Resubmissions
05-12-2022 21:13 (this report)
Task ID             Score  Submitted
221205-z22ahsgd73   8      05-12-2022 21:10
221205-z1gvgsgc28   1      05-12-2022 21:03
221205-zv9y3sff85   8
Analysis
Max time kernel: 103s
Max time network: 128s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-12-2022 21:13
Static task: static1
Behavioral task: behavioral1
  Sample: rhinderman-dp57832dof.vbs
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: rhinderman-dp57832dof.vbs
  Resource: win10v2004-20220901-en
General
Target: rhinderman-dp57832dof.vbs
Size: 185KB
MD5: 1f3c3bd722f1977663709b2739e8cea3
SHA1: 61079b6de9b823ddc396ab2c3e4c5e71baac894d
SHA256: 4f0f80980912db3e2581b35a2f10dbf6878f64edad582dc313a53c67d2d25ee4
SHA512: 27fea4e59b6b6d6e3378fdfd88ffa67e87c3529c1acdd2311e131e0beb94cc71aeacf44481e8bb0ff339888e750f9e1193bd85c250483ad26d439f98bd8eb6fa
SSDEEP: 3072:kplHxF6DsKhYq9crPOV0I19GU7YZbcCyK+PmCtRblz0zvfVGxpkjfgzkWVhfy+xU:kplHx04y9uPilOZbc17RNmvahxyUDBsr
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Process      Flow  PID
  WScript.exe  31    2404
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Flow  IoC                     Value
  31    HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Process      PID   Token
  msiexec.exe  4392  SeShutdownPrivilege
  msiexec.exe  4392  SeIncreaseQuotaPrivilege
  msiexec.exe  1328  SeSecurityPrivilege
  msiexec.exe  4392  SeCreateTokenPrivilege
  msiexec.exe  4392  SeAssignPrimaryTokenPrivilege
  msiexec.exe  4392  SeLockMemoryPrivilege
  msiexec.exe  4392  SeIncreaseQuotaPrivilege
  msiexec.exe  4392  SeMachineAccountPrivilege
  msiexec.exe  4392  SeTcbPrivilege
  msiexec.exe  4392  SeSecurityPrivilege
  msiexec.exe  4392  SeTakeOwnershipPrivilege
  msiexec.exe  4392  SeLoadDriverPrivilege
  msiexec.exe  4392  SeSystemProfilePrivilege
  msiexec.exe  4392  SeSystemtimePrivilege
  msiexec.exe  4392  SeProfSingleProcessPrivilege
  msiexec.exe  4392  SeIncBasePriorityPrivilege
  msiexec.exe  4392  SeCreatePagefilePrivilege
  msiexec.exe  4392  SeCreatePermanentPrivilege
  msiexec.exe  4392  SeBackupPrivilege
  msiexec.exe  4392  SeRestorePrivilege
  msiexec.exe  4392  SeShutdownPrivilege
  msiexec.exe  4392  SeDebugPrivilege
  msiexec.exe  4392  SeAuditPrivilege
  msiexec.exe  4392  SeSystemEnvironmentPrivilege
  msiexec.exe  4392  SeChangeNotifyPrivilege
  msiexec.exe  4392  SeRemoteShutdownPrivilege
  msiexec.exe  4392  SeUndockPrivilege
  msiexec.exe  4392  SeSyncAgentPrivilege
  msiexec.exe  4392  SeEnableDelegationPrivilege
  msiexec.exe  4392  SeManageVolumePrivilege
  msiexec.exe  4392  SeImpersonatePrivilege
  msiexec.exe  4392  SeCreateGlobalPrivilege
- Suspicious use of WriteProcessMemory (2 IoCs)
  Source PID  Source process  Target PID  Target process
  2404        WScript.exe     4392        msiexec.exe
  2404        WScript.exe     4392        msiexec.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rhinderman-dp57832dof.vbs"
  PID: 2404
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\msiexec.exe
      Command line: msiexec /i C:\programData\TTZUCKU2L.bin /qn
      PID: 4392
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1328
  - Suspicious use of AdjustPrivilegeToken
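The process tree and signatures above describe one chain: a VBScript under WScript.exe (PID 2404) makes an HTTP request with the default user-agent of the WinHttp.WinHttpRequest COM object, then launches msiexec to silently install a package that is not an .msi and lives under C:\ProgramData. The second msiexec (PID 1328, `/V`) is the Windows Installer service instance that services that install; it appears in benign installs too. The Python below is an added hunting example, not part of the Triage report or its tooling: it runs those checks over constructed process-creation records modelled on the report's PIDs (the parent PIDs of 2404 and 1328, the `explorer.exe`/`services.exe` parents and the benign control event are assumed) and over the user-agent string from flow 31.

```python
"""Added hunting example (not from the Triage report or its tooling): flag the
WScript.exe -> msiexec.exe /i <user-writable path> /qn chain seen in the report,
plus the WinHttpRequest user-agent, over constructed records. Field names loosely
follow Sysmon Event ID 1; the events are made up to mirror PIDs 2404, 4392 and 1328."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Constructed sample events. Parent PIDs/images for 2404 and 1328 and the benign
# control event (PID 5000) are assumptions, not data from the report.
SAMPLE_EVENTS = [
    ProcEvent(2404, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rhinderman-dp57832dof.vbs"',
              1234, r"C:\Windows\explorer.exe"),
    ProcEvent(4392, r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\programData\TTZUCKU2L.bin /qn",
              2404, r"C:\Windows\System32\WScript.exe"),
    # Windows Installer service instance; spawned by services.exe during any install.
    ProcEvent(1328, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V",
              700, r"C:\Windows\system32\services.exe"),
    # Benign control: a user opening a downloaded .msi from Explorer.
    ProcEvent(5000, r"C:\Windows\System32\msiexec.exe",
              r'msiexec /i "C:\Users\Admin\Downloads\tool.msi"',
              2800, r"C:\Windows\explorer.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# msiexec accepts both / and - switches; /i or /package names the package to install.
INSTALL_RE = re.compile(r'(?:^|\s)[/-](?:i|package)\s+"?([^"\s]+)', re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)[/-]q[nb]?\b", re.IGNORECASE)
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\public\\",
                 "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_msiexec(ev: ProcEvent) -> list[str]:
    """Reasons this msiexec launch resembles the report's chain; empty if benign."""
    if basename(ev.image) != "msiexec.exe":
        return []
    reasons = []
    if basename(ev.parent_image) in SCRIPT_HOSTS:
        reasons.append(f"parent is script host {basename(ev.parent_image)}")
    m = INSTALL_RE.search(ev.command_line)
    if m:
        pkg = m.group(1)
        if any(d in pkg.lower() for d in WRITABLE_DIRS):
            reasons.append(f"package in user-writable dir: {pkg}")
        if not pkg.lower().endswith(".msi"):
            reasons.append(f"package without .msi extension: {pkg}")
    # A silent install only corroborates: on its own it is how most legitimate
    # deployment tooling runs msiexec, so it never fires alone.
    if reasons and QUIET_RE.search(ev.command_line):
        reasons.append("silent install (/q)")
    return reasons


def hunt(events) -> dict[int, list[str]]:
    """Map PID -> reasons for every event that fires."""
    hits = {}
    for ev in events:
        reasons = suspicious_msiexec(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


# Default User-Agent of the WinHttp.WinHttpRequest COM object, which this sample used
# from VBScript (flow 31 in the report). No browser sends it.
SCRIPT_UA_MARKERS = ("winhttp.winhttprequest",)


def is_script_host_user_agent(ua: str) -> bool:
    return any(marker in ua.lower() for marker in SCRIPT_UA_MARKERS)


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
    print(is_script_host_user_agent(
        "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"))
```

Only PID 4392 fires, with four reasons; the service instance (/V) and the Explorer-launched .msi stay quiet. Feed real Sysmon or EDR process events into `ProcEvent` and proxy logs into `is_script_host_user_agent` to run the same logic at scale.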
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: 8dfb38e362634a03cf8674eecb644c52
  SHA1: ed2eb4e5cbca8690ceb9585b0f4b766b363e8989
  SHA256: 281bc7900f2e70de68932243fc74d2b481262043df86bf409dfb2b375cb6e10c
  SHA512: 98cdce04ccc236782f9e3233bd6bcfe46b742d8d3f7b3e7b49b5f251d0c89b20bf11d81ae6cf9b120ee5f70d5e8ac8bd7d22a1b3822dae7db2fd37b3208dc4c8