e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07

General

Target

e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe
Size

12KB
MD5

8a7c1e1475cad00573cf203438118820
SHA1

d67f8134e11d5e047be230004e3f25b6aa3c2315
SHA256

e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07
SHA512

c11802723730a9942c7e713ba678404c568f0f63e19adee312b37758388590f19732e4dbb68d239b30717dd7fb3ebc06a1ddea17b6d917e7a4ab584b4cf1221a
SSDEEP

384:+L7li/2z3q2DcEQvdQcJKLTp/NK9xaYy:oLMCQ9cYy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	tmp2BE2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	tmp2BE2.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2176	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	28
PID 2324 wrote to memory of 2176	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	28
PID 2324 wrote to memory of 2176	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	28
PID 2324 wrote to memory of 2176	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	28
PID 2176 wrote to memory of 2664	2176	vbc.exe	30
PID 2176 wrote to memory of 2664	2176	vbc.exe	30
PID 2176 wrote to memory of 2664	2176	vbc.exe	30
PID 2176 wrote to memory of 2664	2176	vbc.exe	30
PID 2324 wrote to memory of 2772	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	31
PID 2324 wrote to memory of 2772	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	31
PID 2324 wrote to memory of 2772	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	31
PID 2324 wrote to memory of 2772	2324	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	31

C:\Users\Admin\AppData\Local\Temp\e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe
"C:\Users\Admin\AppData\Local\Temp\e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omzrm2jz\omzrm2jz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7698AB9FEE89408D982FD08F57A87C3.TMP"
    3⤵
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\tmp2BE2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2BE2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4c7ed5e8d25b868e347aab0d14a73a71

SHA1
72acda4130483adaaeb370d0caea105f17bd46af

SHA256
f7ee904f6e2b94b2a6a54325f5adbf5d561c10a03b616988732ea3a54e53a057

SHA512
9fbcfce28ba1ae92ec64fb8d28cecc415580e534d8b878bdc8b8e3056ce64f2cf0201686b6479652b430c2828b3e7b24414a6fa13c0b39b40e7ecb962c7e330e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D86.tmp

Filesize
1KB

MD5
77e4c11b2b375bf19676dc10ebfea0b8

SHA1
0b819d7a43f537f8f8f1d424e4eb2bb01592bfd1

SHA256
06370ddb131b4f2340b102bd7e1b89aad648ba96f536fa33c1eb7f0ed7811653

SHA512
2b6ed0417e77c2415772310f013bfcf2c6fd0e7ab14a3d5a15d56a82a961a7b76e7abccab09cd90ba5de998596c9289c066da7b066e7b74c844cb4279c97cf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\omzrm2jz\omzrm2jz.0.vb

Filesize
2KB

MD5
d7ee0368948fd0890d7fc1f21504a52f

SHA1
16fba447337e802175b82c19195d9e3ff5134d5b

SHA256
7a70867a0bd7571759a569d459560ab453c564684959f5648d012422db6ebce7

SHA512
cd2e9bf5ba05d04d496b573a2af1c2dc28ac347d8d9839d3db9877cab365fa7074df2cd2717462df7346a14c6522c09a9617ff03dd8cd3dc7930dfe4e0c77b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\omzrm2jz\omzrm2jz.cmdline

Filesize
273B

MD5
f7691f75bf31ed4bec08d436baee2b11

SHA1
41e374cf91da1c396f80d1f36cf112cec0c5f2bf

SHA256
0868fc4bdb92ae0890b0ba170ebc40b5312d8d3a3e36b821653dd1bbc5e29448

SHA512
9f1e527f798156475b793ecde1743e85187c6367e3beb963af782cb06ead4d7f74a78e22e9fa06e5202b027aa3876c14922402cacdf6d24583fefc2e4f1e5a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BE2.tmp.exe

Filesize
12KB

MD5
cae4b8f25acd8bd836740f51b8ef1702

SHA1
99bf7489a375e0c0104388bd909647c29f43685c

SHA256
3d25174a61fdc2e6b2a68e1e707459c88f520c67b51335dac6e038ac6a95069d

SHA512
a1f583e77676ac6729ae7d17ae08b72fc5e45bf7ebd10fe0b7bdc26d65473f44cc6f7976a0400e0963e513abea936607da609ebdf6990d02ae59138424ffc7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7698AB9FEE89408D982FD08F57A87C3.TMP

Filesize
1KB

MD5
2120cd57051c4123ffcdaa153915572b

SHA1
8e97a52431d01a1b82acd4b92e5c31f568141bc5

SHA256
0e0235d811704079f1d3a2d8cef7276a54cbe36e62d4efb5ce1d48bdd2872f7f

SHA512
3a9b66105dfe20b6a154ae4469a2f1c48adfa462f0127233290c9482c5eed5582c773b428c38bfcdd5aaf9a9cb23f3a8b5a350e3a67ab95771ab75a4e99c5078

Download Submit
memory/2324-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2324-7-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/2324-23-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-24-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing