Analysis
max time kernel: 131s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 22:37

Static task: static1
Behavioral task: behavioral1
Sample: 5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js
Resource: win7-20230831-en
General
Target: 5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js
Size: 4.9MB
MD5: 64ac20e66888256f82b39f5da285dbdb
SHA1: 30f70383bce411d3c786609ff3743fd46ffd9183
SHA256: 5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605
SHA512: bed46026e831ac1f1edcf51be4b3e3f6643121a791a809543642e2864f7ca55b9dfc34c13ff1f0380204ad7af9b7ccdc0cdc514cc71bc972df218030598f281a
SSDEEP: 24576:F4gLbd4/jdgj6XF83IVmQqbNMpFokXb8hDr2wxvJzX5BGdzJhTfSrDyQgPQMXQLc:B4hv1c5ipfYBrnzmPbSqEhcvbUbU1
Malware Config
Extracted
Family: strela
C2: 193.109.85.77
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation
Process: wscript.exe

Loads dropped DLL (1 IoC)
pid: 1604
Process: regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid   Process      procid_target
PID 5004 wrote to memory of 1168    5004  wscript.exe  86
PID 5004 wrote to memory of 1168    5004  wscript.exe  86
PID 1168 wrote to memory of 2596    1168  cmd.exe      96
PID 1168 wrote to memory of 2596    1168  cmd.exe      96
PID 1168 wrote to memory of 1868    1168  cmd.exe      97
PID 1168 wrote to memory of 1868    1168  cmd.exe      97
PID 1168 wrote to memory of 1604    1168  cmd.exe      98
PID 1168 wrote to memory of 1604    1168  cmd.exe      98
Processes

C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js
  PID: 5004
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\5c3eb5b07a659a40a9ae64ff894a99ba28e37396025e79ae5ac69da610b00605_JC.js" "C:\Users\Admin\AppData\Local\Temp\\twounequal.bat" && "C:\Users\Admin\AppData\Local\Temp\\twounequal.bat"
    PID: 1168
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe
      command line: findstr /V stripedmiss ""C:\Users\Admin\AppData\Local\Temp\\twounequal.bat""
      PID: 2596

    C:\Windows\system32\certutil.exe
      command line: certutil -f -decode tanmelt berrystay.dll
      PID: 1868

    C:\Windows\system32\regsvr32.exe
      command line: regsvr32 berrystay.dll
      PID: 1604
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads