a3b40d0da7698d2c0a259980c6f220031afbcf99e1d887fd8c10da8de997aabf

Analysis

max time kernel
165s
max time network
191s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 08:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RisingHairTwelve.vbs
Size

978KB
MD5

e570b4f85c1b2364ba6deb55532151d4
SHA1

daefcf744583cc8c7cca3efe2855a5eefcd607ed
SHA256

a3b40d0da7698d2c0a259980c6f220031afbcf99e1d887fd8c10da8de997aabf
SHA512

621cba41523e3c2b9e6cf0ea55341ff42033ba52ad9602f71a2a61a39e0ab5a4876a509762e7863e1aa0841f19bd9120f06355414fbfbd6009c18006efe88d63
SSDEEP

12288:S62e7B1rmjQ9C06nyudVY6tTMsbmCxWuIZZf8spSdYQw7Yq9d0wYL8evlf5X:HbuPK66CYLtW/BZ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3016	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3016	WScript.exe
3016	WScript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	WScript.exe
Token: SeDebugPrivilege	3016	WScript.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3016	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RisingHairTwelve.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\text_log.dbg

Filesize
2KB

MD5
5fadc46324680e6ac769f218245db36d

SHA1
d06718ce41fcfef9d1efeea74aa79c685855fcd5

SHA256
ce49e8e18de5e74f62644c46cb4db498f741b64252cb6f2ffbb751ee2480dc47

SHA512
89160025516b64eb11ae9c918d3c6e0cb602c3ee32b38d1b78f9c9865e6c11cab1f82edb484cb62a93bf8b28fbf9ba3a452c33a4083592a46efb3e915f1d5296

Download Submit
C:\Windows\Temp\text_log.dbg

Filesize
4KB

MD5
6123bacf901f4466d1f06f9f9b713a78

SHA1
9ff3ad33e52c8017abacc6cd0c75144bc1ae8e5c

SHA256
64473f22122583b8276f443a2c610287dd6004d7ad94284294d9f17dabcc2ea5

SHA512
33625be39617fcef3401073b766363be09e3c0b3ccf2070b8c96d3871afecf407a8544c595a84bf87ddcc23eb449d94d2a85286297bc564f2810e7069dc71984

Download Submit
C:\Windows\Temp\text_log.dbg

Filesize
1KB

MD5
4b91b539777acbd06e1ab83b778042f3

SHA1
8108e6b47a24df6048704ee4df58ac3d4f142ed1

SHA256
515f88b234dfe0f8b3166dd83d3ccef04be75cb7839640514eef2d8dd7c9bc95

SHA512
d88c9b3abb0389fc996a10e084eaa415641772decfd06be35a30e2aaa762147b841893bb1ad7a81c48bdaf206fb191078437b9709aae8aa6f42d4346b2fe0628

Download Submit
C:\Windows\Temp\text_log.dbg

Filesize
1KB

MD5
4b91b539777acbd06e1ab83b778042f3

SHA1
8108e6b47a24df6048704ee4df58ac3d4f142ed1

SHA256
515f88b234dfe0f8b3166dd83d3ccef04be75cb7839640514eef2d8dd7c9bc95

SHA512
d88c9b3abb0389fc996a10e084eaa415641772decfd06be35a30e2aaa762147b841893bb1ad7a81c48bdaf206fb191078437b9709aae8aa6f42d4346b2fe0628

Download Submit
C:\Windows\Temp\text_log.dbg

Filesize
1KB

MD5
4e76f130839d8e890a341687b6de6196

SHA1
823172f770832e6402504fda250dfd2b0499c7ea

SHA256
ef20a9d3f52bc62b81024e5438681b4a7f97e00aad9e01e5f1832b5bb3f5d7e8

SHA512
024882ff658de85ce1c7a3ba8c7a3a3d93359ea1efc73375b5eb364c001f00fe3368b394a2932e0504ff91410ab4a69381b9e3145edeb8ef9f9264285309c15c

Download Submit
memory/3016-1192-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1197-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-2-0x0000000003720000-0x000000000376C000-memory.dmp

Filesize
304KB

Download
memory/3016-1-0x000000001DB00000-0x000000001DBF6000-memory.dmp

Filesize
984KB

Download
memory/3016-1183-0x00000000021A0000-0x00000000021C0000-memory.dmp

Filesize
128KB

Download
memory/3016-1190-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1191-0x00000000021A0000-0x00000000021C0000-memory.dmp

Filesize
128KB

Download
memory/3016-0-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-1193-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-1194-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1196-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-3-0x000000001D1E0000-0x000000001D260000-memory.dmp

Filesize
512KB

Download
memory/3016-1198-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1199-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1200-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1202-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1204-0x000000001D1E0000-0x000000001D260000-memory.dmp

Filesize
512KB

Download
memory/3016-1203-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1209-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1210-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download
memory/3016-1220-0x0000000004BC0000-0x0000000004C11000-memory.dmp

Filesize
324KB

Download