b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4

General

Target

b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe
Size

12KB
MD5

f6f59ce383d9f3881b305fac6fa5f364
SHA1

95fadd4e0bb1f40710ebbf8b4a7a8dbffa37667e
SHA256

b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4
SHA512

fa05cb2c54629cb036e6a5b6919bbd2c0b7069970b10ed8da5e7ea6b5cb38faaf6b8216e353e3a8569c34a13f30da4b46984bab062150dd2d1b72f57363c1f08
SSDEEP

384:JL7li/2zSq2DcEQvdhcJKLTp/NK9xapG:56M/Q9cpG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	tmp2859.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	tmp2859.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1740	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe	28
PID 2056 wrote to memory of 1740	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe	28
PID 2056 wrote to memory of 1740	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe	28
PID 2056 wrote to memory of 1740	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe	28
PID 1740 wrote to memory of 2612	1740	vbc.exe	30
PID 1740 wrote to memory of 2612	1740	vbc.exe	30
PID 1740 wrote to memory of 2612	1740	vbc.exe	30
PID 1740 wrote to memory of 2612	1740	vbc.exe	30
PID 2056 wrote to memory of 2728	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe	31
PID 2056 wrote to memory of 2728	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe	31
PID 2056 wrote to memory of 2728	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe	31
PID 2056 wrote to memory of 2728	2056	b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe	31

C:\Users\Admin\AppData\Local\Temp\b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe
"C:\Users\Admin\AppData\Local\Temp\b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rwpjishi\rwpjishi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68642C96D83A4A4C95611B7DC57980C7.TMP"
    3⤵
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b28799265fb29a129f74245ecc5d27a5b4d1da9c1e26886af9cccbe63c3228c4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6f63656b30980c181bf9785042c3df2e

SHA1
edad8c63d8619159d9f73b2aeb5417179b3583f4

SHA256
49add966096d03db707f8140e1d3aad928a7c6d5abfc84a2b1cbe48a702ca966

SHA512
cdc1cf8f05500b4431e4fd408c06e3ba50efc325652bf5df015204799e0f769511bdcd2f154923116486b501e6a60b7e0ca40d12e697abd0048e4614a1759cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp

Filesize
1KB

MD5
fac595c2f1508c538d68ee3aaf85f2a8

SHA1
3aa30e0913458fe0fcb0b2ba185741f217ed1c1f

SHA256
142b69ff9d1880ad9ec4bea52c26052f7d46454371a53cead7a62636aa2e9963

SHA512
03c1d399f0d56e59a6bf19f3abbdcbb861a2d307845e51f1738b69734795a1a5eb2c7034dab52a09f6ced77bfdb8f64b42c6c42e6f03314f4801504629b3d0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwpjishi\rwpjishi.0.vb

Filesize
2KB

MD5
6d33df2791485bccef465d7c493a0486

SHA1
872b4dd299a2b446f67bd11924e27e5f3e7cd733

SHA256
57c0b4dd5a264b9843720b79fdd1f4653fede02ad9642e52c4e3ee453ef17716

SHA512
7e725fdbc2423a909d19be1d90a5e24ca28cf3be80b137784795799583775640deddb01a7395f21d6d405a591c8d7da5dc10e8067e2eaf4d763460867846c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwpjishi\rwpjishi.cmdline

Filesize
273B

MD5
d1a2c87f92f1c4261fda3664854af9af

SHA1
ae7a28b9f9aaef0ca68136cd5ba8691409a8b644

SHA256
2e369a340c3d32b4670599723557b555949eb001a7995777dd9fc2486d10108b

SHA512
d288a7d15af6925f9c56f70a469703b1cf0ecebb6a4acdcb404c27b92247c8cccaa398c2350e1edcf0c6753ce66124399e597255bf927d8f50a5b8566820ecbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe

Filesize
12KB

MD5
3b605ec066dd8490d041a063f3d267e0

SHA1
a8bdc117b9cfdcefa7add55e40d1da42a7d7a20a

SHA256
78866fe6080bede9a74ae6ae47137dfbcfc9e9b39cd2b86d2e6517d472548ae0

SHA512
792a51eafdd277ad9bf29b4dc81a32d5fd42aa970654903ca52445c60588851f5f2db87e55aa25d6e7057b8eef42e267193ae0bf132ce903f31d148048cd2e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc68642C96D83A4A4C95611B7DC57980C7.TMP

Filesize
1KB

MD5
93a28da04eb1208a099062942ab412d0

SHA1
1a8028fa9e0a28733806ef7406459b4a71dbbcf1

SHA256
83cc2a4d2392f8bbf15cc3808b348382da4a2f4c9513e4cc4fbb7995bae22612

SHA512
fab8b348d6beb79b0f8459166798fef2d6dd2c237bb67d14fdcfaabd436dae7a3de05a81a41729659fbe0c74c2062d30a96e60da16b52dfac53ee3a4045f32f4

Download Submit
memory/2056-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2056-1-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2056-7-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-24-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-23-0x0000000001310000-0x000000000131A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing