Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 26/10/2023, 11:37
Static task: static1
Behavioral task: behavioral1
  Sample: becomix.zip
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: becomix.zip
  Resource: win10v2004-20231023-en
Behavioral task: behavioral3
  Sample: FACTURA_210231068.js
  Resource: win7-20231023-en
General
Target: FACTURA_210231068.js
Size: 3.8MB
MD5: 23937572ef129eea43b202d55ae55889
SHA1: b9e0d1d51731669022536a43d78cdc3c9c8ab524
SHA256: 7842c673ba3e2000971d43f01b5000f71096822696913ead5f863c00b54480ae
SHA512: dc6854379bceb9bdeff73a0bea32e899799deb22d380e243dbf464fbd30cdb2282d6fef729efb28dd8ffb846fa5190d9e716320d890d3a632f875913bf824aa1
SSDEEP: 24576:Pojl7Rypzd5obrKfYIqRQ9UqW+b6ViCPyI5+Pb5FUlqoudhTMk+NM8FU1ZXxDbUM:xCCwiUyI5gDTxUbUF
Malware Config
Extracted: strela
  193.109.85.77
Signatures
Loads dropped DLL (1 IoC)
  pid   Process
  1088  regsvr32.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   Process
  1088  regsvr32.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process       procid_target
  PID 1828 wrote to memory of 2884   1828  wscript.exe   28
  PID 1828 wrote to memory of 2884   1828  wscript.exe   28
  PID 1828 wrote to memory of 2884   1828  wscript.exe   28
  PID 2884 wrote to memory of 1672   2884  cmd.exe       30
  PID 2884 wrote to memory of 1672   2884  cmd.exe       30
  PID 2884 wrote to memory of 1672   2884  cmd.exe       30
  PID 2884 wrote to memory of 2560   2884  cmd.exe       31
  PID 2884 wrote to memory of 2560   2884  cmd.exe       31
  PID 2884 wrote to memory of 2560   2884  cmd.exe       31
  PID 2884 wrote to memory of 1088   2884  cmd.exe       32
  PID 2884 wrote to memory of 1088   2884  cmd.exe       32
  PID 2884 wrote to memory of 1088   2884  cmd.exe       32
  PID 2884 wrote to memory of 1088   2884  cmd.exe       32
  PID 2884 wrote to memory of 1088   2884  cmd.exe       32
Processes
1  C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js
   PID: 1828
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js" "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat"
      PID: 2884
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\system32\findstr.exe
         Command line: findstr /V filthydam ""C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat""
         PID: 1672
      3  C:\Windows\system32\certutil.exe
         Command line: certutil -f -decode developback committeelunchroom.dll
         PID: 2560
      3  C:\Windows\system32\regsvr32.exe
         Command line: regsvr32 committeelunchroom.dll
         PID: 1088
         - Loads dropped DLL
         - Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Matrix
Downloads