4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43

General

Target

4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
Size

12KB
MD5

cc36e5481ade2f8aff59cc64e1712bb5
SHA1

248e59954c144e31e22b6127890a04710a134718
SHA256

4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43
SHA512

c9ee4281d1ea247fd53a3736f57a331abc894d6a9b2ef03464968a8c6950146a36dab3a87bfc32848bede3f7e81dc7bd4415c54cefdb506eb998a39f42536145
SSDEEP

384:hL7li/2zAq2DcEQvdQcJKLTp/NK9xaMi:BMMCQ9cMi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	tmp1131.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	tmp1131.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1708	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	28
PID 1612 wrote to memory of 1708	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	28
PID 1612 wrote to memory of 1708	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	28
PID 1612 wrote to memory of 1708	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	28
PID 1708 wrote to memory of 2656	1708	vbc.exe	30
PID 1708 wrote to memory of 2656	1708	vbc.exe	30
PID 1708 wrote to memory of 2656	1708	vbc.exe	30
PID 1708 wrote to memory of 2656	1708	vbc.exe	30
PID 1612 wrote to memory of 2716	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	31
PID 1612 wrote to memory of 2716	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	31
PID 1612 wrote to memory of 2716	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	31
PID 1612 wrote to memory of 2716	1612	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	31

C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
"C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\54yqlaai\54yqlaai.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1249.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F28A3BF3886438CB6FD7F406214ECB9.TMP"
    3⤵
    PID:2656
- C:\Users\Admin\AppData\Local\Temp\tmp1131.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1131.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54yqlaai\54yqlaai.0.vb

Filesize
2KB

MD5
d51e021667c66e987040423d1a323eaa

SHA1
2e593d3a95589c71193a6c13de3d04011599843c

SHA256
a32014e2ee3b74090d370e29ff2a27285ca6e029120f1342d2103e7a58fe3eb4

SHA512
da888478ac388593d6d5c0fa6af90f37383cd60409465d8caed3c5700847c9b740f1458f13b2d249b609628be4e74c299237f8b7c5bd474569f08805a07ba393

Download Submit
C:\Users\Admin\AppData\Local\Temp\54yqlaai\54yqlaai.cmdline

Filesize
273B

MD5
6c268f6bebe2afcd98979fc981a87e1f

SHA1
92b75d430815f26d427e3a1f47b8b455166a8f31

SHA256
89bd2cd1d58f99e257244252c3ba01a6cfae29025aad4092a577badf9c8e01fd

SHA512
3aff0051d773e2cdc23662ad43ff8f7c87d9daf399bab40821a997939c3ca2aa1d1d4af138330d816db95a65bd000c12b57d41ae2c95c35e6645136eb303eac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f27d1542bb431d61eea6e879c70412e9

SHA1
7a5c90bdf70af80cba2045dc69b5cc3f1383342b

SHA256
ab72fd8e748d7695ce30527b1b441d822453bf71b668ecc757814eaa6698d10d

SHA512
7145f95853e96d588b8479344a4b2ce1546fa4b11647efdaf7c6d12a71d1b494425ec23e904db5eed25ff6055ec89107dd7eeab1406e0fd1c172c5c35d68a7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1249.tmp

Filesize
1KB

MD5
be3b76a91e5f97f4b6edc03bc4054c1d

SHA1
657393e654ee0858e836bddc4f5fde0095e01f79

SHA256
9c6a08e65378e505b69cd4404dbd4c7011576fe7c328317fc9b68562d0cc2085

SHA512
125056a5faa61fa732c5094d919aeb57afa541dfd86b790ce00c6aab3f9413bb9cf2c1cd8947a693f6a072292252307ac95478c2d4277054dfc507cc17a74617

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1131.tmp.exe

Filesize
12KB

MD5
4f3ffd6935c5b1b1d5900c840871856f

SHA1
83d708f28814d6207b27a0c0e7ab2c63eb7345eb

SHA256
31c781ef4b45514a254488d47895c315b40cf380de5b25478aa5d69ecaff3e4c

SHA512
e12fa99c4317a17f7a10f1f127fefc7b64736011df1b8421501cc200a27b516baf10ce747acb936af31171230e6189adfcb602355eb1cd09c46b8079fa07ff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2F28A3BF3886438CB6FD7F406214ECB9.TMP

Filesize
1KB

MD5
aefd287c0630750d141bd8836436182d

SHA1
991156604154994dfdc95e7cfff34231b4e30e78

SHA256
1477b5dd4b0b760ade1f9398e47a1d789ece91b57dead111451bf4892a5329c1

SHA512
29682a61af0d61ce1bd2fe5340010c2fedb0d0a53cec7e107ff350608adf385a3593707411b6bf88d1c56d90508bc61d8405aaf29c68c8d674e36e10561a752c

Download Submit
memory/1612-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/1612-1-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/1612-7-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-24-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-23-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing