Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    24-08-2023 18:13

General

  • Target

    87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js

  • Size

    4.0MB

  • MD5

    7d7c79af0ea8ddd5ba251d0f9a34667e

  • SHA1

    09a1563b1cc9b092cb0027d06d633d8273a28ed6

  • SHA256

    87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

  • SHA512

    2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7

  • SSDEEP

    24576:7kYjISU4NCYkYuEhMml0/WoLScl7ADF+ToUwueEYV+WeEzJooRBADu/E1bpfFUN6:7ktRp4xutEmUeUbUJ

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js" "C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat" && "C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\system32\findstr.exe
        findstr /V stupidtwig ""C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat""
        3⤵
          PID:2760
        • C:\Windows\system32\certutil.exe
          certutil -f -decode drumcannon orangesterrific.dll
          3⤵
            PID:2788
          • C:\Windows\system32\regsvr32.exe
            regsvr32 orangesterrific.dll
            3⤵
            • Loads dropped DLL
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2396

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\drumcannon

        Filesize

        3.9MB

        MD5

        1c862514b99906b31423fda52012ffca

        SHA1

        9e23e205905340f09c2a326bc77e1ba90d4b4726

        SHA256

        1208725ada1a861469e119838ed62406a53c53c5604a1888fbfe440a9ee3af0b

        SHA512

        3fb0d49f4f4f61886d8ad8b0c7ccb6e2eaa9471d3c54c4f9bacb5c1dfe4e6b6ac8506295a95621e51adbbf699caaa40a63ad5133fd600b8353e4328cf0935a42

      • C:\Users\Admin\AppData\Local\Temp\ignorepumped.bat

        Filesize

        4.0MB

        MD5

        7d7c79af0ea8ddd5ba251d0f9a34667e

        SHA1

        09a1563b1cc9b092cb0027d06d633d8273a28ed6

        SHA256

        87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

        SHA512

        2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7

      • C:\Users\Admin\AppData\Local\Temp\ignorepumped.bat

        Filesize

        4.0MB

        MD5

        7d7c79af0ea8ddd5ba251d0f9a34667e

        SHA1

        09a1563b1cc9b092cb0027d06d633d8273a28ed6

        SHA256

        87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

        SHA512

        2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7

      • C:\Users\Admin\AppData\Local\Temp\orangesterrific.dll

        Filesize

        2.9MB

        MD5

        ae1aa4fc8f4ca32ecfefc600206828ea

        SHA1

        5dfe6e3921a0a2d1c21971e15ad06b6af35570d2

        SHA256

        5247b5fa5f5539aa7eb0838a5589ec13f9e434263de47973fdad26fc28a3698e

        SHA512

        de3439ee485d62c25d74e5ef4b077b27fb58c952c1c898ebe99c465f34de7c3560ff28d554449ed6a50bdc6064e5bb17b6297049c919d565fab73eb01a67e2db

      • \Users\Admin\AppData\Local\Temp\orangesterrific.dll

        Filesize

        2.9MB

        MD5

        ae1aa4fc8f4ca32ecfefc600206828ea

        SHA1

        5dfe6e3921a0a2d1c21971e15ad06b6af35570d2

        SHA256

        5247b5fa5f5539aa7eb0838a5589ec13f9e434263de47973fdad26fc28a3698e

        SHA512

        de3439ee485d62c25d74e5ef4b077b27fb58c952c1c898ebe99c465f34de7c3560ff28d554449ed6a50bdc6064e5bb17b6297049c919d565fab73eb01a67e2db

      • memory/2396-4804-0x000000006D7C0000-0x000000006DAB8000-memory.dmp

        Filesize

        3.0MB

      • memory/2396-4803-0x0000000000120000-0x0000000000141000-memory.dmp

        Filesize

        132KB

      • memory/2396-4805-0x0000000000120000-0x0000000000141000-memory.dmp

        Filesize

        132KB