b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119

General

Target

b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe
Size

12KB
MD5

61761a6fa4f356b695d52f997e1c6eb1
SHA1

a746decf7f36d9c74c76599fc3cf7b37277bf97d
SHA256

b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119
SHA512

67b96bc5e4612f8e9c127bf64afe06b3d3e2d3eeb34425fc9136713490be7d9d5ad2f2a9e87e1189d4566bc3e36266b42b3738abbcb110d0c0a752c7c55f2ef6
SSDEEP

384:nL7li/2zJq2DcEQvdhcJKLTp/NK9xaj5:LJM/Q9cj5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	tmp11FC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	tmp11FC.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1256	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	28
PID 1340 wrote to memory of 1256	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	28
PID 1340 wrote to memory of 1256	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	28
PID 1340 wrote to memory of 1256	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	28
PID 1256 wrote to memory of 2152	1256	vbc.exe	30
PID 1256 wrote to memory of 2152	1256	vbc.exe	30
PID 1256 wrote to memory of 2152	1256	vbc.exe	30
PID 1256 wrote to memory of 2152	1256	vbc.exe	30
PID 1340 wrote to memory of 2756	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	31
PID 1340 wrote to memory of 2756	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	31
PID 1340 wrote to memory of 2756	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	31
PID 1340 wrote to memory of 2756	1340	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	31

C:\Users\Admin\AppData\Local\Temp\b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe
"C:\Users\Admin\AppData\Local\Temp\b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nvyl1ksd\nvyl1ksd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1314.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc439B81BDB0C44B9DA4181EDF1E8BFC0.TMP"
    3⤵
    PID:2152
- C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
931d63bfa648786e564d5f6069808543

SHA1
f05ef281cf407c8c378e2ee449103c7427581c0b

SHA256
f37f4f32b97989428bd29d8eb7db7f915a6127acf3b0855c2a685067d2edc927

SHA512
8d777ea0df1be72190835baf3bcba744a2f71e8c7ab390c0ae62767c5e0b2a5f80d30662943f0680b72f3e527173431c9435d5b5ecd77208bcf7c360c75bd404

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1314.tmp

Filesize
1KB

MD5
56d07800e1ba5deab25ba541f8aa18e3

SHA1
f1551c8f1d874f0b3b27b54dc6ee787cdd8f5331

SHA256
c28ebdfb4c39ab4e390c27ff5127b445f151394bf3ef0089ee6c0d87d25ff3f8

SHA512
d939832ed24e4585ec3042a3c2068a584476cb88ea0ac2e628913170bf5320c39ac1c9e9ae5b1653a33ef4469c36248eeadf180fdf9ceccab90d8df16b9bfd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvyl1ksd\nvyl1ksd.0.vb

Filesize
2KB

MD5
45589f826c36a43eddaa7a0ef3a3cc1f

SHA1
7a10bc2891017a0cdcf346d9347843dede2b4293

SHA256
62e5011e12329aa98b884557ede74810243c6e44f078c23f99bff7510ed9b2e5

SHA512
65a540453a1c86cd0808c4326cfbbc0d2993c51a90bd7f695c9e936c13102afc49d292e6095f695ad75c41202557012cb159a8ac3a934376b5310c5d6edb71e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvyl1ksd\nvyl1ksd.cmdline

Filesize
273B

MD5
6c6f03d49133421e3b4459a3416b1532

SHA1
78abfa1af58fac40cbc98d88565937fa0ff9d196

SHA256
1c172bbaf922999c8f021068860e05c29d072374c2633189bec95253660c9638

SHA512
205a341903584a6da9e3cec27a19ab81553a4e5ff96a5eee935da15d0daf4f67cdaea69d4c06ffcb4edb73d69bdbc607c0bad04c51be6f1063f2390d7e83f1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe

Filesize
12KB

MD5
bb3f26745fff19c787c1264c89f58196

SHA1
cae81b67faa3b31d3c6303eb67b02f64a8377c71

SHA256
5f87705d4d05cac73385f26fa04b8e89807fbddc9043dbc47344c5a23309fe95

SHA512
21f728a4a27148d6a344d95ba438df38bce42b4ae1cbfd6ab5c5e64ef20158532b4e17b32dea269358a9979ebc5ad2412912e4a3ada88f7743424537f6c9c75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc439B81BDB0C44B9DA4181EDF1E8BFC0.TMP

Filesize
1KB

MD5
85799f7f9dd9424148366bc9f006927f

SHA1
2a91c9a94c962725e7be788edadca0300260c33e

SHA256
62202b5742e78846f69b8b0f0a3810a1cdb19e0e827096bb23362aef31316369

SHA512
199bb41170b3e657c2270b6ebc6b3e2a3c4ccf15ab16c7894a460c5b29d256d6808ccdcc08c76300a87ba3f16c2331b725696565eb593443fe90e21aeb919fd5

Download Submit
memory/1340-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/1340-1-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1340-8-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-24-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-23-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing