f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8

General

Target

f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe
Size

12KB
MD5

9ef12943a6d40fa3a2b799f27869d244
SHA1

ec14d88b6cb6de5650f4064d631198204417b20f
SHA256

f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8
SHA512

2f9fae5af845a904501a687c2be24d1af60899520c0ce77b1682371d839101f221630368ffa9e3917e78fce11f07e16b9372628526e68160170146a3c6e3f590
SSDEEP

384:WL7li/2zCq2DcEQvdQcJKLTp/NK9xaSpG:QKMCQ9c4G

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	tmp12F5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	tmp12F5.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2352	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe	28
PID 2176 wrote to memory of 2352	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe	28
PID 2176 wrote to memory of 2352	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe	28
PID 2176 wrote to memory of 2352	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe	28
PID 2352 wrote to memory of 2028	2352	vbc.exe	30
PID 2352 wrote to memory of 2028	2352	vbc.exe	30
PID 2352 wrote to memory of 2028	2352	vbc.exe	30
PID 2352 wrote to memory of 2028	2352	vbc.exe	30
PID 2176 wrote to memory of 2632	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe	31
PID 2176 wrote to memory of 2632	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe	31
PID 2176 wrote to memory of 2632	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe	31
PID 2176 wrote to memory of 2632	2176	f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe	31

C:\Users\Admin\AppData\Local\Temp\f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe
"C:\Users\Admin\AppData\Local\Temp\f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uo3bzhlr\uo3bzhlr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES143C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFA1664AA948447C838E5C4B5091EC67.TMP"
    3⤵
    PID:2028
- C:\Users\Admin\AppData\Local\Temp\tmp12F5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp12F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f51acbd141533b5d36197f00d74bb58d67a22b2a9973b2da4964336022a683a8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
716b3a6cc4be83f3e9b93a29b8971174

SHA1
cb4746d9bb779cfbc51af03550ab90eb1a839855

SHA256
d062360320e286487f9419ab278adb4fdefa9bfafc4b74356d5c8a59a3d3b160

SHA512
3e88f318f48edbb6316e8639b3d0727e66e3e8630eb89d4e7f2edb22765e054b4df05568365fb4879f98fde8cb5370541ab411a4f8af58d8dbf8c299539d637f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES143C.tmp

Filesize
1KB

MD5
95c0f2665d5e913417dfd9219ed41859

SHA1
6213b16346472024057ed1e1fab50d9e061381d6

SHA256
fec09d20b83428c4e97e9f526bfff664d7140b565138144930d8963d4e82fa8d

SHA512
ca8a90794dd122e24d42d407fa0819cfbf411c19134453fe34a60e179179d1a7e29b42b7b6fe4645c0f9e5c06f474c45cbf7d1c1b5ba5d8256bd8e145eacfe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12F5.tmp.exe

Filesize
12KB

MD5
ae001b154359c9dd48c63218b66ba620

SHA1
312409d8f8c6ac5ea57f316a623cd5170b2aa2af

SHA256
a89f5fa2aca68f8b31b97ad9599670a0738b5ac9c081b46cfbe088600b28ee6f

SHA512
292e96c76275c53a43300add363981988872c5fb4586249da5802489bb14ec3b23bf5fdee29e3128cd0a5adf6792497af7cc3f86697596b0e18f855fb7e1d7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\uo3bzhlr\uo3bzhlr.0.vb

Filesize
2KB

MD5
189088dc382635c7cd1351b71a9e0bfb

SHA1
4f427a5b2231792562cbd4df45a5db6dac1f5c99

SHA256
af59014fe0e8ec7d6cdfdaa5fb8a9062fe341d01675f55abbbed0f0fcf68b4dc

SHA512
e57493f75a58cb00b2d63333cdfa67f8868c87dfc467d95104fafc57f0c1c890b59774d1922d13956e13ffeb1e150232440f1c67aae67d22cadc6a20d9bb6a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\uo3bzhlr\uo3bzhlr.cmdline

Filesize
273B

MD5
009ae6a021bfee391f3ef2b03039bedd

SHA1
22ead5b809c85e0d2ef53520e5f01cbb4b400433

SHA256
36354b0aadd207bb77d5213ad726fb1b9503acf1782d70f50ea83e6393a44022

SHA512
abf782a2ebdda905dbaca3f759de4bc325bd45218da78b3db1265d1a879876894cde56e9b8e9347185be89823e1aa33b8a1d0a57be6f9fa820b694c2fac81ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBFA1664AA948447C838E5C4B5091EC67.TMP

Filesize
1KB

MD5
e66ad336c67c9c5a6989e5221363926e

SHA1
fd07529ff6bd464df5e5dd70cddea18cb964aba1

SHA256
ec6e418b49fa9d2b7b6531622ec7419c8c99dcd1d58fdeae8e74197bb9fa33f8

SHA512
60363b05d1c17101d6bb3650e25cdb23746a3788ff612ef48b901b391dbc4197dcc2a18006023af171362783c32d9f732266f0f7a9d3f32a5dd9753cf1ddf5a9

Download Submit
memory/2176-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2176-7-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-24-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-23-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing