Analysis

max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted: 26/10/2023, 11:45
Static task: static1

Behavioral task: behavioral1
Sample: kroschke.zip
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: kroschke.zip
Resource: win10v2004-20231023-en

Behavioral task: behavioral3
Sample: FACTURA_83122657.js
Resource: win7-20231020-en
General

Target: FACTURA_83122657.js
Size: 4.7MB
MD5: 4ba46eb8264924a7c2b426f585d1c2c3
SHA1: 8fbc96590228889f0b4436b24b0936f00dd7c3f3
SHA256: 9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70
SHA512: 3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986
SSDEEP: 24576:1s+gD7A/F4ioyAU7zs1e52OLrqerEBUVXvXbCZTelgQ9JQy3iKUy2ig90hcNjYsI:1K+GXOagbfLC1Tytg5Q+gOy+VZUbUA
Malware Config

Extracted: strela
193.109.85.77
Signatures

Loads dropped DLL (1 IoC)
pid 1488, process regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
pid 1488, process regsvr32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description                        pid   process      procid_target
PID 2432 wrote to memory of 2476   2432  wscript.exe  28
PID 2432 wrote to memory of 2476   2432  wscript.exe  28
PID 2432 wrote to memory of 2476   2432  wscript.exe  28
PID 2476 wrote to memory of 1724   2476  cmd.exe      30
PID 2476 wrote to memory of 1724   2476  cmd.exe      30
PID 2476 wrote to memory of 1724   2476  cmd.exe      30
PID 2476 wrote to memory of 272    2476  cmd.exe      31
PID 2476 wrote to memory of 272    2476  cmd.exe      31
PID 2476 wrote to memory of 272    2476  cmd.exe      31
PID 2476 wrote to memory of 1488   2476  cmd.exe      32
PID 2476 wrote to memory of 1488   2476  cmd.exe      32
PID 2476 wrote to memory of 1488   2476  cmd.exe      32
PID 2476 wrote to memory of 1488   2476  cmd.exe      32
PID 2476 wrote to memory of 1488   2476  cmd.exe      32
Processes

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js
    PID: 2432
    Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js" "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat" && "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat"
        PID: 2476
        Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\findstr.exe
            Command line: findstr /V elitecow ""C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat""
            PID: 1724

        [3] C:\Windows\system32\certutil.exe
            Command line: certutil -f -decode absorbingworkable parsimoniousdidactic.dll
            PID: 272

        [3] C:\Windows\system32\regsvr32.exe
            Command line: regsvr32 parsimoniousdidactic.dll
            PID: 1488
            Loads dropped DLL
            Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.7MB
MD5: 0ef6ff6531a33e068f6167c80d8a332a
SHA1: 47eed73820d55ff30571ede08c12adf5900f87f4
SHA256: 5e294ba7f829f0a3e8667c785c51594445b79d10aabde031f7dba0e5b8d8dcc4
SHA512: f44cd161c5e4699049af624ce30879ef3d54193020a9d8a11ebd3f06874b828cb4248732e2c0dea0832884e1864c1396cdbba6abf70e3bbbd01fe8ae01f0655b

Filesize: 4.7MB
MD5: 4ba46eb8264924a7c2b426f585d1c2c3
SHA1: 8fbc96590228889f0b4436b24b0936f00dd7c3f3
SHA256: 9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70
SHA512: 3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986

Filesize: 4.7MB
MD5: 4ba46eb8264924a7c2b426f585d1c2c3
SHA1: 8fbc96590228889f0b4436b24b0936f00dd7c3f3
SHA256: 9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70
SHA512: 3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986

Filesize: 3.5MB
MD5: 344de2ad2b2e208ff24808486f32a99c
SHA1: 9802a9af76cb2816a995213da7fdd7d416b29e47
SHA256: 2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e
SHA512: f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a

Filesize: 3.5MB
MD5: 344de2ad2b2e208ff24808486f32a99c
SHA1: 9802a9af76cb2816a995213da7fdd7d416b29e47
SHA256: 2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e
SHA512: f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a