9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7

General

Target

9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe
Size

12KB
MD5

f19b5043646022bdf096f305a0c293e7
SHA1

83921c351085e177a1a33ba1aa786968cd5f6178
SHA256

9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7
SHA512

2e67ee3d90e97a16dbd4ff3bd0fdbea63d0ef78d8e06476a2ef4524934a7bc88b67da253e1fcf02d61801e0d4dd3c2fb51527ac1358e24ebc5e80a20ba0aa5a3
SSDEEP

384:TL7li/2zzq2DcEQvdhcJKLTp/NK9xart:3fM/Q9crt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	tmp1B6E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	tmp1B6E.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 868	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	28
PID 2232 wrote to memory of 868	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	28
PID 2232 wrote to memory of 868	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	28
PID 2232 wrote to memory of 868	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	28
PID 868 wrote to memory of 1172	868	vbc.exe	30
PID 868 wrote to memory of 1172	868	vbc.exe	30
PID 868 wrote to memory of 1172	868	vbc.exe	30
PID 868 wrote to memory of 1172	868	vbc.exe	30
PID 2232 wrote to memory of 2696	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	31
PID 2232 wrote to memory of 2696	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	31
PID 2232 wrote to memory of 2696	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	31
PID 2232 wrote to memory of 2696	2232	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	31

C:\Users\Admin\AppData\Local\Temp\9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe
"C:\Users\Admin\AppData\Local\Temp\9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yz3vzuxa\yz3vzuxa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F5B7708CA3F4D3AB8A9B0A1996EFABE.TMP"
    3⤵
    PID:1172
- C:\Users\Admin\AppData\Local\Temp\tmp1B6E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1B6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a97063714b84737fc77f6fce4ad4d3f7

SHA1
583584fdc0f722e9fcc26fed46ba75bb0fea1a74

SHA256
34df7c97d889d94d665cff8f1c4cae29aa3f2b9c19aca980a6aa06ce8fe5e182

SHA512
00581e4726f11a14f3a403060de2572cc3a75b03dd62d1a249d104b918368300026fb42b0d2c4b217c2199209002d14ba58fa493973876bb21ee9a1eb4a6084e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1CC4.tmp

Filesize
1KB

MD5
502b1e7cc7c143a3b137c5c4087a5c17

SHA1
ec75ed5b357b5afd0e4d07abf8e74d1da26db8d6

SHA256
ee3939df0a80df2fff70b716c44a435419cc54efc46563a4afa23855f97d2cbc

SHA512
4a795b9aa4b4b5515bddb110b2b6df4e89748fc1d16f6bc705057c76f9c6d1beec00c0f56bcff1e4ad27af98f6c9d3dd8e39e5bda931e2481f4e200ab1530540

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B6E.tmp.exe

Filesize
12KB

MD5
94b501ef754656ae25036e9e9ac515c8

SHA1
0edb33794ee8f62ef5faba0eaf3c2b20975e1c42

SHA256
f85e8235cb03fab530dc9364bb2e14dbeef198890ec4973447b6c4cb1134c27f

SHA512
d7428687b337b42460e4d227de4fd5e0f15b57eb8ccfcb244a9862449ae57ea6a7b626960c2ad50600e512f521d1cd6c866605f0593709cb4c775c2875de5d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4F5B7708CA3F4D3AB8A9B0A1996EFABE.TMP

Filesize
1KB

MD5
ceb49ec3e9ce6cef20ce87ab087c9cd7

SHA1
67846abbc6db4021ad7344fb773be03efa95837f

SHA256
dec92782ecc9b61b4dd4db8d3bf0ac8deb358973fa0442c4eee92e2a6ec73a3b

SHA512
3e6d9e1a2ba6e52bdab85d027c8b3fe4eeef2df9cd0d675f18eb388c52a3e3237945a47ba02a73488d2e1519a92596da2ad249769464444e761c4a38b12c3dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yz3vzuxa\yz3vzuxa.0.vb

Filesize
2KB

MD5
8bdf955aa9328da5f8ee11272e7887eb

SHA1
71b8d962763de28244f72d83ceb576405a2fc4c1

SHA256
c73568bce98bdf7c0076bd05f7e0d09497d482d3260ea862b49d2d29904d5971

SHA512
18aa11eff803e8df84ee08aeba70524d084e07f1276beee96125c20fe3e2127c8cfb5336e6f9ddb04426c39c0d72a984e7d377a32465828a0d9ee3eaa0e16d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\yz3vzuxa\yz3vzuxa.cmdline

Filesize
273B

MD5
d821432fdd6fce3fb1221b8fb5245217

SHA1
47a35901cc351856256aabf90b8b393b813e3e69

SHA256
e47ed3a05cd33f076c4aa9f504b80e141a7b0b6bbae458ab8066c1db4cb98cc2

SHA512
04f49ee15af8cec14d42d056c0e77bbca02a6f62f3509faf7c0a7c11e5d72531d29070dda72f2a46d0b790ace4fdbcc48a97d8ec2c7a8f02140abf30d3a57e22

Download Submit
memory/2232-0-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/2232-7-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-24-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-23-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing