Resubmissions
submitted          task id              score
05-12-2022 21:13   221205-z22ahsgd73    8
05-12-2022 21:10   221205-z1gvgsgc28    1
05-12-2022 21:03   221205-zv9y3sff85    8

Analysis
- max time kernel: 120s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2022 21:13
Static task: static1

Behavioral task: behavioral1
  Sample: rhinderman-dp57832dof.vbs
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: rhinderman-dp57832dof.vbs
  Resource: win10v2004-20220901-en
General
- Target: rhinderman-dp57832dof.vbs
- Size: 185KB
- MD5: 1f3c3bd722f1977663709b2739e8cea3
- SHA1: 61079b6de9b823ddc396ab2c3e4c5e71baac894d
- SHA256: 4f0f80980912db3e2581b35a2f10dbf6878f64edad582dc313a53c67d2d25ee4
- SHA512: 27fea4e59b6b6d6e3378fdfd88ffa67e87c3529c1acdd2311e131e0beb94cc71aeacf44481e8bb0ff339888e750f9e1193bd85c250483ad26d439f98bd8eb6fa
- SSDEEP: 3072:kplHxF6DsKhYq9crPOV0I19GU7YZbcCyK+PmCtRblz0zvfVGxpkjfgzkWVhfy+xU:kplHx04y9uPilOZbc17RNmvahxyUDBsr
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: WScript.exe
    flow   pid    process
    3      1388   WScript.exe
    5      1388   WScript.exe

- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
    description: HTTP User-Agent header
    flow: 3
    ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes: msiexec.exe, msiexec.exe
    description                                pid    process
    Token: SeShutdownPrivilege                 952    msiexec.exe
    Token: SeIncreaseQuotaPrivilege            952    msiexec.exe
    Token: SeRestorePrivilege                  980    msiexec.exe
    Token: SeTakeOwnershipPrivilege            980    msiexec.exe
    Token: SeSecurityPrivilege                 980    msiexec.exe
    Token: SeCreateTokenPrivilege              952    msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege       952    msiexec.exe
    Token: SeLockMemoryPrivilege               952    msiexec.exe
    Token: SeIncreaseQuotaPrivilege            952    msiexec.exe
    Token: SeMachineAccountPrivilege           952    msiexec.exe
    Token: SeTcbPrivilege                      952    msiexec.exe
    Token: SeSecurityPrivilege                 952    msiexec.exe
    Token: SeTakeOwnershipPrivilege            952    msiexec.exe
    Token: SeLoadDriverPrivilege               952    msiexec.exe
    Token: SeSystemProfilePrivilege            952    msiexec.exe
    Token: SeSystemtimePrivilege               952    msiexec.exe
    Token: SeProfSingleProcessPrivilege        952    msiexec.exe
    Token: SeIncBasePriorityPrivilege          952    msiexec.exe
    Token: SeCreatePagefilePrivilege           952    msiexec.exe
    Token: SeCreatePermanentPrivilege          952    msiexec.exe
    Token: SeBackupPrivilege                   952    msiexec.exe
    Token: SeRestorePrivilege                  952    msiexec.exe
    Token: SeShutdownPrivilege                 952    msiexec.exe
    Token: SeDebugPrivilege                    952    msiexec.exe
    Token: SeAuditPrivilege                    952    msiexec.exe
    Token: SeSystemEnvironmentPrivilege        952    msiexec.exe
    Token: SeChangeNotifyPrivilege             952    msiexec.exe
    Token: SeRemoteShutdownPrivilege           952    msiexec.exe
    Token: SeUndockPrivilege                   952    msiexec.exe
    Token: SeSyncAgentPrivilege                952    msiexec.exe
    Token: SeEnableDelegationPrivilege         952    msiexec.exe
    Token: SeManageVolumePrivilege             952    msiexec.exe
    Token: SeImpersonatePrivilege              952    msiexec.exe
    Token: SeCreateGlobalPrivilege             952    msiexec.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: WScript.exe
    description          pid    process       target process
    PID 1388 wrote to memory of 952    1388   WScript.exe   msiexec.exe
    PID 1388 wrote to memory of 952    1388   WScript.exe   msiexec.exe
    PID 1388 wrote to memory of 952    1388   WScript.exe   msiexec.exe
    PID 1388 wrote to memory of 952    1388   WScript.exe   msiexec.exe
    PID 1388 wrote to memory of 952    1388   WScript.exe   msiexec.exe
Processes
- C:\Windows\System32\WScript.exe (level 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rhinderman-dp57832dof.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID: 1388
  - C:\Windows\System32\msiexec.exe (level 2)
    Command line: msiexec /i C:\programData\TTZUCKU2L.bin /qn
    - Suspicious use of AdjustPrivilegeToken
    PID: 952
- C:\Windows\system32\msiexec.exe (level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 980
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: 8dfb38e362634a03cf8674eecb644c52
  SHA1: ed2eb4e5cbca8690ceb9585b0f4b766b363e8989
  SHA256: 281bc7900f2e70de68932243fc74d2b481262043df86bf409dfb2b375cb6e10c
  SHA512: 98cdce04ccc236782f9e3233bd6bcfe46b742d8d3f7b3e7b49b5f251d0c89b20bf11d81ae6cf9b120ee5f70d5e8ac8bd7d22a1b3822dae7db2fd37b3208dc4c8