c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a

General

Target

c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe
Size

12KB
MD5

095954cfd117ed5067a0abdcd070a4cc
SHA1

c1443a42b640e4269f6d10f1c9e54128823482e0
SHA256

c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a
SHA512

c06800b9b67d1c1ddb3393dcb8602725380399449c897a7d1d5cb494959ef668a106d5efc86819afcfd15ea60841c8ea7a389193bc15019595f154fdf8def55c
SSDEEP

384:jL7li/2zUq2DcEQvdhcJKLTp/NK9xaUP:ngM/Q9cUP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	tmp27DC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	tmp27DC.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2340	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	28
PID 1444 wrote to memory of 2340	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	28
PID 1444 wrote to memory of 2340	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	28
PID 1444 wrote to memory of 2340	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	28
PID 2340 wrote to memory of 3032	2340	vbc.exe	30
PID 2340 wrote to memory of 3032	2340	vbc.exe	30
PID 2340 wrote to memory of 3032	2340	vbc.exe	30
PID 2340 wrote to memory of 3032	2340	vbc.exe	30
PID 1444 wrote to memory of 2640	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	31
PID 1444 wrote to memory of 2640	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	31
PID 1444 wrote to memory of 2640	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	31
PID 1444 wrote to memory of 2640	1444	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	31

C:\Users\Admin\AppData\Local\Temp\c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe
"C:\Users\Admin\AppData\Local\Temp\c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1dvbl00b\1dvbl00b.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A5B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE0A323DD74648B9B96D498BC4F25241.TMP"
    3⤵
    PID:3032
- C:\Users\Admin\AppData\Local\Temp\tmp27DC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp27DC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1dvbl00b\1dvbl00b.0.vb

Filesize
2KB

MD5
ed4906460bbe3354ae29525015656e7f

SHA1
d156de9915dcb8092de278d4191855b578404bc9

SHA256
3d8bbecaa07400966ec7f7a41e89d461194f8d0dc8f39ef84f71884fbdcab6d8

SHA512
ecccde337f69d833ad62a1c119f7ce05a7b59807ce33bb65ee16530a2aeb53806b45d89b73178292e9fbef42c3af2f0f965a9e0d12133c1bb4bcd79cebc94ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dvbl00b\1dvbl00b.cmdline

Filesize
273B

MD5
90fd3080c7ba1a2eab6f54270d8814e5

SHA1
ac26c5400fc0bb75bbf2472e9a9e1f38981655c3

SHA256
299a95d80bb9ad505a75697ea90d1e8bb0729b527d1289b52384838b33c560fb

SHA512
d47d569a85fe6eb0f457250d4d8300357b14321b39368becfe79dc52f334fa8ece40c984483ea2b73fe01cabf9c90d17abb2628b9110c13de13ab7fedc245102

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6b7975128083d06aba9e5e4be43fc620

SHA1
75e025fd46c9d8f6ca7b5cd3107a6e9cd66c384c

SHA256
3f2c67ceff997342786cda2ee0b9d91b2bc26d3381d696d9036d786525cca3b8

SHA512
f6c78efb5bac51ed4bd5e421901744dd3de63031360f23d9c02406911ddf8ff9f971d0590ca0edb6e48d680f8050d9543041a32e4d218edc6b27da23d3308838

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A5B.tmp

Filesize
1KB

MD5
b49accfce784f84e5ab51f1b2ba4a252

SHA1
00a04df076cfd9d166a7f785637fbb61311e4aae

SHA256
0414750cafb15919bf91bf9d4867b22c0ca288ff66c8f5c3cf21308cce229103

SHA512
d427ce471d355cbaa284c8bd960f5f60ea06c6d3b0951c0cd44548d8c2b7d691087b7a3c568d734e152a78710cc776717d836267b9d57e62aca83ca39e2f8b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27DC.tmp.exe

Filesize
12KB

MD5
4675a46ed51ac4ff6f64db2ad88d1082

SHA1
36d4824bbe05a1816c0b5c842495c147765068dc

SHA256
33a8e5da58028cfcb8c4cb2acae13cac2595805080411ebbca83e0d520fc3e5a

SHA512
2d1b9d19834fb6eb8cdf72b9224576f3c03e72ff423cc2f5cf22c1faaea3f5cafe9027b7925865c7fc03835abec5203aea309ad7c12566c8ba344c6279c3cf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE0A323DD74648B9B96D498BC4F25241.TMP

Filesize
1KB

MD5
cdba1a66d55b620fdabdc53ef04a9e96

SHA1
05c259e16e07feec00951865e32e5080161009a9

SHA256
1b0dfcad51db8bfea0a556924861f0fe6e3b9fc9c0338665e1b5890bf3ae356b

SHA512
d15d560e7bb0b7cbb7c2c0e45ece4b77a29796f35adfbcfddf915fca85ed62f9b6d37b37e79f84d3375a2d7e0ea659c36d81f05893076963435b4a0a41b42e42

Download Submit
memory/1444-0-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/1444-1-0x00000000010F0000-0x00000000010FA000-memory.dmp

Filesize
40KB

Download
memory/1444-7-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1444-24-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2640-23-0x0000000001130000-0x000000000113A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing