Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2023, 11:04

General

  • Target

    FACTURA_1714631916.js

  • Size

    4.9MB

  • MD5

    84132ef0bb6ad44e0f34f0ffee42a5eb

  • SHA1

    c0053fa7d8afbdbcc72ad21bc481e1bbea676216

  • SHA256

    9767f0206ecff1cb54c38fdad51251bcc5151906a66fe7eb7b733bc9edf1d415

  • SHA512

    1a7f8e5b7fa843e44956971de974bdf15cc4df137ca03a75d47d99e1bd8177ff6ea0cf863adc7916d8c812691221578375000db46de69c17896e4f969427b43b

  • SSDEEP

    24576:tG+C4RcUDAZBS0DjulG4mmQfyZHcBwpS4dhKyN+HELDZHd7GXPHa6oafpSs1J35M:Q+c/lyZHs4iEXvxISjUbUH

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An information stealer targeting mail credentials, first seen in late 2022.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js" "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat" && "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\system32\findstr.exe
        findstr /V bashfulspade ""C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat""
        3⤵
          PID:2660
        • C:\Windows\system32\certutil.exe
          certutil -f -decode brokenprecede habitualworkable.dll
          3⤵
            PID:2084
          • C:\Windows\system32\regsvr32.exe
            regsvr32 habitualworkable.dll
            3⤵
            • Loads dropped DLL
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2832
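The process tree above is the whole infection chain: the script host spawns cmd.exe, which copies the .js onto a .bat, strips the script lines out with findstr /V, base64-decodes the remainder with certutil and registers the resulting DLL with regsvr32. The following is an added detection example, not part of the sandbox report: it correlates process-creation events into that chain. The event schema (pid, ppid, image, cmdline) and the constructed event lists are assumptions that mirror the PIDs and command lines shown above.

```python
"""Correlate process-creation events into the wscript -> cmd -> certutil -> regsvr32
staging chain. Added example, not part of the sandbox report; the event schema is
an assumption and the events below are constructed to mirror the report's tree."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}

# Constructed process-creation events mirroring the report's tree (PIDs as listed there).
EVENTS = [
    ProcEvent(1736, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js"),
    ProcEvent(2880, 1736, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1714631916.js" '
              r'"C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat" && "C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat"'),
    ProcEvent(2660, 2880, r"C:\Windows\system32\findstr.exe",
              r'findstr /V bashfulspade ""C:\Users\Admin\AppData\Local\Temp\\tangywoebegone.bat""'),
    ProcEvent(2084, 2880, r"C:\Windows\system32\certutil.exe",
              r"certutil -f -decode brokenprecede habitualworkable.dll"),
    ProcEvent(2832, 2880, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 habitualworkable.dll"),
]

# Constructed benign use of certutil -decode from an interactive shell: must NOT match.
BENIGN_EVENTS = [
    ProcEvent(500, 400, r"C:\Windows\explorer.exe", r"explorer.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(700, 600, r"C:\Windows\system32\certutil.exe",
              r"certutil -decode cert.b64 cert.cer"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path or command-line token."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def find_chain(events: list) -> Optional[dict]:
    """Return the PIDs of each stage when a cmd.exe spawned by a script host copies
    the script to a .bat, decodes a file with certutil, and loads the decoded file
    with regsvr32/rundll32; None if the chain is not present."""
    by_pid = {e.pid: e for e in events}
    for cmd in events:
        if basename(cmd.image) != "cmd.exe":
            continue
        parent = by_pid.get(cmd.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        # Stage 1: the .js is copied to a .bat and that .bat is run in the same command
        if not re.search(r'\bcopy\b.+\.js["\s].+\.bat"?\s*&&', cmd.cmdline, re.I):
            continue
        kids = [e for e in events if e.ppid == cmd.pid]
        # Stage 2: certutil -decode (or /decode, -decodehex) run as a sibling child of cmd
        decode = next((k for k in kids if basename(k.image) == "certutil.exe"
                       and re.search(r"[-/]decode(hex)?\b", k.cmdline, re.I)), None)
        if decode is None:
            continue
        out_name = basename(decode.cmdline.split()[-1])  # certutil -decode <in> <out>
        # Stage 3: a DLL loader whose command line names certutil's output file
        loader = next((k for k in kids if basename(k.image) in DLL_LOADERS
                       and out_name in k.cmdline.lower()), None)
        if loader is None:
            continue
        return {"script_host": parent.pid, "cmd": cmd.pid,
                "certutil": decode.pid, "loader": loader.pid}
    return None


if __name__ == "__main__":
    print(find_chain(EVENTS))         # chain found with the report's PIDs
    print(find_chain(BENIGN_EVENTS))  # None
```

Matching on the whole chain rather than on certutil -decode alone keeps the rule quiet when an administrator decodes a certificate from an interactive shell (the BENIGN_EVENTS case). The stage-1 pattern is tied to a .js source; widen that extension if you want the same logic for other script types.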

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\brokenprecede

        Filesize

        4.8MB

        MD5

        22ae5a6ad3c032823b1035182ef6b563

        SHA1

        dfe710bfe8c8ca98d2a3c8ec247285d975536c55

        SHA256

        63acc839c86de404d4abba3b4380c1e5377e057589344ac0b19032fd5340c5be

        SHA512

        30ae54422334615d38fb9a32d104cf50b658314b37b85159b855b87e3f8fdb822fe1dfa577b5b2b26f487f015694a43a953d8ac9fbf030c364512514717219cd

      • C:\Users\Admin\AppData\Local\Temp\habitualworkable.dll

        Filesize

        3.6MB

        MD5

        a33c0faac0c19fa9703d78d8bf4d38ed

        SHA1

        857acb13ffb952340ba066fbc6194db78b2c7e37

        SHA256

        ac56297616518dff53fa5e01e7a1508a6db46321c5c453a034396214e7edad4b

        SHA512

        542be33bda3adc4e54f42e73fa5f455925ae4d9eac93cc3a17921bc70e599d9d86cb273bc57537502e38b8d685d8490c65a5855335a3bbe07614bc3b73098cdf

      • C:\Users\Admin\AppData\Local\Temp\tangywoebegone.bat

        Filesize

        4.9MB

        MD5

        84132ef0bb6ad44e0f34f0ffee42a5eb

        SHA1

        c0053fa7d8afbdbcc72ad21bc481e1bbea676216

        SHA256

        9767f0206ecff1cb54c38fdad51251bcc5151906a66fe7eb7b733bc9edf1d415

        SHA512

        1a7f8e5b7fa843e44956971de974bdf15cc4df137ca03a75d47d99e1bd8177ff6ea0cf863adc7916d8c812691221578375000db46de69c17896e4f969427b43b

      • \Users\Admin\AppData\Local\Temp\habitualworkable.dll

        Filesize

        3.6MB

        MD5

        a33c0faac0c19fa9703d78d8bf4d38ed

        SHA1

        857acb13ffb952340ba066fbc6194db78b2c7e37

        SHA256

        ac56297616518dff53fa5e01e7a1508a6db46321c5c453a034396214e7edad4b

        SHA512

        542be33bda3adc4e54f42e73fa5f455925ae4d9eac93cc3a17921bc70e599d9d86cb273bc57537502e38b8d685d8490c65a5855335a3bbe07614bc3b73098cdf

      • memory/2832-5281-0x0000000000120000-0x0000000000141000-memory.dmp

        Filesize

        132KB

      • memory/2832-5282-0x000000006D7C0000-0x000000006DB68000-memory.dmp

        Filesize

        3.7MB

      • memory/2832-5283-0x0000000000120000-0x0000000000141000-memory.dmp

        Filesize

        132KB
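The dropped files above are the same payload at successive stages: tangywoebegone.bat is a byte-for-byte copy of the submitted .js (identical hashes), brokenprecede is what findstr /V leaves of it, and habitualworkable.dll is certutil's base64 decode of that (the 4.8MB to 3.6MB drop is the 4/3 base64 overhead). Below is an added example, not part of the report, that re-creates those two stages offline against a constructed polyglot with a stand-in payload. The batch line layout, the PEM-style headers and FAKE_DLL are assumptions; on a real sample you would compare the recovered file's SHA256 with the DLL hash listed above.

```python
"""Offline re-creation of the staging steps shown in the process tree: findstr /V
to strip the script lines, certutil -decode to turn the remainder into a DLL.
Added example, not part of the report; payload, marker layout and file names
are constructed stand-ins, not the real sample."""
import base64
import hashlib

MARKER = "bashfulspade"  # the word the report shows being passed to findstr /V

# Constructed stand-in for the dropped DLL: a fake DOS/PE header plus filler.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"A" * 1000


def build_polyglot(payload: bytes, marker: str) -> str:
    """Constructed approximation of the JS/BAT layout: every line the batch
    interpreter should execute carries the marker, so `findstr /V marker` drops
    it and leaves only a certutil-style base64 block."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "\n".join([
        f"@echo off & rem {marker}",
        f'findstr /V {marker} "%~f0" > brokenprecede & rem {marker}',
        f"certutil -f -decode brokenprecede habitualworkable.dll & rem {marker}",
        f"regsvr32 habitualworkable.dll & rem {marker}",
        "-----BEGIN CERTIFICATE-----",
        body,
        "-----END CERTIFICATE-----",
    ])


def findstr_v(text: str, marker: str) -> str:
    """Emulate `findstr /V <marker> file`: keep only lines that do NOT contain the marker."""
    return "".join(line + "\n" for line in text.splitlines() if marker not in line)


def certutil_decode(text: str) -> bytes:
    """Emulate `certutil -f -decode in out` on a base64 block: drop PEM-style
    header/footer lines and whitespace, then base64-decode the remainder
    (assumption: certutil accepts the block with or without those headers)."""
    b64 = "".join(line.strip() for line in text.splitlines()
                  if line.strip() and not line.startswith("-----"))
    return base64.b64decode(b64, validate=True)


def recover(polyglot: str, marker: str) -> dict:
    """Run both stages and return what an analyst would check on the output."""
    staged = findstr_v(polyglot, marker)   # the 'brokenprecede' stage
    dll = certutil_decode(staged)          # the 'habitualworkable.dll' stage
    return {
        "is_pe": dll[:2] == b"MZ",
        # base64 staging costs ~4/3 plus line breaks; cf. 4.8MB -> 3.6MB in the report
        "expansion": len(staged) / len(dll),
        "sha256": hashlib.sha256(dll).hexdigest(),
        "dll": dll,
    }


if __name__ == "__main__":
    result = recover(build_polyglot(FAKE_DLL, MARKER), MARKER)
    print(result["is_pe"], round(result["expansion"], 2), result["sha256"])
```

The same two functions work on the real dropped files: feed the .bat contents and the marker from the findstr command line to findstr_v, pass the result to certutil_decode, and compare the SHA256 of the output with the value listed for habitualworkable.dll above.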