a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d

General

Target

a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe
Size

12KB
MD5

32ef744add96941cc35885142148a7e3
SHA1

db291a3c755305cbc672e81f7a8a8330df0c781f
SHA256

a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d
SHA512

814fea67a55f00ee0dcbb9f9e2192e4f8ff02e606604b8c5a282373614764bf7125a9079a802ca0c323f316e0e184afff9ee465edda81ac1fc94aad8aa4fdb37
SSDEEP

384:6L7li/2zbq2DcEQvdhcJKLTp/NK9xaMe:k/M/Q9cMe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2536	tmp2962.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	tmp2962.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1756	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	28
PID 1740 wrote to memory of 1756	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	28
PID 1740 wrote to memory of 1756	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	28
PID 1740 wrote to memory of 1756	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	28
PID 1756 wrote to memory of 3068	1756	vbc.exe	30
PID 1756 wrote to memory of 3068	1756	vbc.exe	30
PID 1756 wrote to memory of 3068	1756	vbc.exe	30
PID 1756 wrote to memory of 3068	1756	vbc.exe	30
PID 1740 wrote to memory of 2536	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	31
PID 1740 wrote to memory of 2536	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	31
PID 1740 wrote to memory of 2536	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	31
PID 1740 wrote to memory of 2536	1740	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	31

C:\Users\Admin\AppData\Local\Temp\a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe
"C:\Users\Admin\AppData\Local\Temp\a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aqtiovbh\aqtiovbh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc659FB22CDC240FF8C9E1FB252CBF182.TMP"
    3⤵
    PID:3068
- C:\Users\Admin\AppData\Local\Temp\tmp2962.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2962.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
770defad19ca66a193ee429cd24dff56

SHA1
93e468d0697e58fdbd24c30fefeb59d3f2a033a2

SHA256
f849129f133193b020037e53b2093e27973ae6d45ac3b2637130f21b0c738af7

SHA512
686b52c1cc5594f7f8cd0c28d188f872822658fb1ea38b42c122a9177a733dd856bc16dca328f9192a4e2cdbef8e513f77f2fbcd5915d0721f404aad88bb6c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A8A.tmp

Filesize
1KB

MD5
c4597db73a15a14c94d732b0a9c0204f

SHA1
48d1666ec9ece158c30d0be88d552f866b00ff85

SHA256
f17243a0b47a68544608ad5645405865778b7b0348e953516a38e30b4f224209

SHA512
b9b857fc99d455fe9a28cd779edf03223ae8ffdb6feb49eba4e6206f7c8cedc03bb1b440f1aaedee6879aab81e2333096bd7e6dec10eef291e3e8d14cfab7279

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqtiovbh\aqtiovbh.0.vb

Filesize
2KB

MD5
a6b35e91eb00515e279081c5ee0867de

SHA1
917a6d5a0e9c687205eeed20ad0e90c31805abc3

SHA256
77acabe66ca4ccd7e20dfb00b67cfdcf6ad5c4406a17942999c317234d9b7d45

SHA512
1ebe038fcdb98f501f3e71de68134ca8a7a4b308cebd3f28e9c537707a3ea6e7ec184bfe8a6785c364737e8162a00974912f07030b35e029d4fe01c1fb4be0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqtiovbh\aqtiovbh.cmdline

Filesize
273B

MD5
3e4fd3865e9aa22ecdf6391699815d2a

SHA1
d808b2fefd1437cbaaece842e6f388b7c3cebef8

SHA256
f8d2e4859bce366b1a3f652d391d864a39cf843b4cb2b03080e3b4212c8cf91d

SHA512
42842d4c431266bdd1cc3b1d553b7ea17216b7e7fbad78e7dea460f5360725c4dcfe9fae66f3818bf527f6ec37a475cfce1397ba6e240bc3854de14d7e9b42fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2962.tmp.exe

Filesize
12KB

MD5
3939bbacc1bdff0cee4f1a58bd4778c2

SHA1
3e18d306e6674b663358c6bc35564cf1c95e2e04

SHA256
b7c1adb7b9cb2f492f5aaf9e9c69a54915c737c4357a0af17be37677daf5f369

SHA512
cfd8d6fece9d9670d2f71686ca13414dc74cbe213415dda9a858846efae374403bf0d6d81726d22cacea53e39cb0eadc6322c2ad41093cd8980dab48eae46cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc659FB22CDC240FF8C9E1FB252CBF182.TMP

Filesize
1KB

MD5
c78484cfc7a78ba4ede64c58a9cc0584

SHA1
d0fa2ca450c99fe512c1afaca88b494431bfbcb7

SHA256
ed4c8bb7adba7f4792ab077821ba8d6628e3ea16ad8446e78721784d91880e31

SHA512
b305e49ecc2d8a55ac6513bce2970faa89d12e986d5c98453edb20b46eead33ef9cdafecc115424e7fdcd71283c17ce664c0d64f4e64be3b62cdb6f54a68b223

Download Submit
memory/1740-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000001370000-0x000000000137A000-memory.dmp

Filesize
40KB

Download
memory/1740-7-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-23-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-24-0x0000000001170000-0x000000000117A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing