5a9e70e56fd4c64e9602f9da8f938334c74f9416c8200c84483a2a2bc4ab88f8

Resubmissions

05-12-2022 21:13

05-12-2022 21:10

05-12-2022 21:03

max time kernel
103s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 21:13

Target

rhinderman-dp57832dof.vbs
Size

185KB
MD5

1f3c3bd722f1977663709b2739e8cea3
SHA1

61079b6de9b823ddc396ab2c3e4c5e71baac894d
SHA256

4f0f80980912db3e2581b35a2f10dbf6878f64edad582dc313a53c67d2d25ee4
SHA512

27fea4e59b6b6d6e3378fdfd88ffa67e87c3529c1acdd2311e131e0beb94cc71aeacf44481e8bb0ff339888e750f9e1193bd85c250483ad26d439f98bd8eb6fa
SSDEEP

3072:kplHxF6DsKhYq9crPOV0I19GU7YZbcCyK+PmCtRblz0zvfVGxpkjfgzkWVhfy+xU:kplHx04y9uPilOZbc17RNmvahxyUDBsr

Score

8^/10

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

31 2404 WScript.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 31 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

flow	pid	process
31	2404	WScript.exe

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4392	msiexec.exe
Token: SeSecurityPrivilege	1328	msiexec.exe
Token: SeCreateTokenPrivilege	4392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4392	msiexec.exe
Token: SeLockMemoryPrivilege	4392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4392	msiexec.exe
Token: SeMachineAccountPrivilege	4392	msiexec.exe
Token: SeTcbPrivilege	4392	msiexec.exe
Token: SeSecurityPrivilege	4392	msiexec.exe
Token: SeTakeOwnershipPrivilege	4392	msiexec.exe
Token: SeLoadDriverPrivilege	4392	msiexec.exe
Token: SeSystemProfilePrivilege	4392	msiexec.exe
Token: SeSystemtimePrivilege	4392	msiexec.exe
Token: SeProfSingleProcessPrivilege	4392	msiexec.exe
Token: SeIncBasePriorityPrivilege	4392	msiexec.exe
Token: SeCreatePagefilePrivilege	4392	msiexec.exe
Token: SeCreatePermanentPrivilege	4392	msiexec.exe
Token: SeBackupPrivilege	4392	msiexec.exe
Token: SeRestorePrivilege	4392	msiexec.exe
Token: SeShutdownPrivilege	4392	msiexec.exe
Token: SeDebugPrivilege	4392	msiexec.exe
Token: SeAuditPrivilege	4392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4392	msiexec.exe
Token: SeChangeNotifyPrivilege	4392	msiexec.exe
Token: SeRemoteShutdownPrivilege	4392	msiexec.exe
Token: SeUndockPrivilege	4392	msiexec.exe
Token: SeSyncAgentPrivilege	4392	msiexec.exe
Token: SeEnableDelegationPrivilege	4392	msiexec.exe
Token: SeManageVolumePrivilege	4392	msiexec.exe
Token: SeImpersonatePrivilege	4392	msiexec.exe
Token: SeCreateGlobalPrivilege	4392	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 2404 wrote to memory of 4392	2404	WScript.exe	msiexec.exe
PID 2404 wrote to memory of 4392	2404	WScript.exe	msiexec.exe

C:\Windows\System32\msiexec.exe
msiexec /i C:\programData\TTZUCKU2L.bin /qn
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\programData\TTZUCKU2L.bin

Filesize
1KB

MD5
8dfb38e362634a03cf8674eecb644c52

SHA1
ed2eb4e5cbca8690ceb9585b0f4b766b363e8989

SHA256
281bc7900f2e70de68932243fc74d2b481262043df86bf409dfb2b375cb6e10c

SHA512
98cdce04ccc236782f9e3233bd6bcfe46b742d8d3f7b3e7b49b5f251d0c89b20bf11d81ae6cf9b120ee5f70d5e8ac8bd7d22a1b3822dae7db2fd37b3208dc4c8

Download Submit
memory/4392-132-0x0000000000000000-mapping.dmp

Download