Analysis
-
max time kernel
131s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
11/10/2023, 22:37
General
-
Target
5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js
-
Size
4.9MB
-
MD5
64ac20e66888256f82b39f5da285dbdb
-
SHA1
30f70383bce411d3c786609ff3743fd46ffd9183
-
SHA256
5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605
-
SHA512
bed46026e831ac1f1edcf51be4b3e3f6643121a791a809543642e2864f7ca55b9dfc34c13ff1f0380204ad7af9b7ccdc0cdc514cc71bc972df218030598f281a
-
SSDEEP
24576:F4gLbd4/jdgj6XF83IVmQqbNMpFokXb8hDr2wxvJzX5BGdzJhTfSrDyQgPQMXQLc:B4hv1c5ipfYBrnzmPbSqEhcvbUbU1
Malware Config
Extracted
strela
193.109.85.77
Signatures
-
Strela
An info stealer targeting mail credentials first seen in late 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js" "C:\Users\Admin\AppData\Local\Temp\\twounequal.bat" && "C:\Users\Admin\AppData\Local\Temp\\twounequal.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\findstr.exefindstr /V stripedmiss ""C:\Users\Admin\AppData\Local\Temp\\twounequal.bat""3⤵
-
-
C:\Windows\system32\certutil.execertutil -f -decode tanmelt berrystay.dll3⤵
-
-
C:\Windows\system32\regsvr32.exeregsvr32 berrystay.dll3⤵
- Loads dropped DLL
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD596ae03eb73981e451551d0c31ae4803c
SHA16c5b6f72c62258447c511872425391a82f5697c5
SHA256b1cbd8f32f55f2fe15050d01952b9389dd9170834d7b5cc8d3d095be486b5a9f
SHA512b97e192bf48de3b0d7c678533c5ffa1f855546c59d2475ce384b068db47a85737f2bfb4d15280504e6a87cdf8f2780a02bdeef507658b98b9d4d0f045db767f7
-
Filesize
3.6MB
MD596ae03eb73981e451551d0c31ae4803c
SHA16c5b6f72c62258447c511872425391a82f5697c5
SHA256b1cbd8f32f55f2fe15050d01952b9389dd9170834d7b5cc8d3d095be486b5a9f
SHA512b97e192bf48de3b0d7c678533c5ffa1f855546c59d2475ce384b068db47a85737f2bfb4d15280504e6a87cdf8f2780a02bdeef507658b98b9d4d0f045db767f7
-
Filesize
4.8MB
MD5deb7e822e5488b548790341780d9d9ce
SHA141936997a78c800cee2b77869dc6e96e179fadc2
SHA256ae7fb5cf6139d26becb7b663139636513d69c8a539062a8e6c2ac254f5f14eff
SHA512613378883e16a514a8ff1d86a2bdfdc61435853a44a46fd671d9faf96bea45d9295d660e2a5697ea83863e636adc7fc67c06ca06d75a5e3e63a75e92355713d0
-
Filesize
4.9MB
MD564ac20e66888256f82b39f5da285dbdb
SHA130f70383bce411d3c786609ff3743fd46ffd9183
SHA2565c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605
SHA512bed46026e831ac1f1edcf51be4b3e3f6643121a791a809543642e2864f7ca55b9dfc34c13ff1f0380204ad7af9b7ccdc0cdc514cc71bc972df218030598f281a
-
Filesize
4.9MB
MD564ac20e66888256f82b39f5da285dbdb
SHA130f70383bce411d3c786609ff3743fd46ffd9183
SHA2565c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605
SHA512bed46026e831ac1f1edcf51be4b3e3f6643121a791a809543642e2864f7ca55b9dfc34c13ff1f0380204ad7af9b7ccdc0cdc514cc71bc972df218030598f281a
-
Filesize
132KB
-
Filesize
3.6MB
-
Filesize
132KB