d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642

General

Target

d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe
Size

12KB
MD5

a05fe512d7dd4a78269ac0794579d268
SHA1

88fc4d464c5260f01ecaa8ab2f52b63d008fd806
SHA256

d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642
SHA512

c3c1f40dad28e734dc114668d190a8a75c6c25969a3975edff13d872643813c5bff05f0aaef05599828a592c4a2c4bb7396e0e02fe5f13f6c53440edbf09f99a
SSDEEP

384:jL7li/2zwq2DcEQvdhcJKLTp/NK9xad+:nMM/Q9cd+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2648	tmp1A84.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	tmp1A84.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2968	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe	28
PID 1108 wrote to memory of 2968	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe	28
PID 1108 wrote to memory of 2968	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe	28
PID 1108 wrote to memory of 2968	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe	28
PID 2968 wrote to memory of 2144	2968	vbc.exe	30
PID 2968 wrote to memory of 2144	2968	vbc.exe	30
PID 2968 wrote to memory of 2144	2968	vbc.exe	30
PID 2968 wrote to memory of 2144	2968	vbc.exe	30
PID 1108 wrote to memory of 2648	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe	31
PID 1108 wrote to memory of 2648	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe	31
PID 1108 wrote to memory of 2648	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe	31
PID 1108 wrote to memory of 2648	1108	d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe	31

C:\Users\Admin\AppData\Local\Temp\d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe
"C:\Users\Admin\AppData\Local\Temp\d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b1omi1fy\b1omi1fy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED7C1D4BDFF04A688CAE18B2D39BBEE.TMP"
    3⤵
    PID:2144
- C:\Users\Admin\AppData\Local\Temp\tmp1A84.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1A84.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d2e2e8fcae28c5b314e1866fd16818a3dae0dc52fa2728187697e14293937642.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5dfc37b205a298c58e349237ed211292

SHA1
b5308c4e4869ff842b53cff9d61ec88f7c9d7528

SHA256
74464c8426101e00003b30fe1117df951e90d389621a7ec24318d7281ebcecc9

SHA512
e81cd50f3ce7b85be7bcfc55ede0225b3ddd038cff65948cc1b37ac292861bbc0b3b874f0396aa4326396978b371a3d511fb21f68f016f727dd0858632328690

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E4A.tmp

Filesize
1KB

MD5
74064491358ac80b661d6048cee5e661

SHA1
e0de356c3558c0169d29f9df6224c3aa903195d1

SHA256
f9e8393149360adda343f470562b58dec213e43ff6ba286fcacc6631d85a4320

SHA512
7d3afd19563b9a756343b1ffc7b90fa451c43530f9a3796d23be0400912bc904e40d46aa0157a15d777d8064b43ae369ec59629d09f1f6b4a80c8b240369b49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1omi1fy\b1omi1fy.0.vb

Filesize
2KB

MD5
96c1b0b9b6854affd216226bffd06aae

SHA1
dbce2f2c19ca1855e112d2832ff2e364fc8522b2

SHA256
026ad014b1c9fd58b8ea579269a1c4c40d56b8280fec382eb43f105d4fea6af7

SHA512
5ebc3ae93f6b201738c21c9d895fdcae634567cca1b3d81f4d32bdc839acaa9bfab14684ba468050a48fa8ba6fbbcaf8cd65cf6481ad499b502de369cff0d259

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1omi1fy\b1omi1fy.cmdline

Filesize
273B

MD5
84d2e1f855fbe4eefc41098922165b59

SHA1
be3947cfc0128095138cc7a51bba82ce8bb71465

SHA256
3dbf3a0e71cb97ac3ca5d0ca4d3e96c76516b0a7d46981c2882730cbe50dc734

SHA512
eedc944a5db177a9e624fe00a68b6fae8ee655b3454acc830dab1d29cbb3c0b235171f8aa73f2caaf36cdecb1e677370200cc43757ddaf9a7a2dff1e3d7b8a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A84.tmp.exe

Filesize
12KB

MD5
9824aed5280be55887aed897ad4134c4

SHA1
9730929e443465102695cc3f380d652cf194f821

SHA256
2532cde0773e41d9cc18fa0122d5c530030e80735de1299cdf730baa941e62b8

SHA512
b24b5943a1a73bdd22abeb52760de53ebc02fb08551a199add3828af408d7a2040e6cccbc39915e511fea0c2df82f5bd5b5041d81086bf2f820c32633266b68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED7C1D4BDFF04A688CAE18B2D39BBEE.TMP

Filesize
1KB

MD5
f526ea00335c9cd370d6bc5d4e6e9944

SHA1
0d0758abb7f0cccf543f60cd49c6e68355def11a

SHA256
fe6cf65d78b58ee781e4897137aca45092da3b36bd4d1fb8657a1cb62ef2d479

SHA512
37b525a34b4f35a831a08f03cf717ef96f6fb72b2f8438fc034842b30979659199680e4d45a322bf93a7ae15daf31fd21635436f6c8565682f94b631b13842d2

Download Submit
memory/1108-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/1108-1-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1108-7-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/1108-24-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-23-0x0000000001300000-0x000000000130A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing