e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab

General

Target

e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe
Size

12KB
MD5

84e2a24548d519d051a2e2fc84d8704f
SHA1

bbe1fd77b226c94f2c54c1049896587d25e95714
SHA256

e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab
SHA512

0d17d7221257599d720f973f8c892fdd0c40cb7c6de033ffa7c99e48939dc38f8d6d12c9a36825de2dfb70eb6b72d096d2a971f5e829c551169e1b70a4cfd8d4
SSDEEP

384:CL7li/2zWq2DcEQvdhcJKLTp/NK9xaPz:cWM/Q9cPz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	tmpC32.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	tmpC32.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2596	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe	28
PID 2196 wrote to memory of 2596	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe	28
PID 2196 wrote to memory of 2596	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe	28
PID 2196 wrote to memory of 2596	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe	28
PID 2596 wrote to memory of 2644	2596	vbc.exe	30
PID 2596 wrote to memory of 2644	2596	vbc.exe	30
PID 2596 wrote to memory of 2644	2596	vbc.exe	30
PID 2596 wrote to memory of 2644	2596	vbc.exe	30
PID 2196 wrote to memory of 2568	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe	31
PID 2196 wrote to memory of 2568	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe	31
PID 2196 wrote to memory of 2568	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe	31
PID 2196 wrote to memory of 2568	2196	e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe	31

C:\Users\Admin\AppData\Local\Temp\e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe
"C:\Users\Admin\AppData\Local\Temp\e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yn5ck4hy\yn5ck4hy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB45432255C304992BFDF394DEB8C55.TMP"
    3⤵
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\tmpC32.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC32.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e7abf2293d3f0b2d6b23bf7086cb2fabe93ea2ec748feaa3d73012d44eada8ab.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6b7975128083d06aba9e5e4be43fc620

SHA1
75e025fd46c9d8f6ca7b5cd3107a6e9cd66c384c

SHA256
3f2c67ceff997342786cda2ee0b9d91b2bc26d3381d696d9036d786525cca3b8

SHA512
f6c78efb5bac51ed4bd5e421901744dd3de63031360f23d9c02406911ddf8ff9f971d0590ca0edb6e48d680f8050d9543041a32e4d218edc6b27da23d3308838

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3A.tmp

Filesize
1KB

MD5
045701cdccb1d79309c7249a889b5ba4

SHA1
f8fece0dce04eb02fdb8a28ace077d8d71eef6f5

SHA256
66ec276adb8d17c4b69845d8d2cd9777f2546a412d66eeb6422d55bcb08b1134

SHA512
8508e4c89e1f6d1211d1090d2e181618bab9e6c1ef1c639af5df1f01474a88c3151c61075b7bd09e2b5c7d5102313d041246bb548381515226a50e860eb91c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC32.tmp.exe

Filesize
12KB

MD5
48645235b349ffbdcb80cb6b7395f388

SHA1
4d45f802648cd8e4ee8335350a247510b27064d1

SHA256
7267a5f48c1b55ecba8f863e45e8d4092113b3bd82545a3e9cb2cf58e0972c3a

SHA512
55273ed29f8e9facc5fee1639dda360def94914159a92213ca70fa4a8861bfe6d3fdaecabe45a72113e6db41ddc2fa2bc3c0da5ee0ebcf18f2d622573d44eae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB45432255C304992BFDF394DEB8C55.TMP

Filesize
1KB

MD5
ac4c4e9aa4411a6e97655c6ca396cfac

SHA1
52b4a0aa94f86a3a3fd1f1c1d55277746763f6b3

SHA256
39f7663a2485115953776261dd7ae0eb7fea9192139d6f98e3fb4ee2d0d21cc5

SHA512
de7ee5e6badec76befe6e543e62b609629946bf26e76706ab9e25b626dea6faeb1160905a84e1675b9f69e355648060205c83a500a670d12df5f68b1eac68d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yn5ck4hy\yn5ck4hy.0.vb

Filesize
2KB

MD5
ed4906460bbe3354ae29525015656e7f

SHA1
d156de9915dcb8092de278d4191855b578404bc9

SHA256
3d8bbecaa07400966ec7f7a41e89d461194f8d0dc8f39ef84f71884fbdcab6d8

SHA512
ecccde337f69d833ad62a1c119f7ce05a7b59807ce33bb65ee16530a2aeb53806b45d89b73178292e9fbef42c3af2f0f965a9e0d12133c1bb4bcd79cebc94ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yn5ck4hy\yn5ck4hy.cmdline

Filesize
272B

MD5
7598202007bb619e54b7be624305dd83

SHA1
4aebf27d4ddbabbb4e83b2a77554772a41c4ecef

SHA256
7bd4a3b38e6cf54a2600f6ae47379ed1ee1f5761daef73acd29dbe91f162bf01

SHA512
e78dc71e95d62fcb64bbd42bca7e575fbd804b21a15499206c9df36a100cc2b3009486f047ff0848b6ead0f4f12517546a1eee671b834bf6fb56fd398da1d88c

Download Submit
memory/2196-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/2196-7-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2196-24-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-23-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing