9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d

General

Target

9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe
Size

12KB
MD5

82702ee71a59679913a42ab5bf8d2a63
SHA1

b66c54737a6269a42264b1b9325b0a1397a81392
SHA256

9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d
SHA512

04aaf38cbe1053d775deea2de7c9dfeb0a40e70a4ef2be65b342af031a0f8bd1df412751e58028506dd4106240eb8fd549271d2276ebba202020b3111d471a53
SSDEEP

384:fL7li/2zmq2DcEQvdQcJKLTp/NK9xaHi:T+MCQ9cHi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	tmp1C87.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	tmp1C87.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2412	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	28
PID 2980 wrote to memory of 2412	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	28
PID 2980 wrote to memory of 2412	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	28
PID 2980 wrote to memory of 2412	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	28
PID 2412 wrote to memory of 2100	2412	vbc.exe	30
PID 2412 wrote to memory of 2100	2412	vbc.exe	30
PID 2412 wrote to memory of 2100	2412	vbc.exe	30
PID 2412 wrote to memory of 2100	2412	vbc.exe	30
PID 2980 wrote to memory of 2736	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	31
PID 2980 wrote to memory of 2736	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	31
PID 2980 wrote to memory of 2736	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	31
PID 2980 wrote to memory of 2736	2980	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	31

C:\Users\Admin\AppData\Local\Temp\9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe
"C:\Users\Admin\AppData\Local\Temp\9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rp5dvjk5\rp5dvjk5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CD8CCC8FEB14F078656760E9D9E04B.TMP"
    3⤵
    PID:2100
- C:\Users\Admin\AppData\Local\Temp\tmp1C87.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1C87.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
82eefbf2f80eb2224c65493e7847dab9

SHA1
ee1f67ccd6e69d424bee459d8aecd7a27c40e954

SHA256
d812b8d44e1ccbb7ca9afe7250547e6c57b26e7da47cf76138bef3446bdda116

SHA512
f5ed9c5b917bfb31396082cfca0ae9f1805e6c27e1afb389f0d1be67cd79e694efcea743aee9a5da81043430f86244777a1700024b87cec9f2d590d64a8063ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F15.tmp

Filesize
1KB

MD5
b74629273ac8b735930e62495c4b3b11

SHA1
1ecbc475f956b0fff62918093461f47a107aa777

SHA256
b518e801704f5a44117f17c3934e4594c44e79bcffea2772243b57956319c5cf

SHA512
f2c036c2a6b0158ac92d87ac70bfc9cd4d921c06dd2c0b49a333d0de13969254e6215ae5ff22662704ed5bbc574a870c673db978139376062775e6d45b022a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp5dvjk5\rp5dvjk5.0.vb

Filesize
2KB

MD5
015de1b039da2f6db35ac94d83290bcf

SHA1
478d1eae654ab1c2a84b61fbf5b93419fba6ce21

SHA256
263423d2eb78bb9b41b127006479d3022a6f6f55eafce009e55453ed0339bbe1

SHA512
7f821806b344704dbbc5df5c8a514bf49081a4a8078de67e159e690cb8a050576ddfb389e7f21840aa759bbf6b4a8b82a4f3050ce3040e7355874809cc8a0ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp5dvjk5\rp5dvjk5.cmdline

Filesize
273B

MD5
d2ec9a1877c32a54b50d7a6661940205

SHA1
9725975b991202622e47f15b18115af9a009cf42

SHA256
508d5a26d61a49eb77484bdd4a3cd1b1df140328f034088255f192d7acef8a5f

SHA512
027d432c5320049f99233a85880e2f289a1466af19ec304b9466ca27d45ca26d23f7677698f764680dd7ee1c818b0d2dfc970cc96455140283d1507317a0a281

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C87.tmp.exe

Filesize
12KB

MD5
cb8115ba18c1f63bf412f729b8344f84

SHA1
8323c8581733700565effe4e4bc7439a063d6402

SHA256
3d49e78b9475148e321c7cc5e85b245bf822b4ebcdaae564fc2e4071b5c3fa83

SHA512
fc6feb4f32fe3f10a814d107e46dfeabfec01e31f4154cc7c6b530f4bfb293862b5570f6c21bd4f8bd4fefe12f72a5eba75e01ed0ac7c9300fe72cc4e375e68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CD8CCC8FEB14F078656760E9D9E04B.TMP

Filesize
1KB

MD5
980f39b941a8d439652c491f80f53dfb

SHA1
7970df85835353d57dc50a99e4ff48153cbd7940

SHA256
9c1a14a1c206666bf6509251dffe54e234d819116abee3365adc748ae080a2b1

SHA512
94ce7bfc1e1e5cdcaa0fadb1ce69ad2016ccaadcbd28f6eea1aa3663d3d1b5e0fffffdf88810a6be8085d62dfe930ec59b058026afdce31826ca6703ac52a8af

Download Submit
memory/2736-23-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

Filesize
40KB

Download
memory/2980-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000001080000-0x000000000108A000-memory.dmp

Filesize
40KB

Download
memory/2980-7-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-24-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing