Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-10-2023 22:37

General

  • Target
    5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js
  • Size
    4.9MB
  • MD5
    64ac20e66888256f82b39f5da285dbdb
  • SHA1
    30f70383bce411d3c786609ff3743fd46ffd9183
  • SHA256
    5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605
  • SHA512
    bed46026e831ac1f1edcf51be4b3e3f6643121a791a809543642e2864f7ca55b9dfc34c13ff1f0380204ad7af9b7ccdc0cdc514cc71bc972df218030598f281a
  • SSDEEP
    24576:F4gLbd4/jdgj6XF83IVmQqbNMpFokXb8hDr2wxvJzX5BGdzJhTfSrDyQgPQMXQLc:B4hv1c5ipfYBrnzmPbSqEhcvbUbU1

Score
10/10

Malware Config

Extracted

  • Family
    strela
  • C2
    193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials, first seen in late 2022.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js" "C:\Users\Admin\AppData\Local\Temp\\twounequal.bat" && "C:\Users\Admin\AppData\Local\Temp\\twounequal.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\system32\findstr.exe
        findstr /V stripedmiss ""C:\Users\Admin\AppData\Local\Temp\\twounequal.bat""
        3⤵
          PID:1672
        • C:\Windows\system32\certutil.exe
          certutil -f -decode tanmelt berrystay.dll
          3⤵
            PID:2188
          • C:\Windows\system32\regsvr32.exe
            regsvr32 berrystay.dll
            3⤵
            • Loads dropped DLL
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\berrystay.dll
    Filesize
    3.6MB
    MD5
    96ae03eb73981e451551d0c31ae4803c
    SHA1
    6c5b6f72c62258447c511872425391a82f5697c5
    SHA256
    b1cbd8f32f55f2fe15050d01952b9389dd9170834d7b5cc8d3d095be486b5a9f
    SHA512
    b97e192bf48de3b0d7c678533c5ffa1f855546c59d2475ce384b068db47a85737f2bfb4d15280504e6a87cdf8f2780a02bdeef507658b98b9d4d0f045db767f7

  • C:\Users\Admin\AppData\Local\Temp\tanmelt
    Filesize
    4.8MB
    MD5
    deb7e822e5488b548790341780d9d9ce
    SHA1
    41936997a78c800cee2b77869dc6e96e179fadc2
    SHA256
    ae7fb5cf6139d26becb7b663139636513d69c8a539062a8e6c2ac254f5f14eff
    SHA512
    613378883e16a514a8ff1d86a2bdfdc61435853a44a46fd671d9faf96bea45d9295d660e2a5697ea83863e636adc7fc67c06ca06d75a5e3e63a75e92355713d0

  • C:\Users\Admin\AppData\Local\Temp\twounequal.bat
    Filesize
    4.9MB
    MD5
    64ac20e66888256f82b39f5da285dbdb
    SHA1
    30f70383bce411d3c786609ff3743fd46ffd9183
    SHA256
    5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605
    SHA512
    bed46026e831ac1f1edcf51be4b3e3f6643121a791a809543642e2864f7ca55b9dfc34c13ff1f0380204ad7af9b7ccdc0cdc514cc71bc972df218030598f281a

  • \Users\Admin\AppData\Local\Temp\berrystay.dll
    Filesize
    3.6MB
    MD5
    96ae03eb73981e451551d0c31ae4803c
    SHA1
    6c5b6f72c62258447c511872425391a82f5697c5
    SHA256
    b1cbd8f32f55f2fe15050d01952b9389dd9170834d7b5cc8d3d095be486b5a9f
    SHA512
    b97e192bf48de3b0d7c678533c5ffa1f855546c59d2475ce384b068db47a85737f2bfb4d15280504e6a87cdf8f2780a02bdeef507658b98b9d4d0f045db767f7

  • memory/2608-5676-0x000000006D7C0000-0x000000006DB65000-memory.dmp
    Filesize
    3.6MB

  • memory/2608-5675-0x0000000000120000-0x0000000000141000-memory.dmp
    Filesize
    132KB

  • memory/2608-5677-0x0000000000120000-0x0000000000141000-memory.dmp
    Filesize
    132KB