Analysis
Max time kernel: 142s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20231025-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/10/2023, 11:37
Static task: static1
Behavioral task: behavioral1
  Sample: becomix.zip
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: becomix.zip
  Resource: win10v2004-20231023-en
Behavioral task: behavioral3
  Sample: FACTURA_210231068.js
  Resource: win7-20231023-en
General
Target: FACTURA_210231068.js
Size: 3.8MB
MD5: 23937572ef129eea43b202d55ae55889
SHA1: b9e0d1d51731669022536a43d78cdc3c9c8ab524
SHA256: 7842c673ba3e2000971d43f01b5000f71096822696913ead5f863c00b54480ae
SHA512: dc6854379bceb9bdeff73a0bea32e899799deb22d380e243dbf464fbd30cdb2282d6fef729efb28dd8ffb846fa5190d9e716320d890d3a632f875913bf824aa1
SSDEEP: 24576:Pojl7Rypzd5obrKfYIqRQ9UqW+b6ViCPyI5+Pb5FUlqoudhTMk+NM8FU1ZXxDbUM:xCCwiUyI5gDTxUbUF
Malware Config
Extracted
  Family: strela
  C2: 193.109.85.77
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe

Loads dropped DLL (1 IoC)
  PID: 2700
  Process: regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  Description                        PID   Process      Target procid
  PID 4224 wrote to memory of 4892   4224  wscript.exe  83
  PID 4224 wrote to memory of 4892   4224  wscript.exe  83
  PID 4892 wrote to memory of 4932   4892  cmd.exe      87
  PID 4892 wrote to memory of 4932   4892  cmd.exe      87
  PID 4892 wrote to memory of 2304   4892  cmd.exe      88
  PID 4892 wrote to memory of 2304   4892  cmd.exe      88
  PID 4892 wrote to memory of 2700   4892  cmd.exe      89
  PID 4892 wrote to memory of 2700   4892  cmd.exe      89
Processes

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js
    PID: 4224
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js" "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat"
      PID: 4892
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\findstr.exe
        Command line: findstr /V filthydam ""C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat""
        PID: 4932

    [3] C:\Windows\system32\certutil.exe
        Command line: certutil -f -decode developback committeelunchroom.dll
        PID: 2304

    [3] C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 committeelunchroom.dll
        PID: 2700
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.8MB
MD5: e25ee77124ff26a5167d28fd3c6493f7
SHA1: 1c40976c6950009eb4d36dd15799e973409e9639
SHA256: 85c253acd652e6ceabcb0dc0fb1341f3251b41707cbc71e517c7a342d9780d43
SHA512: 6c15f22b36e66d1e92069053a62f826bf87aca0233bcdd1ff90730c3f8e65222b5be3eb8b558fb4bf91bb2e985e1aea0a1ce2da0cd087bff54363768f7bc8e98

Filesize: 3.7MB
MD5: 6ee4d167b37fd33367f52f69940fac3e
SHA1: 53399ce699eab939e374ffae539910a9c1727d0f
SHA256: 57ef19edd0b8456a464e6e9428fa4d966145f15b626f230be5dd083c79c8efe0
SHA512: 6557e323c054bf8022e170aa8ad0e9c1b374a4cd32085321767e790a97203bc5b568f0df759c140e1d74aa16db9ab76d997007c94614973e5e1a33c03abe69b6

Filesize: 3.8MB
MD5: 23937572ef129eea43b202d55ae55889
SHA1: b9e0d1d51731669022536a43d78cdc3c9c8ab524
SHA256: 7842c673ba3e2000971d43f01b5000f71096822696913ead5f863c00b54480ae
SHA512: dc6854379bceb9bdeff73a0bea32e899799deb22d380e243dbf464fbd30cdb2282d6fef729efb28dd8ffb846fa5190d9e716320d890d3a632f875913bf824aa1