15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c

General

Target

15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe
Size

12KB
MD5

9c4320597167422f0bd6e4fc5d858458
SHA1

c99fcc48319d6ccb50a48b94fd6ccd404750561c
SHA256

15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c
SHA512

f7867fe6d87880dc9c35604bf1e007bb3afa655554fd1ce2bf47d0b55467cb11d562d4173b22f0b80cd2a2f67066cdc6336df245dc41bf8c37763835c410acbb
SSDEEP

384:iL7li/2zOq2DcEQvdQcJKLTp/NK9xawq:8mMCQ9cwq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2876	tmpCED.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2876	tmpCED.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2264	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe	28
PID 1860 wrote to memory of 2264	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe	28
PID 1860 wrote to memory of 2264	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe	28
PID 1860 wrote to memory of 2264	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe	28
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 2264 wrote to memory of 2720	2264	vbc.exe	30
PID 1860 wrote to memory of 2876	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe	31
PID 1860 wrote to memory of 2876	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe	31
PID 1860 wrote to memory of 2876	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe	31
PID 1860 wrote to memory of 2876	1860	15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe	31

C:\Users\Admin\AppData\Local\Temp\15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe
"C:\Users\Admin\AppData\Local\Temp\15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fzkjtwwo\fzkjtwwo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14A6C9542FCF4128B645A53DDEC33BD3.TMP"
    3⤵
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\tmpCED.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\15590c6856173482a74f3e794c264e7628af749645598feb633f5b1a7e26df0c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7cda4f1e1c87a4a9186a8319b51dec21

SHA1
8f9a0b2aced055feb0b11a0e59c6de6b7bfb1dca

SHA256
1465ae6fbaa739c9259b15d0e24f9db044be37e5376bb9884d557ee81cbad406

SHA512
051be94feaddfd8837b3b35379db8b4c081ddd0e99d7ec83e2160c90eef3ca0b012c5ad791e70847c1c827ff39cdde02b252da0c84983b073cd7a9494fc8b294

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA1.tmp

Filesize
1KB

MD5
638e9abfc4600b26d994161206ac01d1

SHA1
579d078b0710a86f085110148dece89f8c29ebb6

SHA256
7011dc4061867e7416bfeb2ef6d20631634fe234da36e0385fea7777611b21c7

SHA512
06cf2f66ba569d6ede89629aad8c7a7701d2e6e2bffd9487c61e5109f133c0ea6a0da455b275fa10b2fd6f23284cd770b39d30db52c1d4fd585b592bf41b0ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzkjtwwo\fzkjtwwo.0.vb

Filesize
2KB

MD5
ddfab4870285bbf170148183c8d52957

SHA1
0be6047ab77a128b960a295f2324840796858ee7

SHA256
bcfb88edd8ac87019bdf557c2eeddd338aefdd23cbcb067e13845c8d1d1c5a5b

SHA512
39b31140b52b537f0d3074757c925511688b001f2ea7893ae8dcf2fd65647cb725fbea81493fc967362f9d547d83eb5e4fcdd33ee4bc7769d9f5d0234806b8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzkjtwwo\fzkjtwwo.cmdline

Filesize
272B

MD5
3d277076e46d1d54d1e57e0f82f92741

SHA1
9f9e3326bdc4fae93ac9c8e146bc518e76461344

SHA256
b0697d251bfc1d3764e1b046bc119b1d3a48076a09298ff4b9e9790ed452fc32

SHA512
8accc2094f33483a0888f8b8a6f1bb490ca983e30664454d006ecb6b4caa98fe4468cde2161855030f4973f95fc1371e550b75a6a2db6ffd9fa5f1937758abbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCED.tmp.exe

Filesize
12KB

MD5
78e1d1a724ffb1b0e2b2cba83e6e1319

SHA1
55bad136eebc5db609462776caddd43803c9cfc9

SHA256
2497625c0612e4b7ea496235df7f2bb52deb03dfed9df5963b6ee0f0adb8e709

SHA512
5ac15ce804db8bda216c0d6c88de7cff6b156fd3dc792efe55a682ee99bf44dcd166b09ec69501d5c22ddb38d5bb5446d81b11e91b258f31987c439a4ba2e1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc14A6C9542FCF4128B645A53DDEC33BD3.TMP

Filesize
1KB

MD5
2286b9b800788daeccda4a8e867132cc

SHA1
325fd7c400bd6c664bf014f555fd1f81bc103dd1

SHA256
7f34d681d1fb611203de0a3211a358f8ab65d83b0ddaf24ad42cb29a02312cef

SHA512
b3dffa6f8e9feefe0bc28e776cf5f13501f032675fab4c930c4080b93c8caf358269e5d1e022005499e542e9d73bf8d7c7d99d8aade5df663b029bbec57670cf

Download Submit
memory/1860-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1860-1-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1860-7-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1860-24-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2876-23-0x0000000001010000-0x000000000101A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing