69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248

General

Target

69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe
Size

12KB
MD5

8ab9b1e9df94436a1f1b4ffab326fbc4
SHA1

df6c481d09c93087fafab9e303c21242cb0b1a1e
SHA256

69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248
SHA512

d47f8ef31d2909004bab554be3f43a9e9631108f1284bd9502222770afc0e52abc2c1c3ec3a815de161f5e29c8e908ae4cacccd2b16730c12f79bfe2f004e61c
SSDEEP

384:UL7li/2z6q2DcEQvdhcJKLTp/NK9xadQ:CyM/Q9cdQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2724	tmp1C96.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	tmp1C96.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1672	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	28
PID 2076 wrote to memory of 1672	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	28
PID 2076 wrote to memory of 1672	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	28
PID 2076 wrote to memory of 1672	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	28
PID 1672 wrote to memory of 2596	1672	vbc.exe	30
PID 1672 wrote to memory of 2596	1672	vbc.exe	30
PID 1672 wrote to memory of 2596	1672	vbc.exe	30
PID 1672 wrote to memory of 2596	1672	vbc.exe	30
PID 2076 wrote to memory of 2724	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	31
PID 2076 wrote to memory of 2724	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	31
PID 2076 wrote to memory of 2724	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	31
PID 2076 wrote to memory of 2724	2076	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	31

C:\Users\Admin\AppData\Local\Temp\69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe
"C:\Users\Admin\AppData\Local\Temp\69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iy0qmkl3\iy0qmkl3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA043C1CF50E474996A78C51988218.TMP"
    3⤵
    PID:2596
- C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe" C:\Users\Admin\AppData\Local\Temp\69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
069a23830397ee4c65d5d7366ff9a7f7

SHA1
8cd7c0c14e755b3b813098daae8defbd277ad2d2

SHA256
3b95b36b51c5f58da97ee247c16963554f991688023da45f05cd725c140161e2

SHA512
50a82732f9a332ba3897f69617c0a5fa23b0c11101af43b5a6d2da3a03dd89ea3848611b5ed1b449ca1a1ed3c65babe3373c47559a2c7cb862d363a1fc2d4906

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D70.tmp

Filesize
1KB

MD5
fc55791d2b82bebbd5dc2173a25e7551

SHA1
14abd990c2ae41628c8219a9e74a26e9b53a0824

SHA256
a541ade24ae483177c3614b7e8bb83aa0d1c57cb8b46cf121452924c17a9fd83

SHA512
e4bcd2654aa4786a54ef8ae8402d08a195f2eaef1557a03c1d258ed3a06445515f131ec7aab715001a18ee26bd2faf6ab1416910959f504dd13a54bf9f54babb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iy0qmkl3\iy0qmkl3.0.vb

Filesize
2KB

MD5
b57d29692145efb9bdce0850ab2a0852

SHA1
b669c402dcf9d4aaae3bc67204621bffae208843

SHA256
59137547c54df20e53407b7d70abf722b3046e3d823cddc3b7750d62f0c133ae

SHA512
1052a50d939d6a5b875ded98af7057297480d4d73faed3f36256a07aecd20e2ce78c5b62f134d4b207ed7fdbc5788f9b8a4c7fa840f731da8e222774c1a1cd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\iy0qmkl3\iy0qmkl3.cmdline

Filesize
273B

MD5
dc5048a3a5859a2a86ede9d363fbebe5

SHA1
eed72014e702d046ccdbd54bebc2a94ee70b91d4

SHA256
faff1f6e8fbe7d27c9d71623a4ed8aade567d7f7f990eecd22da36310e4c2b19

SHA512
393d0eb1f9e35c6d054139da72fea1631e5a4d9ddf9230e54da957decb323981f97ea8ceaf7b789f96dd363a7606a982ce7a2e1fb7bc9cd286addbf07fcb8962

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C96.tmp.exe

Filesize
12KB

MD5
435eaa4736329f35d2ee73827a950905

SHA1
5f1622f45d79a3c043df6f78903f523d0e6050c0

SHA256
010060a20916de9345cb036928e7c979bf60cf5a6b2c48da598c2fc4abefa239

SHA512
a39762084737e23745d587f7a67ccf5d6c9d20d96effe1bf197e821d4b843d1c3979460065c9a429acf9981d5614c6d671d5b95cb534ce00aca13f107c8e26cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA043C1CF50E474996A78C51988218.TMP

Filesize
1KB

MD5
5bab6947c0a5d44162ca46938193b5ec

SHA1
af6bdd486a14cf45d72266378cbd28d0a2487ff1

SHA256
07c18bbf7c5683f88d6ad03f6f4fbe534614aef51ece97fa6f052eec09f87bfa

SHA512
db61a26f2e7fd15ca58ca2f67b9414742203ea0203b20dce7d5086d642e3177911da5c9c9fe15a4e89f86d5ac18ff2760e201415fb5c9bc0ace01fbb20b1d6f4

Download Submit
memory/2076-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/2076-7-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2076-24-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2724-23-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing