9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5

General

Target

9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe
Size

12KB
MD5

6ba9b792a4f0e82a42ebdc8433c8fd8a
SHA1

c9546c12e749f4b9fecee50b99ce87f0b2780f79
SHA256

9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5
SHA512

c59255550ccdd264ce96f892f616e2dc779a869a93de1ef9f880a05f09f529a2d5b8f8baa643b6af1925e5b0799dc713a51b244853b9b20bfd553e3988d92283
SSDEEP

384:uL7li/2z/q2DcEQvdhcJKLTp/NK9xaEw:4rM/Q9cEw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	tmp1871.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	tmp1871.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2648	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	28
PID 2868 wrote to memory of 2648	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	28
PID 2868 wrote to memory of 2648	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	28
PID 2868 wrote to memory of 2648	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	28
PID 2648 wrote to memory of 2672	2648	vbc.exe	30
PID 2648 wrote to memory of 2672	2648	vbc.exe	30
PID 2648 wrote to memory of 2672	2648	vbc.exe	30
PID 2648 wrote to memory of 2672	2648	vbc.exe	30
PID 2868 wrote to memory of 2564	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	31
PID 2868 wrote to memory of 2564	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	31
PID 2868 wrote to memory of 2564	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	31
PID 2868 wrote to memory of 2564	2868	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	31

C:\Users\Admin\AppData\Local\Temp\9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe
"C:\Users\Admin\AppData\Local\Temp\9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oo1medbl\oo1medbl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1999.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41C14AAE3354C27A61AB14DEDA9ADC.TMP"
    3⤵
    PID:2672
- C:\Users\Admin\AppData\Local\Temp\tmp1871.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1871.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
cbf071c237bb95ceea72db230d4938d7

SHA1
f47549c57d5c8193b09319b1ee25691f3a68da32

SHA256
b65cc0883d3c543ed467d57291c532e175f0825fa07fe5ec6e1e21d76c406096

SHA512
8ba2be5169dc1889cdf27eed02dc52141df453e70a5662d70c860b700ff3af09bc43d86dd7e4c9d2c97a5fd0cc3ccaacee5518a51c28a2020984cfc262e235e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1999.tmp

Filesize
1KB

MD5
f49728d089d4f8fd8f9a0e73622880c7

SHA1
e02cb1b9145f185c59b12582f49fbb74912972b7

SHA256
17df8c85aba0f0c5d1800d0ba1bdfb50412450d5e0f478fa49ea66556a0e0443

SHA512
30ee86456d6c323b5abba22e1d1a8ade8e8cb3a25ed83b513b85e8c82c3461e40f80cbcf1c1bc06a08d495cc3d8eef83b666fdfcab67a88e7ec75abb3bb59503

Download Submit
C:\Users\Admin\AppData\Local\Temp\oo1medbl\oo1medbl.0.vb

Filesize
2KB

MD5
d5da15f65d0514a912292893efcb8453

SHA1
b8c8f6ceb7cf784dd2de943dbd48f60ee6204fa1

SHA256
78959b4abc05a539145110a07213d05bdae8cf1e2e1f3693499cf278d4401543

SHA512
d6b3a6997b4e44c5ec9f83327e893b83f175fddade5cc14ef457e8b64c91f4ac451777441468b48465f7f2cd1e4722d8993ea833b96d86d6ea6c23d490d51a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\oo1medbl\oo1medbl.cmdline

Filesize
273B

MD5
8e73186db349d3af1c0b2ad4009b08ed

SHA1
ab5974302cfdd50254df919de1b3a42374c249fc

SHA256
9daf155ace5821e66c001db62a5e0ca367826cd68bdafdb1613f4205ff26904a

SHA512
faa379d08360a20e7522a85afb1c59ea64537050b988a3e15babfb31f499dc289e57fee70bd4170c19fb2cde742209705bc809e51b214e2220d97f1e8f18d794

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1871.tmp.exe

Filesize
12KB

MD5
324656b6fb20de21ef51c71f2967ecde

SHA1
26f02c8f7891c18065fc950cd52dfb31cb972761

SHA256
6839dbccf2314dfe9a831a7ce4756a24cf19eb4eeb1d03a5f213be1377c66bae

SHA512
c1e9b251536e07e4e99a8c68e3085297ce1b3897e4c36c7ffc50ac0ca5dc562b1918af8a938f448c50f9f2a45e647ccc41f1f92b6ef052d341bb16124b4324d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc41C14AAE3354C27A61AB14DEDA9ADC.TMP

Filesize
1KB

MD5
003d2fa005616136b4394afb6a4cb5e5

SHA1
3e0ed87b9c76e4d42eb3c51358310763f826ac89

SHA256
aab98433ce45f4c56f8e913f003ea743992f2ee9af0f279d3f935601c1fd2c2c

SHA512
b71cfd1c1c368be3d7d7998979e2999666fc44e363600d031aae3e4bcea8047f8cebd4daf97cb45416589460693299fc50c8ec75ed03628dbf4c1df1f17cc111

Download Submit
memory/2564-23-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/2868-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/2868-7-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-24-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing