2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a

General

Target

2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe
Size

12KB
MD5

656b3d1ca72bf5fc3e1d51051240fc42
SHA1

c5010299b52fe066a6b7b844c84ececaae404315
SHA256

2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a
SHA512

d76dece5c175e75382083bb9896b3da22c6e4d26dfa9b0a5fdeafc66eaa022cb680eb3a91e57fddc87774e773f3e2f443a2ee9d9816a97d20e1ae26dfceff1d9
SSDEEP

384:iL7li/2zNq2DcEQvdhcJKLTp/NK9xauH:8dM/Q9cuH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2512	tmp1A93.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2512	tmp1A93.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2748	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	28
PID 2320 wrote to memory of 2748	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	28
PID 2320 wrote to memory of 2748	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	28
PID 2320 wrote to memory of 2748	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	28
PID 2748 wrote to memory of 2740	2748	vbc.exe	30
PID 2748 wrote to memory of 2740	2748	vbc.exe	30
PID 2748 wrote to memory of 2740	2748	vbc.exe	30
PID 2748 wrote to memory of 2740	2748	vbc.exe	30
PID 2320 wrote to memory of 2512	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	31
PID 2320 wrote to memory of 2512	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	31
PID 2320 wrote to memory of 2512	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	31
PID 2320 wrote to memory of 2512	2320	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	31

C:\Users\Admin\AppData\Local\Temp\2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe
"C:\Users\Admin\AppData\Local\Temp\2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\glfzcndc\glfzcndc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0C9535C1FC54E159047152287A01CA2.TMP"
    3⤵
    PID:2740
- C:\Users\Admin\AppData\Local\Temp\tmp1A93.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1A93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
238e2091276a02dff53e84245f0a4ed0

SHA1
cf118098aa0fcbdb7b77256fd77f057ea6bd3c69

SHA256
3c0b79e94e3e69359ae7e291889bc4a95e1c3fc67671720334aa1f6f4f7bf6f6

SHA512
bc9f073d411a1b1727ebd9dd497f2af104b4398b6a1281b293451077f6be03e9aa35e28ce10c5ba7313d4f0d42d2d09fed10aad009a1b8b425b739c400c17f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B8C.tmp

Filesize
1KB

MD5
a2dc83d8d20a6f5578ad8e97599a45a5

SHA1
63b71a6e8ca4b5a623884ac68c1a1c18d48a7ab5

SHA256
f72a8d59b322b6634acfbf7af4c30a92057942ecd38380fdee89c2bcd63b3edd

SHA512
420bc3c6c3cbbffce746ea6906182706bfdd3a66b9e240f33b9ad4fc130e5d2f74effabb29a25160481ce504a5f36e57ca4fa7d6ff097f880c0aa2af90f7059a

Download Submit
C:\Users\Admin\AppData\Local\Temp\glfzcndc\glfzcndc.0.vb

Filesize
2KB

MD5
f548c782385b422c0671f1785310ce12

SHA1
03d31b97e263206d41399254a85c78b2980331d1

SHA256
78a3ee5a0ca9e7d56143e6af53df89713f8879539a24a71239821d6b97a6a2c4

SHA512
7e4dde9fbc73d239af2d4d03c78aacfcf28a4140b5b74456b536f17af86057c9e6a5f66601d55051cbb2cf56c591126b32a9a912949229cd4f3f89542e2ced04

Download Submit
C:\Users\Admin\AppData\Local\Temp\glfzcndc\glfzcndc.cmdline

Filesize
273B

MD5
3e7c2f9b5971dfba8be7cf5f0d1872ed

SHA1
b7ff3d42eb66c79a33c41b48cfd842e5358c65b4

SHA256
cafeb5dadeea07e7a28d5ea0edbbfdc9a9dc686d05c42baa43eb811427471ec2

SHA512
1fd613b1b2914d950ec0246b8bd84bacb62d8e93ef4b039e7c0da7ee84408373791622bda8f1641ac6693489e3cbd251a0971c5a3db864f280664672f57bb1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA0C9535C1FC54E159047152287A01CA2.TMP

Filesize
1KB

MD5
e2da3e6f3d030c89f25bd3f5f838d864

SHA1
f9e43df6e998db9ccb138ca2314f70a98d7f0211

SHA256
fb421f71665b67318aa9d29fc539d2c057422e22001e1fe25f25444c3ef7cd99

SHA512
aa5c126eb3ebe1d0ceb987a01746b84a21dbdb8b24856a7431e2968a200b6d12506b5e91cb6d22166e47f32604d072465ecc39ff1950245499dcfe27455a67b6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1A93.tmp.exe

Filesize
12KB

MD5
a80975fbb6577caf8433cb7ebf8b6515

SHA1
f0f3a4085dc7d5be5f535559b988c09dff427321

SHA256
0b1b3bbf278c6a24cf145aa7ab994f4288b72615e5a85e127ff96d38a7d2bdc5

SHA512
20f4746380d04af7361a56d6d5fb94b1d820568b5ec924b603bc39947471445c047cafdf7b7b2459b2ca82fb21498a6ad8dc65d230c11c2d315b44fa4a257c04

Download Submit
memory/2320-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/2320-1-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/2320-7-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2320-24-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-23-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing