b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69

General

Target

b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
Size

12KB
MD5

7806a8806149ee00b896686c0f679b50
SHA1

6e8f67ebb0b728c46dcbf9e758e0a3824b3d658c
SHA256

b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69
SHA512

2686af62d3a767323642e11d7c2edcc1861bbb9c30de6a6b4a42e88f1572ffc81dfb36967bd9f9fb1858452f726853ef4cc8a09422caf0b0fce3be0b433b1796
SSDEEP

384:+L7li/2zHq2DcEQvdhcJKLTp/NK9xaJ4:oLM/Q9cJ4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	tmp28C6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	tmp28C6.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2064	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	28
PID 2992 wrote to memory of 2064	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	28
PID 2992 wrote to memory of 2064	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	28
PID 2992 wrote to memory of 2064	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	28
PID 2064 wrote to memory of 2656	2064	vbc.exe	30
PID 2064 wrote to memory of 2656	2064	vbc.exe	30
PID 2064 wrote to memory of 2656	2064	vbc.exe	30
PID 2064 wrote to memory of 2656	2064	vbc.exe	30
PID 2992 wrote to memory of 2820	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	31
PID 2992 wrote to memory of 2820	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	31
PID 2992 wrote to memory of 2820	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	31
PID 2992 wrote to memory of 2820	2992	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	31

C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
"C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bpjzv0qx\bpjzv0qx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C2689D24295478997323D83C82CA3.TMP"
    3⤵
    PID:2656
- C:\Users\Admin\AppData\Local\Temp\tmp28C6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp28C6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
3df7d3d37bd7c77202c5f6ddd3f321d2

SHA1
1b4e9ed6e92fa6ede3d2289f5d629269b44082b8

SHA256
dcbd734296239d3f2a8cc6cd96856c96b3db2cc91c54565e06c8f4c18b998744

SHA512
3e505ba613bfbe698af17eb4a8662417eb4a38250efd52c9ca9b27cb218c5dc6094dd2916513c9f83c61abf03d3ab7a3d356e589b9f04ce317483954a3f17d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A0D.tmp

Filesize
1KB

MD5
6a03675dd66c45b6cf0b86a9729a9675

SHA1
dd81ca40289aee2f8e7740c33ffe667073800277

SHA256
8b89c7e3b177b53f80249f24fcf9ae482fbd0da29ab1932b9719bd08aa8fd598

SHA512
ef5cf01322659d6cc16c7a3c67dffbd9828c7483efe8b789843a95643ff7c033ce60ddb8b92faacedfa075cde30c3b631e82efd8c771e589908a7943e0bd4f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpjzv0qx\bpjzv0qx.0.vb

Filesize
2KB

MD5
a4bc40ac5296ea2c5e652acaf9ddd824

SHA1
e39bfc92c36a202a2a9a3afb41db53fa1fe31a30

SHA256
969990043eceab9387b63f8d49a43f153008b9b6bcc1d6b5d698b38c39f3e4d2

SHA512
0319b9e06b94dbb6f39dbdb5cba288e94ca4abc808968af95bb97ccd99375b33145c6e3ca54536a26c59934c92c657e2da5587ccd7a4aef53720ae302614c22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpjzv0qx\bpjzv0qx.cmdline

Filesize
273B

MD5
ed25e1fb6634ac45a8d2c1c01d762f3e

SHA1
207db9e01a39fe1511b10d40e120d12f52fcda92

SHA256
8bea3f50a6d286ea9a56d99ae61ab83016359c9511a19b31982ce4bfdfa606b2

SHA512
6c407de699baf926a96effec7a16803bdb614dae6467a80bacc082eda61b0689ce43b1ee2a3ad7b2b14f3170e58fdb44baeba11dd00faab8b4e8c7f2ba440121

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp28C6.tmp.exe

Filesize
12KB

MD5
b39e8420b9d63932eaca20681a53fb3d

SHA1
433c139c19d74873fb44d54d867cca6c45990830

SHA256
e60f675f5215f0f84e7db96edbb57f991524e85dfa208321d652013d8070e698

SHA512
54f9d31f29ba68bf282e7546b8399e3c699df7318dcc1ec3e8fe6ef000769f0411aa57f8c48c2abb36674a496145c6742c384e7674aa5916cf4de2cdb881c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8C2689D24295478997323D83C82CA3.TMP

Filesize
1KB

MD5
f1e8c09d6d24a9dc8bbeef9923807674

SHA1
a618231c3ddee0cab68c393f681caa72765bd16e

SHA256
4ef8e63a1a5711e02d930357de49c4cef2f72ce0ee6839548876727869542f85

SHA512
6d6dc39a701fc2e3933c922edbc25d9942f497b2f90e22f408e964d112935bf49e98ebdd31db26512f91587560602323e38d0dc662a2cc2cd6cb6d7c25298ca2

Download Submit
memory/2820-23-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2992-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/2992-7-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-24-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing