Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/10/2023, 11:45

General

  • Target

    FACTURA_83122657.js

  • Size

    4.7MB

  • MD5

    4ba46eb8264924a7c2b426f585d1c2c3

  • SHA1

    8fbc96590228889f0b4436b24b0936f00dd7c3f3

  • SHA256

    9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70

  • SHA512

    3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986

  • SSDEEP

    24576:1s+gD7A/F4ioyAU7zs1e52OLrqerEBUVXvXbCZTelgQ9JQy3iKUy2ig90hcNjYsI:1K+GXOagbfLC1Tytg5Q+gOy+VZUbUA

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials, first seen in late 2022.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js" "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat" && "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\system32\findstr.exe
        findstr /V elitecow ""C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat""
        3⤵
          PID:1724
        • C:\Windows\system32\certutil.exe
          certutil -f -decode absorbingworkable parsimoniousdidactic.dll
          3⤵
            PID:272
          • C:\Windows\system32\regsvr32.exe
            regsvr32 parsimoniousdidactic.dll
            3⤵
            • Loads dropped DLL
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:1488

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\absorbingworkable

    Filesize

    4.7MB

    MD5

    0ef6ff6531a33e068f6167c80d8a332a

    SHA1

    47eed73820d55ff30571ede08c12adf5900f87f4

    SHA256

    5e294ba7f829f0a3e8667c785c51594445b79d10aabde031f7dba0e5b8d8dcc4

    SHA512

    f44cd161c5e4699049af624ce30879ef3d54193020a9d8a11ebd3f06874b828cb4248732e2c0dea0832884e1864c1396cdbba6abf70e3bbbd01fe8ae01f0655b

  • C:\Users\Admin\AppData\Local\Temp\honorablebutter.bat

    Filesize

    4.7MB

    MD5

    4ba46eb8264924a7c2b426f585d1c2c3

    SHA1

    8fbc96590228889f0b4436b24b0936f00dd7c3f3

    SHA256

    9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70

    SHA512

    3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986

  • C:\Users\Admin\AppData\Local\Temp\parsimoniousdidactic.dll

    Filesize

    3.5MB

    MD5

    344de2ad2b2e208ff24808486f32a99c

    SHA1

    9802a9af76cb2816a995213da7fdd7d416b29e47

    SHA256

    2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e

    SHA512

    f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a

  • \Users\Admin\AppData\Local\Temp\parsimoniousdidactic.dll

    Filesize

    3.5MB

    MD5

    344de2ad2b2e208ff24808486f32a99c

    SHA1

    9802a9af76cb2816a995213da7fdd7d416b29e47

    SHA256

    2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e

    SHA512

    f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a

  • memory/1488-9698-0x00000000001A0000-0x00000000001C1000-memory.dmp

    Filesize

    132KB

  • memory/1488-9699-0x000000006D7C0000-0x000000006DB41000-memory.dmp

    Filesize

    3.5MB

  • memory/1488-9700-0x00000000001A0000-0x00000000001C1000-memory.dmp

    Filesize

    132KB