Malware Analysis Report

2025-04-14 07:59

Sample ID 231026-nrkdgach79
Target becomix.zip
SHA256 6a60f0539acd483d86cfa20ec38c44fef2e9a2ba0a29dee32f736797990e9926
Tags
strela stealer
score
10/10

Analysis Overview

score
10/10

SHA256

6a60f0539acd483d86cfa20ec38c44fef2e9a2ba0a29dee32f736797990e9926

Threat Level: Known bad

The file becomix.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 11:37

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-26 11:37

Reported

2023-10-26 11:43

Platform

win7-20231023-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js" "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat"

C:\Windows\system32\findstr.exe

findstr /V filthydam ""C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode developback committeelunchroom.dll

C:\Windows\system32\regsvr32.exe

regsvr32 committeelunchroom.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\farmtickle.bat

MD5 23937572ef129eea43b202d55ae55889
SHA1 b9e0d1d51731669022536a43d78cdc3c9c8ab524
SHA256 7842c673ba3e2000971d43f01b5000f71096822696913ead5f863c00b54480ae
SHA512 dc6854379bceb9bdeff73a0bea32e899799deb22d380e243dbf464fbd30cdb2282d6fef729efb28dd8ffb846fa5190d9e716320d890d3a632f875913bf824aa1

C:\Users\Admin\AppData\Local\Temp\developback

MD5 6ee4d167b37fd33367f52f69940fac3e
SHA1 53399ce699eab939e374ffae539910a9c1727d0f
SHA256 57ef19edd0b8456a464e6e9428fa4d966145f15b626f230be5dd083c79c8efe0
SHA512 6557e323c054bf8022e170aa8ad0e9c1b374a4cd32085321767e790a97203bc5b568f0df759c140e1d74aa16db9ab76d997007c94614973e5e1a33c03abe69b6

C:\Users\Admin\AppData\Local\Temp\committeelunchroom.dll

MD5 e25ee77124ff26a5167d28fd3c6493f7
SHA1 1c40976c6950009eb4d36dd15799e973409e9639
SHA256 85c253acd652e6ceabcb0dc0fb1341f3251b41707cbc71e517c7a342d9780d43
SHA512 6c15f22b36e66d1e92069053a62f826bf87aca0233bcdd1ff90730c3f8e65222b5be3eb8b558fb4bf91bb2e985e1aea0a1ce2da0cd087bff54363768f7bc8e98

memory/1088-4956-0x000000006D7C0000-0x000000006DA92000-memory.dmp

memory/1088-4955-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/1088-4957-0x00000000001B0000-0x00000000001D1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-26 11:37

Reported

2023-10-26 11:43

Platform

win10v2004-20231025-en

Max time kernel

142s

Max time network

147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js

Signatures

Strela

stealer strela

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4224 wrote to memory of 4892 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 4224 wrote to memory of 4892 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 4892 wrote to memory of 4932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4892 wrote to memory of 4932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4892 wrote to memory of 2304 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4892 wrote to memory of 2304 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4892 wrote to memory of 2700 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe
PID 4892 wrote to memory of 2700 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe
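The parent/child rows above are enough to write the detection a SOC would want for this chain: a Windows script host spawning cmd.exe, which in turn runs certutil -decode and then regsvr32 on the decoded file. The Python below is an added example and not part of the sandbox report. It parses the rows exactly as printed above, pairs them with the command lines from the Processes list (the page gives command lines without PIDs, so that pairing is a constructed assumption), and flags any certutil -decode whose ancestry includes wscript.exe or cscript.exe and whose output file is then handed to regsvr32 by the same cmd.exe. Function names (parse_edges, ancestors, decode_output, detect) are the example's own.

```python
"""Detect the script-host -> cmd.exe -> certutil -decode -> regsvr32 chain
from parent/child process edges plus command lines.

Input format is the report's own 'PID X wrote to memory of Y' rows; the
PID-to-command-line map is constructed for the example."""
import re

# Rows copied from the behavioral4 'Suspicious use of WriteProcessMemory' table.
WPM_ROWS = """\
PID 4224 wrote to memory of 4892 N/A C:\\Windows\\system32\\wscript.exe C:\\Windows\\System32\\cmd.exe
PID 4224 wrote to memory of 4892 N/A C:\\Windows\\system32\\wscript.exe C:\\Windows\\System32\\cmd.exe
PID 4892 wrote to memory of 4932 N/A C:\\Windows\\System32\\cmd.exe C:\\Windows\\system32\\findstr.exe
PID 4892 wrote to memory of 2304 N/A C:\\Windows\\System32\\cmd.exe C:\\Windows\\system32\\certutil.exe
PID 4892 wrote to memory of 2700 N/A C:\\Windows\\System32\\cmd.exe C:\\Windows\\system32\\regsvr32.exe
"""

# Constructed assumption: the report lists command lines and PIDs separately,
# so this pairing is made up for the example (the command lines themselves are
# the ones from the Processes section).
CMDLINES = {
    4224: r"wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js",
    4892: r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js" "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat"',
    4932: r'findstr /V filthydam ""C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat""',
    2304: "certutil -f -decode developback committeelunchroom.dll",
    2700: "regsvr32 committeelunchroom.dll",
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # cscript added as the obvious sibling


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_edges(rows: str) -> dict:
    """Return {child_pid: (parent_pid, parent_image, child_image)}.
    Repeated rows (several writes into the same child) collapse to one edge."""
    edges = {}
    for line in rows.splitlines():
        m = ROW_RE.match(line)
        if m:
            parent, child, pimg, cimg = m.groups()
            edges[int(child)] = (int(parent), _basename(pimg), _basename(cimg))
    return edges


def ancestors(pid: int, edges: dict):
    """Yield (pid, image) for each ancestor of pid, nearest first."""
    seen = set()
    while pid in edges and pid not in seen:
        seen.add(pid)
        parent, pimg, _ = edges[pid]
        yield parent, pimg
        pid = parent


def decode_output(cmdline: str):
    """Output file name of `certutil ... -decode <in> <out>`, else None."""
    toks = cmdline.split()
    lowered = [t.lower() for t in toks]
    if "-decode" not in lowered:
        return None
    idx = lowered.index("-decode")
    return _basename(toks[idx + 2]) if len(toks) > idx + 2 else None


def detect(edges: dict, cmdlines: dict) -> list:
    """Flag certutil -decode launched under a script host, and the regsvr32
    sibling (same cmd.exe parent) that loads the decoded file."""
    findings = []
    for pid, (parent, _pimg, cimg) in edges.items():
        if cimg != "certutil.exe":
            continue
        out = decode_output(cmdlines.get(pid, ""))
        if out is None:
            continue
        chain = [(pid, cimg)] + list(ancestors(pid, edges))
        host = next((p for p, img in chain if img in SCRIPT_HOSTS), None)
        if host is None:
            continue
        loaders = [c for c, (p, _, img) in edges.items()
                   if p == parent and img == "regsvr32.exe"
                   and out in cmdlines.get(c, "").lower()]
        findings.append({
            "certutil_pid": pid,
            "script_host_pid": host,
            "decoded_file": out,
            "regsvr32_pids": loaders,
            "chain": " -> ".join(f"{img}({p})" for p, img in reversed(chain)),
        })
    return findings


if __name__ == "__main__":
    for f in detect(parse_edges(WPM_ROWS), CMDLINES):
        print(f)
```

In production the edges come from Sysmon event ID 1 (ParentProcessId/ProcessId) or EDR process-create telemetry rather than from a sandbox table, but the logic is the same: the certutil -decode alone is noisy, the script-host ancestor plus the regsvr32 consumer of the decoded file is what makes it a high-confidence hit.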

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_210231068.js" "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat" && "C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat"

C:\Windows\system32\findstr.exe

findstr /V filthydam ""C:\Users\Admin\AppData\Local\Temp\\farmtickle.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode developback committeelunchroom.dll

C:\Windows\system32\regsvr32.exe

regsvr32 committeelunchroom.dll
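The chain above (identical in behavioral3 and behavioral4) is a JS/BAT polyglot loader: cmd.exe copies the .js to farmtickle.bat and runs it, findstr /V drops every line containing the marker string filthydam, certutil -decode base64-decodes what is left into committeelunchroom.dll, and regsvr32 loads it. The findstr and certutil stages are pure text transformations, so the DLL can be recovered statically without detonation. The Python below is an added example, not the sandbox's or the malware's code: it builds a constructed polyglot in the shape those commands imply (the real layout of FACTURA_210231068.js is not on the page, and the payload here is a fake MZ stub, not a PE), then emulates findstr /V and certutil -decode to recover and hash the payload. Function names (build_sample, findstr_v, certutil_decode, extract_payload) are the example's own. The redirection of findstr output into developback is not visible in the logged command line because cmd.exe handles it; the file's existence is inferred from the Files list.

```python
"""Static emulation of the loader's findstr /V and certutil -decode stages,
so the embedded DLL can be carved out of the script without running it."""
import base64
import hashlib
import textwrap

MARKER = "filthydam"  # the findstr /V string from the recorded command line

# Constructed stand-in for the DLL: an MZ header plus filler, not a real PE.
FAKE_DLL = b"MZ" + b"\x90" * 30 + b"constructed-fake-dll-body-not-a-real-PE"


def build_sample(payload: bytes, marker: str = MARKER) -> str:
    """Assemble a constructed polyglot in the shape the commands imply.

    Every carrier line (the JS-looking decoy and the batch commands) carries
    the marker so findstr /V drops it; only the base64 body survives. This is
    an assumed layout, not a copy of the real sample."""
    b64 = textwrap.fill(base64.b64encode(payload).decode("ascii"), 64)
    carrier = [
        f'var {marker} = "decoy"; // JS-looking line, dropped by findstr /V',
        f'findstr /V {marker} "%~f0" > developback & rem {marker}',
        f"certutil -f -decode developback committeelunchroom.dll & rem {marker}",
        f"regsvr32 committeelunchroom.dll & rem {marker}",
        "-----BEGIN CERTIFICATE-----",
        b64,
        "-----END CERTIFICATE-----",
    ]
    return "\n".join(carrier) + "\n"


def findstr_v(text: str, needle: str) -> str:
    """Emulate `findstr /V needle`: keep only lines that do not contain needle.
    findstr matches case-sensitively unless /I is given, and the report shows no /I."""
    kept = [line for line in text.splitlines() if needle not in line]
    return "\n".join(kept) + "\n"


def certutil_decode(text: str) -> bytes:
    """Approximate `certutil -decode`: ignore PEM-style header/footer lines,
    strip whitespace, and base64-decode the rest. validate=True rejects stray
    non-base64 characters, which is what a mangled carrier would produce."""
    body = "".join(
        line.strip() for line in text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def extract_payload(polyglot: str, marker: str = MARKER) -> dict:
    """Run the findstr and certutil stages statically and describe the result."""
    decoded = certutil_decode(findstr_v(polyglot, marker))
    return {
        "is_pe": decoded[:2] == b"MZ",
        "size": len(decoded),
        "sha256": hashlib.sha256(decoded).hexdigest(),
        "payload": decoded,
    }


if __name__ == "__main__":
    result = extract_payload(build_sample(FAKE_DLL))
    print(f"MZ header: {result['is_pe']}  size: {result['size']}  sha256: {result['sha256']}")
```

Against a real sample, read the .js file into extract_payload with the marker taken from the findstr command line, and compare the returned sha256 with the committeelunchroom.dll hash in the Files section; a match confirms the carved DLL is the one regsvr32 loaded, without having to detonate anything.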

Network

Country Destination Domain Proto
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Note: these are reverse-DNS (PTR) lookups only. Several of the same in-addr.arpa queries (198.209.218.23, 241.154.82.20, 103.169.127.40) also appear in behavioral2, which ran nothing but Explorer on the zip, so they are Windows/sandbox background traffic, not Strela C2. No C2 traffic was captured in any detonation.

Files

C:\Users\Admin\AppData\Local\Temp\farmtickle.bat

MD5 23937572ef129eea43b202d55ae55889
SHA1 b9e0d1d51731669022536a43d78cdc3c9c8ab524
SHA256 7842c673ba3e2000971d43f01b5000f71096822696913ead5f863c00b54480ae
SHA512 dc6854379bceb9bdeff73a0bea32e899799deb22d380e243dbf464fbd30cdb2282d6fef729efb28dd8ffb846fa5190d9e716320d890d3a632f875913bf824aa1

C:\Users\Admin\AppData\Local\Temp\developback

MD5 6ee4d167b37fd33367f52f69940fac3e
SHA1 53399ce699eab939e374ffae539910a9c1727d0f
SHA256 57ef19edd0b8456a464e6e9428fa4d966145f15b626f230be5dd083c79c8efe0
SHA512 6557e323c054bf8022e170aa8ad0e9c1b374a4cd32085321767e790a97203bc5b568f0df759c140e1d74aa16db9ab76d997007c94614973e5e1a33c03abe69b6

C:\Users\Admin\AppData\Local\Temp\committeelunchroom.dll

MD5 e25ee77124ff26a5167d28fd3c6493f7
SHA1 1c40976c6950009eb4d36dd15799e973409e9639
SHA256 85c253acd652e6ceabcb0dc0fb1341f3251b41707cbc71e517c7a342d9780d43
SHA512 6c15f22b36e66d1e92069053a62f826bf87aca0233bcdd1ff90730c3f8e65222b5be3eb8b558fb4bf91bb2e985e1aea0a1ce2da0cd087bff54363768f7bc8e98

memory/2700-4955-0x00000000008B0000-0x00000000008D1000-memory.dmp

memory/2700-4956-0x000000006D7C0000-0x000000006DA92000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 11:37

Reported

2023-10-26 11:43

Platform

win7-20231025-en

Max time kernel

122s

Max time network

125s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\becomix.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\becomix.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-26 11:37

Reported

2023-10-26 11:43

Platform

win10v2004-20231023-en

Max time kernel

142s

Max time network

150s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\becomix.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\becomix.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A