Overview

overview

10

Static

static

1

document3044011243.js

windows7-x64

10

document3044011243.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-07-2023 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    document3044011243.js

  • Size

    976KB

  • MD5

    c7a0d6962c3a798b4d6603a41e9a8647

  • SHA1

    7ab2a4088f1a66b33a7b02f40d255427e319afbc

  • SHA256

    32d14ea85053943fb0d99b86ebad7a974d6afc460dfaeb57afa90a974f18da99

  • SHA512

    5f59c33b9c765dc3cc874693b4598fd23a11d3d39501cf452810e71416d5164914bbfd63b95e9d556ecb317783d383b373518d367f2702ee16461c30717225b6

  • SSDEEP

    12288:fwERJLB3YMdX3uMYmlRdex/TSJaSGVobPb2NCYxY8:NV9nuM+AJaSaobPKB

Score
10/10
strelastealer

Malware Config

Extracted

Family

strela

C2

91.215.85.209

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

    stealerstrela
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\document3044011243.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\document3044011243.js" "C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat" && "C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\system32\findstr.exe
        FinDSTr /V S8MG8U ""C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat""
        3⤵
          PID:1280
        • C:\Windows\system32\certutil.exe
          ceRtutiL -f -deCOdEHEX 6GU5S0 U7RWGI.dll
          3⤵
            PID:4108
          • C:\Windows\system32\rundll32.exe
            ruNdll32 U7RWGI.dll,f
            3⤵
            • Loads dropped DLL
            PID:4476

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\6GU5S0
        Filesize

        975KB

        MD5

        7e55b8e413793afc59ad0b63d9d07139

        SHA1

        767bbfc09ce3bbfb00a5973314b2ed62160adb4d

        SHA256

        bd95dfd3851b44fe2e94ee2b8692e97befb0ebd0898a1736caf1f9ae953bce64

        SHA512

        78e1be96020f75281bd3f9ff066dee84c66eac8daba7dd3626cac9992ee9e44aa9cd13a2e93344c702d01ff38e4b2e8dd7bdcfed7a28dca1abb25e46bcb54682

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat
        Filesize

        976KB

        MD5

        c7a0d6962c3a798b4d6603a41e9a8647

        SHA1

        7ab2a4088f1a66b33a7b02f40d255427e319afbc

        SHA256

        32d14ea85053943fb0d99b86ebad7a974d6afc460dfaeb57afa90a974f18da99

        SHA512

        5f59c33b9c765dc3cc874693b4598fd23a11d3d39501cf452810e71416d5164914bbfd63b95e9d556ecb317783d383b373518d367f2702ee16461c30717225b6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat
        Filesize

        976KB

        MD5

        c7a0d6962c3a798b4d6603a41e9a8647

        SHA1

        7ab2a4088f1a66b33a7b02f40d255427e319afbc

        SHA256

        32d14ea85053943fb0d99b86ebad7a974d6afc460dfaeb57afa90a974f18da99

        SHA512

        5f59c33b9c765dc3cc874693b4598fd23a11d3d39501cf452810e71416d5164914bbfd63b95e9d556ecb317783d383b373518d367f2702ee16461c30717225b6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\U7RWGI.dll
        Filesize

        325KB

        MD5

        fb336ab43aa1d1ab7c60595c49a04daf

        SHA1

        a565d84e86e3d4ce8dd809ab6f740550bf46757b

        SHA256

        34f497374a0af2d4d9714e2af401722d6ab62149cf097f447d7a3209e72d8f0e

        SHA512

        763e199347cbd926817f9d32531f6f9fa2016bf68b5ccb1f35456d7a5096d873dfd9b10999a954f0b8f6b19136e593e03733c9c0e89d99e9ccf058c6b90f4b0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\U7RWGI.dll
        Filesize

        325KB

        MD5

        fb336ab43aa1d1ab7c60595c49a04daf

        SHA1

        a565d84e86e3d4ce8dd809ab6f740550bf46757b

        SHA256

        34f497374a0af2d4d9714e2af401722d6ab62149cf097f447d7a3209e72d8f0e

        SHA512

        763e199347cbd926817f9d32531f6f9fa2016bf68b5ccb1f35456d7a5096d873dfd9b10999a954f0b8f6b19136e593e03733c9c0e89d99e9ccf058c6b90f4b0a

        Download Submit

      • memory/4476-148-0x000002980F430000-0x000002980F451000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4476-149-0x000000006D7C0000-0x000000006D819000-memory.dmp

        Filesize

        356KB

        Download

      • memory/4476-150-0x000002980F430000-0x000002980F451000-memory.dmp

        Filesize

        132KB

        Download