ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122

General

Target

ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe
Size

12KB
MD5

821fab1712d18c54b64dc561604f1e6b
SHA1

76cc334083cb56cac6b5d9f10341d78a2db36750
SHA256

ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122
SHA512

ceef6f1c3ff5e90339a06fbf6982399036dc781e0aeab9e2170e74ba7138cdc58763b2f472281bd982cdecd22c180afc3460339c96f9065534a33cee0aef2bfb
SSDEEP

384:6L7li/2z5q2DcEQvdhcJKLTp/NK9xag2:k5M/Q9cg2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	tmp2859.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	tmp2859.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2008	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe	28
PID 2932 wrote to memory of 2008	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe	28
PID 2932 wrote to memory of 2008	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe	28
PID 2932 wrote to memory of 2008	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe	28
PID 2008 wrote to memory of 3024	2008	vbc.exe	30
PID 2008 wrote to memory of 3024	2008	vbc.exe	30
PID 2008 wrote to memory of 3024	2008	vbc.exe	30
PID 2008 wrote to memory of 3024	2008	vbc.exe	30
PID 2932 wrote to memory of 2732	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe	31
PID 2932 wrote to memory of 2732	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe	31
PID 2932 wrote to memory of 2732	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe	31
PID 2932 wrote to memory of 2732	2932	ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe	31

C:\Users\Admin\AppData\Local\Temp\ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe
"C:\Users\Admin\AppData\Local\Temp\ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1nupmrwz\1nupmrwz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEACF80D4FC324DEE8D99348C66AA487.TMP"
    3⤵
    PID:3024
- C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ef4dd9f2231248d6ad3bb0e1ab282d76a427180ee6b0aa3251fe3e5ab11f0122.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1nupmrwz\1nupmrwz.0.vb

Filesize
2KB

MD5
feab9c65be48d72d964c8b55ae1178f7

SHA1
1ab705d6fbc0022d13ee195e87ffa0baa9262d3e

SHA256
de36ec4e8acf252d4819a89c59b074d608081dbfa80506c964706520025622c0

SHA512
64a1a1fccd1273b9aa946d385211310b0adcecf0cc0b607d183324e9cb784e43c366045b5cb223a5fc3599869bb63457c1b13f01e4bb11c19b420150bfe71893

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nupmrwz\1nupmrwz.cmdline

Filesize
273B

MD5
8c6d01b2b256bf966103a8ee0c8c942f

SHA1
76262f36e2d7c835926b4f6b90fb054da746287c

SHA256
6576cf99f0be72976f58a171be142fbe33288d0c1f9fa7e98f98acad11bd9961

SHA512
91c234ecc8812b79a9bba8336e7e632adb2007477ac116426796b66659eb0646df974a38453554949fd269f89346f43ba610796fee8aef0db21e7630643f802a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
76b3832fde0525cf4d96ce867b27f006

SHA1
cd57f2c68abf969c01e5b91b6af8725b5ffa70e1

SHA256
483019579c634e6621cd0bceea27d5955a32c5b8246d8889dfa1c9d29f1804d6

SHA512
297d8f152baf75b454de5f59093f50205d5d91e619ca759ea1a016e131ac99bee1418208126a4be769d04134252f850e81663cd880b804a5962b60e1493a73f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29CE.tmp

Filesize
1KB

MD5
8d679e0ba4b3198867a5362d0a6b1a9f

SHA1
14a5a32b5d9c2de69221b1c68bd0349a1f229c7a

SHA256
b92bc37f1fc2e6a3d181510ad2889a64d29d6850bd4bdd9bcba99964c8329460

SHA512
b0641149c8e137c1025afdc7da5a942c1e0e675c673d8a3b95a3bcbf4d387cbc37934b8ba3b81c7ea15c8e76a65f372bd49eb1b9cfd9979f082244844b0528f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp.exe

Filesize
12KB

MD5
8279ca277572245e506ad5be357bb912

SHA1
31175d71fa525d8b4a2ec62ae54bfcc721d84abd

SHA256
39372d6648295ffcbe53fc6ca8f325089121163e0a37ea431d179506a8c2fcbf

SHA512
3ff9ce9aa83ba140cce4529bd2ac4a1c3fb851c19be465055b52144c1bcf2290b993fee7f6b57e71ca24d775de28de039d1d31b673bcf602282b98336dfefd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEACF80D4FC324DEE8D99348C66AA487.TMP

Filesize
1KB

MD5
93a28da04eb1208a099062942ab412d0

SHA1
1a8028fa9e0a28733806ef7406459b4a71dbbcf1

SHA256
83cc2a4d2392f8bbf15cc3808b348382da4a2f4c9513e4cc4fbb7995bae22612

SHA512
fab8b348d6beb79b0f8459166798fef2d6dd2c237bb67d14fdcfaabd436dae7a3de05a81a41729659fbe0c74c2062d30a96e60da16b52dfac53ee3a4045f32f4

Download Submit
memory/2732-23-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2932-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x00000000011C0000-0x00000000011CA000-memory.dmp

Filesize
40KB

Download
memory/2932-8-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-24-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing