Overview

overview

3

Static

static

1

Vasar Late...se.ps1

windows10-1703-x64

3

Vasar Late...is.ps1

windows10-1703-x64

3

Vasar Late...on.ps1

windows10-1703-x64

3

Vasar Late...er.ps1

windows10-1703-x64

3

Vasar Late...ls.ps1

windows10-1703-x64

3

Vasar Late...el.ps1

windows10-1703-x64

1

Vasar Late...on.ps1

windows10-1703-x64

1

Vasar Late...sh.ps1

windows10-1703-x64

1

Vasar Late...us.ps1

windows10-1703-x64

1

Vasar Late...sk.ps1

windows10-1703-x64

1

Vasar Late...na.ps1

windows10-1703-x64

1

Vasar Late...orm.js

windows10-1703-x64

1

Vasar Late...orm.js

windows10-1703-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15/04/2023, 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vasar Latest/src/Warro/Jarvis.ps1

  • Size

    13KB

  • MD5

    402e050894b045e7cf7c861cb2e9e450

  • SHA1

    cb5fa278d60b19566e2f81f041bed34428ef4c66

  • SHA256

    b297491414c82eb1231d67e1da0271c80f722a06dea78d45dafb0d108e38cab4

  • SHA512

    110fa50bacef75ceb6d673b376a1afe4ac636e43c1543786e5fc3d86aabbb617e6c70e22be83f8270623026d5c8f746187bcb0cfec08c8ffda8d68929ec2bf31

  • SSDEEP

    192:vJ3ZPKR1G5dS19XJrc3frPPJrtrgX/3WjPmRjSFE6v3aLqysHM/D:v5dI1R5rCfDJJs/68Oc

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Vasar Latest\src\Warro\Jarvis.ps1"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4080
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4080 -s 2032
      2⤵
      • Program crash
      PID:960
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.0.2021347469\1025041843" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1660 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8376c3cf-3bfb-453b-8daf-a4d4c08b7d6b} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 1748 20b6e319e58 gpu
        3⤵
          PID:1420
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.1.722146404\787718609" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb876dcb-d6ba-4fc9-be94-878402889bd4} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 2104 20b6d20fd58 socket
          3⤵
            PID:2988
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.2.1054407916\524343163" -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3092 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ffb9f42-0e3d-4fee-8143-c16b763ccd46} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 3108 20b70ded258 tab
            3⤵
              PID:5064
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.3.1691115447\423796143" -childID 2 -isForBrowser -prefsHandle 2788 -prefMapHandle 2648 -prefsLen 26641 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {896f7500-bfc2-4354-a79f-36a190a5b837} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 3452 20b6e70c858 tab
              3⤵
                PID:924
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.4.1504405307\1287811596" -childID 3 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 26641 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb6500bf-4b7f-4406-81bf-5eac54e3445f} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 3712 20b61b5ee58 tab
                3⤵
                  PID:1412
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.6.1263556019\1418914641" -childID 5 -isForBrowser -prefsHandle 4608 -prefMapHandle 3852 -prefsLen 26700 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a66c7ec7-49c4-47db-9a82-813c68e37be3} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 4624 20b732ecb58 tab
                  3⤵
                    PID:2440
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.7.523424164\316413397" -childID 6 -isForBrowser -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 26700 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65c0f507-41b7-4bb5-b949-35d3b369f030} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 4852 20b732eb958 tab
                    3⤵
                      PID:4160
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.5.2119093811\1719152243" -childID 4 -isForBrowser -prefsHandle 4588 -prefMapHandle 4584 -prefsLen 26700 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4521b527-c8aa-43a3-8964-f2dc9179a082} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 4596 20b71f20858 tab
                      3⤵
                        PID:2752
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.8.553103710\1117430775" -childID 7 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 27063 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51424de1-2139-4b83-92f8-ae1224b7452e} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 2896 20b6d560058 tab
                        3⤵
                          PID:168
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.9.975036560\227517892" -childID 8 -isForBrowser -prefsHandle 4540 -prefMapHandle 2732 -prefsLen 27695 -prefMapSize 232675 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1571953-cd4e-4038-93cc-70955f0423c2} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 4632 20b73ae0258 tab
                          3⤵
                            PID:4788

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        141KB

                        MD5

                        c0e1888d996608b811bf0e2beefcee91

                        SHA1

                        102501a4c08b3177606e3f201e2bc70b747306bc

                        SHA256

                        d3fb3dbe84081da838086e1d81e9ba631f92ff90074c1e6ee3728a52a88619a0

                        SHA512

                        4ec71ffbed0dd8bc46795e6994dd36f50c3efe26f83331d859ecb22a53b381220fd4e8405d82ddc08ee0294dfdfee64bd8e072ac527db81aa08c8a450640a9c3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvkq4eai.4cw.ps1
                        Filesize

                        1B

                        MD5

                        c4ca4238a0b923820dcc509a6f75849b

                        SHA1

                        356a192b7913b04c54574d18c28d46e6395428ab

                        SHA256

                        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                        SHA512

                        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        f843fc3b858888d342076c7199266348

                        SHA1

                        97dea7b7d8486f03cc085ef488fda80fe53515a0

                        SHA256

                        19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4

                        SHA512

                        9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        c405a696e9e0af6c6e79ce3143a2511a

                        SHA1

                        090e6a997abf3e0f87f7b3b4dc44cb33fac9e61a

                        SHA256

                        7e4c63798b2baf94e69d594cdb99e362948ad4c1fea4a52712835266b762f64f

                        SHA512

                        df48b0007af2cffeea594e6de32023886f416357402449ab2468f40226ad2f3d242c355eee7a74cea0f80cec98385e7f37f2724f369d73870d1733e3e4466e0c

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        c884934bc365953d351453d4d82ccaec

                        SHA1

                        ca205b04d8c80df0fe778baf404d248d739e7795

                        SHA256

                        ae7411a3a17a40edaacb2685e2daf35fcea8f0003dfe95143d19f6e9ebf9c933

                        SHA512

                        91431a843eae5f625e37c8775f9b24729c7168b966681b1665de5e1e32c4b7204302af9ed19ef25dd137296e33430e1e1ec26edf035f28a32a1ca6b3c68a7596

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        13f4ea7224417985aabae4a2f59fc2ba

                        SHA1

                        2d20752d98ce84d37a69d349d2c008e302748b59

                        SHA256

                        929688d666a67a627252819b523a1a80c92a092a94b155728b8ae603ec370c4f

                        SHA512

                        0cf9e68368fff17491537a97f62cd1dc0ac9d1d7330cb2ad3f3e252ad973097fd53e416c70e9c0abb7a5cf97ac92e58f364fa96c47c95c071df71aca94dd8501

                        Download Submit

                      • memory/4080-151-0x00000195F9990000-0x00000195F99A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4080-155-0x00000195F9990000-0x00000195F99A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4080-156-0x00000195F9990000-0x00000195F99A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4080-154-0x00000195F9990000-0x00000195F99A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4080-153-0x00000195F9990000-0x00000195F99A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4080-152-0x00000195F9990000-0x00000195F99A0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/4080-125-0x00000195FA330000-0x00000195FA352000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4080-128-0x00000195FA4E0000-0x00000195FA556000-memory.dmp

                        Filesize

                        472KB

                        Download