of 2660	1380	vbc.exe	30
PID 1088 wrote to memory of 2716	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe	31
PID 1088 wrote to memory of 2716	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe	31
PID 1088 wrote to memory of 2716	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe	31
PID 1088 wrote to memory of 2716	1088	d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe	31

C:\Users\Admin\AppData\Local\Temp\d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe
"C:\Users\Admin\AppData\Local\Temp\d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mxeqwxev\mxeqwxev.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA66A716A4A3A41B0B6B827342AF0D5B6.TMP"
    3⤵
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\tmp1DFD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1DFD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d52e76d6c0432370cfc989a8f291959de725148dcc63e03c174768f138241912.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
8b6f431796d43893555c05eac89bb566

SHA1
cedd4313b54accc8c99be2086e092f72e79dade3

SHA256
ff18bf3e73e459c33cab6cede7f5a472fb1268e7a0aabf66f9ff5a0e310fd3a3

SHA512
f734affbf6f8d2a186ae1d9a33246ae85ef518a175d2c71db64fa8666efb16166b6a4d2aac2165b1b60496b831bc304f9653c5c231cc9e167a70cebec3cbc9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F92.tmp

Filesize
1KB

MD5
5a0a2f59e6215a8707fafcb934b3b721

SHA1
8b0eee60180c40160b90a2432758ab355722c59c

SHA256
2f915afbce2a03d3e222298156ebcbc7a45e76693dc2a4c2d83315833d3c9ba3

SHA512
f85005b006ff7a7f254a5bf6ac8c82b945b2195bb2836b3b1497ecca93590eaa12aa908a98b91e28bb5b524c6eacf38b6e4e10a4883cc6f7f0aba9ee73a589cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxeqwxev\mxeqwxev.0.vb

Filesize
2KB

MD5
b999b85db526c0bbd7302cfc3f685d9a

SHA1
91587b1c2c55b89bcc92bb601b87db9892987d8d

SHA256
b9636c7e8279e1559e6fbf9553ab4e42bba9c4350d858aa5c13596ca246c4b05

SHA512
20d7c80a003c9e457b1d759761ad3e5dd782681c30b061543cb7c8aac839d2ae40e8ac6473fa687e3d92800467152d964e96cb50f472a12016e1fb7a88056aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxeqwxev\mxeqwxev.cmdline

Filesize
273B

MD5
12e6404264d98d716121780e3d349a20

SHA1
9088c56f365dbe5345b535da98b37bfeeccd7366

SHA256
617b9e5765d044c81aa142a44d7fd12c7d44ab631fab1a704dd1fd854d063f5a

SHA512
e7739b7eaf16e45a72f240a8ca7dce2df66c788c1d19e50867545b7d46ccb10362ae256a42d52c98777ad81dc465a32124241c6cb2c9306d0e375a7263415c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DFD.tmp.exe

Filesize
12KB

MD5
fb1b9cb586fb10c700eb768a996f9220

SHA1
94deca9c02667001a44701b002222b45ccbf94e0

SHA256
c60d60e2dc2cdbaca21ac23b73729610549a0b904f041715eea6a79731978014

SHA512
4d3eddef74e3568d2248f39399d760b4e9dd62853435484ebc14907ee19f00f36bd5789e6bf555003e05f6273f778a76ac8e6452ab0fbfa000bbe4ef36c1020c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA66A716A4A3A41B0B6B827342AF0D5B6.TMP

Filesize
1KB

MD5
107cdc66b9e4006267b1d4417fe22279

SHA1
5158940f9d0ddc57f0982de9bcbc9e96053e01ee

SHA256
5a2d36ff819cdeb7ec086926b23a6c81fd9d903561fe8560e0eca62e44f39d3d

SHA512
1167c3e2fa89d98141372e994522aa03897135893ca57bdd9308b397de1ca032f40f9526ed48e58ea2275cba03259b18dd7e1f96c40fd2604b507a9946d95a6a

Download Submit
memory/1088-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/1088-1-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/1088-7-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-24-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-23-0x00000000011D0000-0x00000000011DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing