da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8

General

Target

da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe
Size

12KB
MD5

9b0136f1799a7640067ba0796758fcf8
SHA1

cb4086bffb022966adfb7e84ffa6e309eebfcedd
SHA256

da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8
SHA512

d8d431eaba7c9c4d805a2305865eaaec1ad7ad699a4927937c3dc9cba5a00a0dc4179078f02f0fa469c8eacc648dec55f957fa83706887e2965126eef24c4655
SSDEEP

384:0L7li/2zqq2DcEQvdhcJKLTp/NK9xa1l:iyM/Q9c1l

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	tmp2000.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	tmp2000.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2924	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe	29
PID 2140 wrote to memory of 2924	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe	29
PID 2140 wrote to memory of 2924	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe	29
PID 2140 wrote to memory of 2924	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe	29
PID 2924 wrote to memory of 2996	2924	vbc.exe	31
PID 2924 wrote to memory of 2996	2924	vbc.exe	31
PID 2924 wrote to memory of 2996	2924	vbc.exe	31
PID 2924 wrote to memory of 2996	2924	vbc.exe	31
PID 2140 wrote to memory of 2664	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe	32
PID 2140 wrote to memory of 2664	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe	32
PID 2140 wrote to memory of 2664	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe	32
PID 2140 wrote to memory of 2664	2140	da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe	32

C:\Users\Admin\AppData\Local\Temp\da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe
"C:\Users\Admin\AppData\Local\Temp\da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bhxo33xk\bhxo33xk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5B461CC6A2D4790A4EC5ED5D728E5ED.TMP"
    3⤵
    PID:2996
- C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe" C:\Users\Admin\AppData\Local\Temp\da8e6b59629bd9be040e80f4cebdf7a2c729362d7e116f4a757b7b752ebbc5a8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ac8b851ef8b0ec7664bd387faea83373

SHA1
38fdd49b7cc1afe9429ff078ffbd38feadf16063

SHA256
2e2fc845a35b69e0166a155f885c30a98fe21b05d3d543b2fb1a3ba7830d4a9e

SHA512
4c7eb282db3c387e1001ba542d4c38c92bb9260470db8497126e62e24b39c0c362feba7865ff64494e093391b8e0528d14ac93b021e60910508d591032ec7623

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20E9.tmp

Filesize
1KB

MD5
9cf81c7c94853fc53ab8ad3d81b47436

SHA1
f148d1841b907868d08f03696bc6bcd507943725

SHA256
3e54d4fc54b8bdcdb56f09ffbf8666f83ff28794f98cd5bc989e8043c1f3f1af

SHA512
766a3ec68f81e860ceba09ce8c323c7255f03bba753e4753531c1007358668944899104309854c37ac8f90a37f4b15c8fe97c19ae17bb1d366477bdcd8ecd5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhxo33xk\bhxo33xk.0.vb

Filesize
2KB

MD5
a5442b9c08165666a1cf8ee3790ad0a2

SHA1
c33cfa1b97e6f0f21455882f73ecb38d9318a246

SHA256
dfa24b613b574698345085cbc65a0651268fb625cadeedc26cabff59da5f21b1

SHA512
5a092ac08c212a8dd46a8ec7ff03ee855f80c1522595d0c5aa4a69f0b8b1d20059eaf578dc09ee7157bc5f604aec0b557d4fad8d5e14fbc9f8af10952fe3873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhxo33xk\bhxo33xk.cmdline

Filesize
273B

MD5
2a2e2629e0c1d4ba107fa087481aff08

SHA1
da141b6440f575dd2d8a1f67492d233fe3f931f7

SHA256
30cbc0f1108a23229f388f7b08b694a76ba7549695dc5a98b89932c0bca1ade3

SHA512
3491076b64460dbae4d56dd24661235d68196ef5c586309355573db794a0bdc2eee788438e4c9730c129be8972f21972c56861f40e55c7e58cc5e3c213cd751c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe

Filesize
12KB

MD5
9d69e1e5d6d360c152e471717a120a6a

SHA1
4faf222a3f24815d09605873af3c68067a17697b

SHA256
2bc47f3a77dffef39aefd17e0580d17a1496a70b9b84ed9714317cf60c93a3b3

SHA512
973fee431b25d5691c090b2f37da4fb04dd2ce071268da4fb0414a557363442a9d3c816acb1b8ffb6cf81dcf888772acdbc40f0c545ada2ba0409c399402ffdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF5B461CC6A2D4790A4EC5ED5D728E5ED.TMP

Filesize
1KB

MD5
8af80e4e6f47a59ed64371a04f6ff785

SHA1
50f014720497597ff960163bf64effa07668ad05

SHA256
7f445ae555fd697bcc312927d9c9f9daf0ce404e395ea94e5611fcd8180c7b88

SHA512
4ce523ce66cb6a64e0c3c6b048a7e30588abae1128eed8475bb3e5c14fe191b0deb08a9fb70c79b4b72f77a243529549c76ee317b6f4877115187d0dc1f60304

Download Submit
memory/2140-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2140-1-0x0000000001030000-0x000000000103A000-memory.dmp

Filesize
40KB

Download
memory/2140-7-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-24-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-23-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing