781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f

General

Target

781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe
Size

12KB
MD5

d3aa7dd775bfae52e1534e44bcbba566
SHA1

b9efe441cbcac8708c117d824211a6c7be0283b5
SHA256

781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f
SHA512

55ec057d0346a606a28ac863a06d4d4a06cb892b1e613ffce490f88eddd9966d0253e1f96b1f4b2b68110954b827523744efbf90bc6bc37924a3170101ca92c3
SSDEEP

384:hL7li/2zPq2DcEQvdhcJKLTp/NK9xaxz:B7M/Q9cxz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	tmpFBB.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	tmpFBB.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2376	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe	28
PID 2744 wrote to memory of 2376	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe	28
PID 2744 wrote to memory of 2376	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe	28
PID 2744 wrote to memory of 2376	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe	28
PID 2376 wrote to memory of 2620	2376	vbc.exe	30
PID 2376 wrote to memory of 2620	2376	vbc.exe	30
PID 2376 wrote to memory of 2620	2376	vbc.exe	30
PID 2376 wrote to memory of 2620	2376	vbc.exe	30
PID 2744 wrote to memory of 2680	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe	31
PID 2744 wrote to memory of 2680	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe	31
PID 2744 wrote to memory of 2680	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe	31
PID 2744 wrote to memory of 2680	2744	781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe	31

C:\Users\Admin\AppData\Local\Temp\781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe
"C:\Users\Admin\AppData\Local\Temp\781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vboab4dg\vboab4dg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64A9378E8A0842549F8D21D957EFDA34.TMP"
    3⤵
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\781491c28cb3abb1252c9ea8290bdf0a0d33b3a30a30a1822dd4b2c0e5397d7f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ac6c0673ebaebb1c7827fd0f0cc929ef

SHA1
868e31597ff5eefb87e77470d91456dda7786a38

SHA256
efd884c02eaebc145c64b37826df09c9de808eab7d3edcc91e83f0c4e2ba9742

SHA512
24ddac0ea0918aba48e8305313f80e7cb20508918288890a797d4d0c811ab83da9eb325b2809a545470000b9bacd4ce203bc5353d5a24bb0ad7c870dd02ab4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES10C3.tmp

Filesize
1KB

MD5
7e6d32f7948d9fc5c779aeaa5e4699b8

SHA1
85d5d73c6ee8c12dfcf87c3bf3924f5595ac90bf

SHA256
8f9eddd3b1980d9aceb924bf878699bb54ea802bed27523a4d6eceed67ece908

SHA512
219fdba80005132dee048580e947e8ed03f3911bcad98503fd25c23b086865f586b86f8f34165d4c5b3bfc5b526ea8964e0579a442697165da5893af55ca6c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe

Filesize
12KB

MD5
7f95c81f0389c8bb54878791b541428d

SHA1
261a1057e19145ebb78b121bc6d32d5d0b27fadc

SHA256
febfe439df6189a5630cc352e6cd8c8184a7792798065609d918d8e5e1ce9d1e

SHA512
83825a60cc9804c3d9e3eaef8533b6bfef7c635650a61535d7ebb3b94df07b72950bf856734c5f587033e00b0d55a2d8eb412e73ed1c93ef4004a1664df596a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64A9378E8A0842549F8D21D957EFDA34.TMP

Filesize
1KB

MD5
952229cd34be619f381e6e146f8cc0f0

SHA1
ea0fe02fd76a6c2b1036c302a56d3105d108fb66

SHA256
250c0f09ab905b122e7065352e526683622e12e7fe4e698cc3ba91397722d5ef

SHA512
6f5707b8a7decca9b6b78f032ab6ab80d82787fa457519abfaf1343c45eaa1db86ef079b6eb10241b4724d1cee321db8fd3dbcc56175ec13673a17dd44238dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\vboab4dg\vboab4dg.0.vb

Filesize
2KB

MD5
afc03d66b8e41dc46e9df395efdd1eda

SHA1
dd9e5b5a502fba756a7e6631f0d09145031d4fcd

SHA256
1d4bdce518634a55140792ae304b2f45ea83bc1f4ad988ad7c701120da94c5b5

SHA512
a6c4bedc369df9631a82eca391639636c5a6fe2c58abd0150aa624a570be66a7cd23d4d61829996d2bc4521be376a1b5e1edb4fce6d309dd80f45c1ab3ed1d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vboab4dg\vboab4dg.cmdline

Filesize
272B

MD5
b24fa5012e47a162e90cfc806bb7cedc

SHA1
1ef46baedc199c60e809dd29fcf0f34dcff33043

SHA256
090532503e97541007647fa1490bd6d90524b6927d4d15139a7b8e3f5df51cd7

SHA512
60e4911d6ecd66f02fcf1abc22cdcc9b4e8598184ff536b89b082b8b26dec14742273b0387e6dd238bb8dd52f6d7b11d5aa9e2018833ed156d7fbae3dd8d40fe

Download Submit
memory/2680-23-0x0000000001270000-0x000000000127A000-memory.dmp

Filesize
40KB

Download
memory/2744-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/2744-1-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2744-7-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-24-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing