Analysis
max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted
26/10/2023, 11:45
Static task
static1
Behavioral task
behavioral1
Sample
kroschke.zip
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
kroschke.zip
Resource
win10v2004-20231023-en
Behavioral task
behavioral3
Sample
FACTURA_83122657.js
Resource
win7-20231020-en
General
Target
FACTURA_83122657.js
Size
4.7MB
MD5
4ba46eb8264924a7c2b426f585d1c2c3
SHA1
8fbc96590228889f0b4436b24b0936f00dd7c3f3
SHA256
9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70
SHA512
3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986
SSDEEP
24576:1s+gD7A/F4ioyAU7zs1e52OLrqerEBUVXvXbCZTelgQ9JQy3iKUy2ig90hcNjYsI:1K+GXOagbfLC1Tytg5Q+gOy+VZUbUA
Malware Config
Extracted
strela
193.109.85.77
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | wscript.exe
Loads dropped DLL 1 IoCs
pid | Process
4120 | regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 384 wrote to memory of 2068 | 384 | wscript.exe | 85
PID 384 wrote to memory of 2068 | 384 | wscript.exe | 85
PID 2068 wrote to memory of 2720 | 2068 | cmd.exe | 94
PID 2068 wrote to memory of 2720 | 2068 | cmd.exe | 94
PID 2068 wrote to memory of 3920 | 2068 | cmd.exe | 95
PID 2068 wrote to memory of 3920 | 2068 | cmd.exe | 95
PID 2068 wrote to memory of 4120 | 2068 | cmd.exe | 96
PID 2068 wrote to memory of 4120 | 2068 | cmd.exe | 96
Processes
C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:384
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js" "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat" && "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat"
    - Suspicious use of WriteProcessMemory
    PID:2068
    C:\Windows\system32\findstr.exe
      findstr /V elitecow ""C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat""
      PID:2720
    C:\Windows\system32\certutil.exe
      certutil -f -decode absorbingworkable parsimoniousdidactic.dll
      PID:3920
    C:\Windows\system32\regsvr32.exe
      regsvr32 parsimoniousdidactic.dll
      - Loads dropped DLL
      PID:4120
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
4.7MB
MD5
0ef6ff6531a33e068f6167c80d8a332a
SHA1
47eed73820d55ff30571ede08c12adf5900f87f4
SHA256
5e294ba7f829f0a3e8667c785c51594445b79d10aabde031f7dba0e5b8d8dcc4
SHA512
f44cd161c5e4699049af624ce30879ef3d54193020a9d8a11ebd3f06874b828cb4248732e2c0dea0832884e1864c1396cdbba6abf70e3bbbd01fe8ae01f0655b

Filesize
4.7MB
MD5
4ba46eb8264924a7c2b426f585d1c2c3
SHA1
8fbc96590228889f0b4436b24b0936f00dd7c3f3
SHA256
9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70
SHA512
3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986

Filesize
4.7MB
MD5
4ba46eb8264924a7c2b426f585d1c2c3
SHA1
8fbc96590228889f0b4436b24b0936f00dd7c3f3
SHA256
9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70
SHA512
3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986

Filesize
3.5MB
MD5
344de2ad2b2e208ff24808486f32a99c
SHA1
9802a9af76cb2816a995213da7fdd7d416b29e47
SHA256
2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e
SHA512
f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a

Filesize
3.5MB
MD5
344de2ad2b2e208ff24808486f32a99c
SHA1
9802a9af76cb2816a995213da7fdd7d416b29e47
SHA256
2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e
SHA512
f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a