Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 15-08-2023 16:16
Static task: static1
Behavioral task: behavioral1
Sample: f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecabajs_JC.js
Resource: win7-20230712-en
General
Target: f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecabajs_JC.js
Size: 333KB
MD5: 369fb2cf1cb2dcedd67f9340ce47b95c
SHA1: 7074e9849057a5e4ae7debf7b9e9156ed38f654d
SHA256: f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecaba
SHA512: a7ef8924e368e4caf2d3200143f75754733eb2db087bffc8dea6a0b03fbe04fe5edecfa4268e169ca66b9570a218dc2d17da3c4533cdb1b849be50eeda74d55d
SSDEEP: 6144:+k6LXBrAkN2wqug9iX3FOvcAiogR8WorQGGKdLdyNmkzSF9jiKAOtJfgwvs48WFM:+pAa2wqug9iHFOvcAiogR8WorQGGKdL0
Malware Config
Extracted
strela
91.215.85.209
Signatures

Loads dropped DLL (4 IoCs)
Processes:
pid | process
1504 | rundll32.exe
1504 | rundll32.exe
1504 | rundll32.exe
1504 | rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1652 wrote to memory of 2828 | 1652 | wscript.exe | cmd.exe
PID 1652 wrote to memory of 2828 | 1652 | wscript.exe | cmd.exe
PID 1652 wrote to memory of 2828 | 1652 | wscript.exe | cmd.exe
PID 2828 wrote to memory of 2456 | 2828 | cmd.exe | findstr.exe
PID 2828 wrote to memory of 2456 | 2828 | cmd.exe | findstr.exe
PID 2828 wrote to memory of 2456 | 2828 | cmd.exe | findstr.exe
PID 2828 wrote to memory of 988 | 2828 | cmd.exe | certutil.exe
PID 2828 wrote to memory of 988 | 2828 | cmd.exe | certutil.exe
PID 2828 wrote to memory of 988 | 2828 | cmd.exe | certutil.exe
PID 2828 wrote to memory of 1504 | 2828 | cmd.exe | rundll32.exe
PID 2828 wrote to memory of 1504 | 2828 | cmd.exe | rundll32.exe
PID 2828 wrote to memory of 1504 | 2828 | cmd.exe | rundll32.exe
Processes (process tree, indented by depth)

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecabajs_JC.js
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecabajs_JC.js" "C:\Users\Admin\AppData\Local\Temp\\bwipu.bat" && "C:\Users\Admin\AppData\Local\Temp\\bwipu.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe
      Command line: findstr /V eyyou ""C:\Users\Admin\AppData\Local\Temp\\bwipu.bat""

    C:\Windows\system32\certutil.exe
      Command line: certutil -f -decode rpqyx vogac.dll

    C:\Windows\system32\rundll32.exe
      Command line: rundll32 vogac.dll,hello
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\bwipu.bat
Filesize: 333KB
MD5: 369fb2cf1cb2dcedd67f9340ce47b95c
SHA1: 7074e9849057a5e4ae7debf7b9e9156ed38f654d
SHA256: f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecaba
SHA512: a7ef8924e368e4caf2d3200143f75754733eb2db087bffc8dea6a0b03fbe04fe5edecfa4268e169ca66b9570a218dc2d17da3c4533cdb1b849be50eeda74d55d
C:\Users\Admin\AppData\Local\Temp\rpqyx
Filesize: 329KB
MD5: c67ef436f1675d2a87a76888fe132141
SHA1: ef553329ffe56e859072545bb9f259882d53bb54
SHA256: 3ad57e95facaf9acd8356d0054e2821719b7962210cace57ed9a9146636c68b3
SHA512: a21e36d67e33916a67711b9693692ae868c52bfa6402f7fd18a64a268929c3de7e8bb8ad3bc5a547f3e0624a6dff8909bf28a03beda7a145566bc4b2888cd9df

C:\Users\Admin\AppData\Local\Temp\vogac.dll
Filesize: 244KB
MD5: 0b338721a3e9bc698cf9c7a5b1cb75de
SHA1: fc0789a6c590b6c087f60058c3253affd211ec40
SHA256: 0a8ad4d66d69b43cb3e88cab50556f6a98db1e03634da4d7ed0d6b8ced7cb0bd
SHA512: 6f25c8c57bc99a1d741d79236a927257a868278dd55e8a3760935a2996912e9cb8cb4ebae586db449758d1b16fc9d4799211748c4dda769d6cbedc89e8c7353c
memory/1504-2351-0x0000000000410000-0x0000000000431000-memory.dmp
Filesize: 132KB

memory/1504-2352-0x000000006D7C0000-0x000000006D805000-memory.dmp
Filesize: 276KB

memory/1504-2353-0x0000000000410000-0x0000000000431000-memory.dmp
Filesize: 132KB