Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/07/2023, 19:19
Static task
static1
Behavioral task
behavioral1
Sample
ave603jsjsjsjsjsjsjsjsjsj.js
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
ave603jsjsjsjsjsjsjsjsjsj.js
Resource
win10v2004-20230703-en
General
-
Target
ave603jsjsjsjsjsjsjsjsjsj.js
-
Size
46KB
-
MD5
734c08060ad526d0c40be2cdef4c84d4
-
SHA1
4db13fddae48543582f8975884770d5ec4b56482
-
SHA256
48a8c57895c2cfdf13a402e669a9964f56128521404e47b4727672f8ca91a90d
-
SHA512
fe00bc4d731bd2e0493a255cc0de5a1ff05aac8091ba2134c02f47e8f1ff723afbb25113d21646980952fb4991c818e29034770913d59e118ad892b2d13d443e
-
SSDEEP
768:2edhq6YG8y1GT/BibL8NmKspYMWjAtRi3i/WfCS8IFvHkgAJBFyt:jHJR1G9ibLomd6DMtRYi/jWfkgAJfyt
Malware Config
Extracted
https://virvatulishop.com/labda.zip
https://virvatulishop.com/files/
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation
Process: wscript.exe -
Executes dropped EXE 1 IoCs
pid: 3892 Process: client32.exe -
Loads dropped DLL 5 IoCs
pid: 3892 Process: client32.exe (5 dropped DLL loads recorded) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid: 3664 Process: powershell.exe (2 entries) -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege pid: 3664 Process: powershell.exe
Token: SeSecurityPrivilege pid: 3892 Process: client32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid: 3892 Process: client32.exe -
Suspicious use of WriteProcessMemory 5 IoCs
PID 2600 wrote to memory of 3664 | pid: 2600 Process: wscript.exe | procid_target: 85 (2 entries)
PID 3664 wrote to memory of 3892 | pid: 3664 Process: powershell.exe | procid_target: 89 (3 entries)
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ave603jsjsjsjsjsjsjsjsjsj.js
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2600 -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\ci6dzrr.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3664 -
    C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
    "C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3892
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5 d83dc9e78a9b12b1cda85e65346f50d1
SHA1 9435de2c91c3bad6ec6ee038d55aeb8c20abd48a
SHA256 a590116ad5c79bb6201ac6067101b388ae853dc8d40debd3d2cd9912f96cb94b
SHA512 c9d1192b65552e72c33c1c18f7e0e3f01a7ffa855bb56f0039a380753c002b521d203be4e9b0467ca008921e2ef52573df2ed5fd59d782639c52aad65af22a3d
-
Filesize
320KB
MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
Filesize
755KB
MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
262B
MD5 b9956282a0fed076ed083892e498ac69
SHA1 d14a665438385203283030a189ff6c5e7c4bf518
SHA256 fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc
SHA512 7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb
-
Filesize
18KB
MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
Filesize
3.5MB
MD5 9c9302e75c25c2ba996efd89a1047205
SHA1 9e79627ff32d5abd3382b65a509baeb31c78a7f2
SHA256 beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1
SHA512 d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1
-
Filesize
113KB
MD5 45fe5531717cd1b9532cbb6a5daaeb3a
SHA1 cb908e267a08c37d7e184f47f788e82cca38f83e
SHA256 ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9
SHA512 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb
-
Filesize
605B
MD5 a252f22f61f960c54fa32ae0de7dd17c
SHA1 00fe1097e70f1f6307e6bc68f40d49abb01dd2d5
SHA256 a5be7a73bbed8ec4e1a7819289da5412fe9ddf628941aa3b35fbe7454f148618
SHA512 7998e6cd43853b77e38cfedf0b6081c2965c9facb891ebd9a33db0e39b71d683f218174d87f99d5ab22983632c4c319bd63ec9dcbf1cbc81a77e3053ae3f1593
-
Filesize
32KB
MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2
-