ec91954a19d06385bd4f5c9dec376f6a404accf89091f133c5f5064cde2635d5

Resubmissions

01/02/2023, 23:44

230201-3q4s2sdd64 8

01/02/2023, 23:23

230201-3dk56sdc45 8

01/02/2023, 22:30

230201-2eybfseg3x 10

Analysis

max time kernel
140s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2023, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mmercado-ve73580jov.vbs
Size

171KB
MD5

f3bf7594bf80e589cc9f79a1b606c21c
SHA1

12b58b7a2a6b92a3795d990c42ba32458042a20f
SHA256

801bf25da88afd12245112510da0bbc2f3f40dd8431b5330b6ebd325c8d110f3
SHA512

60b253506b66fcfe4cf52aca6469694a580cc70b1dab3863d326026b1108daca69bf7fa65fe9d6335c4a9593ee1473588e43b365ba21f160fe0a392452b904f0
SSDEEP

3072:RckLC3Zum3JcLwyADu7wztcX19WbJ9LCNq8I+zzb/M8njsrw7Ayr8oHNghP:RcAC3Zf3uLPANCNh/b5j3HqhP

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
45	3196	WScript.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	4952	WerFault.exe	85

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1260	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1260	msiexec.exe
Token: SeSecurityPrivilege	3740	msiexec.exe
Token: SeCreateTokenPrivilege	1260	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1260	msiexec.exe
Token: SeLockMemoryPrivilege	1260	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1260	msiexec.exe
Token: SeMachineAccountPrivilege	1260	msiexec.exe
Token: SeTcbPrivilege	1260	msiexec.exe
Token: SeSecurityPrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeLoadDriverPrivilege	1260	msiexec.exe
Token: SeSystemProfilePrivilege	1260	msiexec.exe
Token: SeSystemtimePrivilege	1260	msiexec.exe
Token: SeProfSingleProcessPrivilege	1260	msiexec.exe
Token: SeIncBasePriorityPrivilege	1260	msiexec.exe
Token: SeCreatePagefilePrivilege	1260	msiexec.exe
Token: SeCreatePermanentPrivilege	1260	msiexec.exe
Token: SeBackupPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeShutdownPrivilege	1260	msiexec.exe
Token: SeDebugPrivilege	1260	msiexec.exe
Token: SeAuditPrivilege	1260	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1260	msiexec.exe
Token: SeChangeNotifyPrivilege	1260	msiexec.exe
Token: SeRemoteShutdownPrivilege	1260	msiexec.exe
Token: SeUndockPrivilege	1260	msiexec.exe
Token: SeSyncAgentPrivilege	1260	msiexec.exe
Token: SeEnableDelegationPrivilege	1260	msiexec.exe
Token: SeManageVolumePrivilege	1260	msiexec.exe
Token: SeImpersonatePrivilege	1260	msiexec.exe
Token: SeCreateGlobalPrivilege	1260	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 1260	3196	WScript.exe	101
PID 3196 wrote to memory of 1260	3196	WScript.exe	101

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mmercado-ve73580jov.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\System32\msiexec.exe
  msiexec /i C:\programData\1GSW3WFQ72X.bin /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4952 -ip 4952
1⤵
PID:3672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4952 -s 1748
1⤵
- Program crash
PID:2492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mmercado-ve73580jov.vbs"
1⤵
PID:4336

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mmercado-ve73580jov.vbs"
1⤵
PID:4432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mmercado-ve73580jov.vbs"
1⤵
PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programData\1GSW3WFQ72X.bin

Filesize
1KB

MD5
20b3d400e73176c0b308f130bafd0158

SHA1
4cb36f52f1d602a21f06c3414147687e1fd910ff

SHA256
96c411bf0fccd24c6dc3064a1be1c8349e494e6669c9309a0d7ca9f2dd6f377c

SHA512
d13476b4cd3128a85666acdffa9c5a5b044c0edfdcef102647661a4ea621ce33416ac40fec2c74578b7bc59ce3d666f4ea7d96b71f393185eeab7ab9c0de0b61

Download Submit