9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7

General

Target

9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe
Size

12KB
MD5

f19b5043646022bdf096f305a0c293e7
SHA1

83921c351085e177a1a33ba1aa786968cd5f6178
SHA256

9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7
SHA512

2e67ee3d90e97a16dbd4ff3bd0fdbea63d0ef78d8e06476a2ef4524934a7bc88b67da253e1fcf02d61801e0d4dd3c2fb51527ac1358e24ebc5e80a20ba0aa5a3
SSDEEP

384:TL7li/2zzq2DcEQvdhcJKLTp/NK9xart:3fM/Q9crt

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 884	4904	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	84
PID 4904 wrote to memory of 884	4904	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	84
PID 4904 wrote to memory of 884	4904	9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe	84
PID 884 wrote to memory of 4312	884	vbc.exe	86
PID 884 wrote to memory of 4312	884	vbc.exe	86
PID 884 wrote to memory of 4312	884	vbc.exe	86

C:\Users\Admin\AppData\Local\Temp\9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe
"C:\Users\Admin\AppData\Local\Temp\9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u1c0qj0f\u1c0qj0f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3076.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9162F0683F06406A96E73EB18AD15C33.TMP"
    3⤵
    PID:4312
- C:\Users\Admin\AppData\Local\Temp\tmp2F6D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2F6D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9546ab2c29d4ed4b9e8e1b42c59973145d739ae45ad2c217a3ec9920df52dac7.exe
  2⤵
  PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
354c1b2aae0400b406e7d69d49e84aa8

SHA1
b476c3dd22a25ace91f50050ab6eea86d986dbcb

SHA256
dc6b7b3476d4f9fc8228d33748cfbf8a8e49d3e5adb4d2033744fcbbc4949b30

SHA512
d2150c7d53c172840fb3def47173d88e703d7eb7591646a637d06fc2ae4815bd594a16f8f11907ce44f38ed0fc46d09d4cebe6f74d5065c3e4b42c021132e303

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3076.tmp

Filesize
1KB

MD5
b4df0a06124636ef4c21ddd42c3b4610

SHA1
583831206d2f1d524cea009b156a43504b405e62

SHA256
fa64e6673c12ca87cb444ff97ea7cb4751f51378a1dd1b771c32d1577ff20769

SHA512
bf901ee5fd202decf7c0670c45e419f95ed0d3840f5796b54e2ea50547317be97851b5d35041d510f230109fd352d11cc404f4e8aad78fc8f262dd4760bc3d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F6D.tmp.exe

Filesize
12KB

MD5
1012923da370f07802cb282fb4957a25

SHA1
545500ecb11de8c16be6072246ea010c5a9ebfdf

SHA256
24f1b15a6733a46535c9f013dc98f5ccfaa11fef1477e1badc129286a53e66a4

SHA512
a11ff0436b0768812a53290f81bfac361fd94ae31342cee48ff175362f9ce1345e56dbec3f9cde35412f215b8dffc2a53ff0ee5ecdd9914286daab2f99af5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1c0qj0f\u1c0qj0f.0.vb

Filesize
2KB

MD5
6448da591b353a05cc25fbb1c2c77a43

SHA1
1d829e38205db4ab64cf69cefbf0e195559cf2fc

SHA256
8d86ba09a45dfe9ab751e62c5dbc4451a738d925d86c16d672b19628cf9a42d6

SHA512
b339e0e7634b3d5e8f942d65b6b73c9eb8817993f00b641bcd777309649e37d92f297a27054561af5c40c9f8987733a108e2f0496f18068443d7da64b1d2f7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1c0qj0f\u1c0qj0f.cmdline

Filesize
273B

MD5
12c15901ff780385ad4270dc49d9d308

SHA1
7e2c537a395eb5923da9fb3922ae62b4c8afef3c

SHA256
530476c0034537971e5de16957e3bf3c1462e9c478e85d9d8ba84a541940ea1d

SHA512
bc0d28eafaab6e98c3142a4caf67b0deb9f2be4cec20c3beb16531fbba075b1ffbe497d54dc80a212893cde183bce787bec621639a00ec8a90eb450b6126100c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9162F0683F06406A96E73EB18AD15C33.TMP

Filesize
1KB

MD5
e846d7267f1e60efa602679f9435f202

SHA1
0524478696007766ed3c702c5cfa8f0b1cb64ce4

SHA256
18f621795579e40cdfd237aef6f9bd5ad154c2821587928c3e60823665ba9e2a

SHA512
d45c049af4cc30531e26f82b82dd71e3e3019d959e4e40b2e30e24ef8123ca9686445e728b6cec6bbf7b78e16abe74f01ee2b3f71e1f65a22ad9a33b43f903b7

Download Submit
memory/3316-25-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/3316-26-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/3316-27-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/3316-28-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/3316-30-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/4904-8-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/4904-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

Filesize
4KB

Download
memory/4904-24-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/4904-2-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/4904-1-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing