ec91954a19d06385bd4f5c9dec376f6a404accf89091f133c5f5064cde2635d5

Resubmissions

01/02/2023, 23:44

230201-3q4s2sdd64 8

01/02/2023, 23:23

230201-3dk56sdc45 8

01/02/2023, 22:30

230201-2eybfseg3x 10

Analysis

max time kernel
176s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2023, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mmercado-ve73580jov.zip
Size

3.3MB
MD5

d3add4ef9940f485a12da9e987771f32
SHA1

37870b8d6fc40baff80e30cd28fe1e4e01f471b8
SHA256

ec91954a19d06385bd4f5c9dec376f6a404accf89091f133c5f5064cde2635d5
SHA512

bfebfcad3406574ef06205472b055df77e79391d21082c2d90d3d75721cda706a96feb5bb1b43683e5acf03cfe2227705c6672d80973788be4a86b2cb5c554e8
SSDEEP

98304:n5RIKVe2vTKoDvi281DlmZ79IUwXWrkF6z6UQjhEz+:Hc2pDvfQGcwG6z6UQFg+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
107	3988	WScript.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	107	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeRestorePrivilege	2536	7zG.exe
Token: 35	2536	7zG.exe
Token: SeSecurityPrivilege	2536	7zG.exe
Token: SeSecurityPrivilege	2536	7zG.exe
Token: SeRestorePrivilege	4972	7zG.exe
Token: 35	4972	7zG.exe
Token: SeSecurityPrivilege	4972	7zG.exe
Token: SeSecurityPrivilege	4972	7zG.exe
Token: SeShutdownPrivilege	2448	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2448	msiexec.exe
Token: SeSecurityPrivilege	3876	msiexec.exe
Token: SeCreateTokenPrivilege	2448	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2448	msiexec.exe
Token: SeLockMemoryPrivilege	2448	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2448	msiexec.exe
Token: SeMachineAccountPrivilege	2448	msiexec.exe
Token: SeTcbPrivilege	2448	msiexec.exe
Token: SeSecurityPrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeLoadDriverPrivilege	2448	msiexec.exe
Token: SeSystemProfilePrivilege	2448	msiexec.exe
Token: SeSystemtimePrivilege	2448	msiexec.exe
Token: SeProfSingleProcessPrivilege	2448	msiexec.exe
Token: SeIncBasePriorityPrivilege	2448	msiexec.exe
Token: SeCreatePagefilePrivilege	2448	msiexec.exe
Token: SeCreatePermanentPrivilege	2448	msiexec.exe
Token: SeBackupPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeShutdownPrivilege	2448	msiexec.exe
Token: SeDebugPrivilege	2448	msiexec.exe
Token: SeAuditPrivilege	2448	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2448	msiexec.exe
Token: SeChangeNotifyPrivilege	2448	msiexec.exe
Token: SeRemoteShutdownPrivilege	2448	msiexec.exe
Token: SeUndockPrivilege	2448	msiexec.exe
Token: SeSyncAgentPrivilege	2448	msiexec.exe
Token: SeEnableDelegationPrivilege	2448	msiexec.exe
Token: SeManageVolumePrivilege	2448	msiexec.exe
Token: SeImpersonatePrivilege	2448	msiexec.exe
Token: SeCreateGlobalPrivilege	2448	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2536	7zG.exe
4972	7zG.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2448	3988	WScript.exe	102
PID 3988 wrote to memory of 2448	3988	WScript.exe	102

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmercado-ve73580jov.zip
1⤵
PID:2268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2704

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap15420:118:7zEvent19381
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2536

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\mmercado-ve73580jov\" -ad -an -ai#7zMap17348:118:7zEvent24718
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_mmercado-ve73580jov.zip\mmercado-ve73580jov.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\System32\msiexec.exe
  msiexec /i C:\programData\1GSW3WFQ72X.bin /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_mmercado-ve73580jov.zip\mmercado-ve73580jov.vbs"
1⤵
PID:5064

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_mmercado-ve73580jov.zip\mmercado-ve73580jov.vbs"
1⤵
PID:1432

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\AppData\Local\Temp\mmercado-ve73580jov.vbs"
1⤵
PID:3112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mmercado-ve73580jov.vbs

Filesize
171KB

MD5
f3bf7594bf80e589cc9f79a1b606c21c

SHA1
12b58b7a2a6b92a3795d990c42ba32458042a20f

SHA256
801bf25da88afd12245112510da0bbc2f3f40dd8431b5330b6ebd325c8d110f3

SHA512
60b253506b66fcfe4cf52aca6469694a580cc70b1dab3863d326026b1108daca69bf7fa65fe9d6335c4a9593ee1473588e43b365ba21f160fe0a392452b904f0

Download Submit
C:\programData\1GSW3WFQ72X.bin

Filesize
1KB

MD5
20b3d400e73176c0b308f130bafd0158

SHA1
4cb36f52f1d602a21f06c3414147687e1fd910ff

SHA256
96c411bf0fccd24c6dc3064a1be1c8349e494e6669c9309a0d7ca9f2dd6f377c

SHA512
d13476b4cd3128a85666acdffa9c5a5b044c0edfdcef102647661a4ea621ce33416ac40fec2c74578b7bc59ce3d666f4ea7d96b71f393185eeab7ab9c0de0b61

Download Submit