Analysis

  • max time kernel
    90s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2023, 11:04

General

  • Target

    PDF20218238767362.js

  • Size

    1.0MB

  • MD5

    0ab8b08e9c92bf1405755833d9409a95

  • SHA1

    9fbf7143a55c83845815502c413e9eecdd74677e

  • SHA256

    1e81b9479b419372da9ef8ce7f50a98becc218c8605f09d034a5a6514e86f607

  • SHA512

    7e4d91c77087433209f8f74573e10d6a05ad951b48c5fc6ce15aba8b36252110a97b9747b9b47bbf549e372e45eb599afc1ca6425536f7617fa0a67f5145eb13

  • SSDEEP

    24576:/Mue2z3xX0/FjN6zti4z33C+MnqHKYRtZl53M:Lq

Score
10/10

Malware Config

Extracted

Family

strela

C2

91.215.85.209

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20218238767362.js" "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat" && "C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat"
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\system32\findstr.exe
        findstr /V rmoulbhzypessjkwzujxsjanxvefrotukiloadqzppmwujgzdf ""C:\Users\Admin\AppData\Local\Temp\\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat""
        PID:5072
      • C:\Windows\system32\certutil.exe
        certutil -f -decode iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll
        PID:2876
      • C:\Windows\system32\rundll32.exe
        rundll32 xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll,x
        • Loads dropped DLL
        PID:4188

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\elgpvcoofzyvljjpmnhzjzntuhqdoioxguuxqugubrmewgacih.bat

        Filesize

        1.0MB

        MD5

        0ab8b08e9c92bf1405755833d9409a95

        SHA1

        9fbf7143a55c83845815502c413e9eecdd74677e

        SHA256

        1e81b9479b419372da9ef8ce7f50a98becc218c8605f09d034a5a6514e86f607

        SHA512

        7e4d91c77087433209f8f74573e10d6a05ad951b48c5fc6ce15aba8b36252110a97b9747b9b47bbf549e372e45eb599afc1ca6425536f7617fa0a67f5145eb13

      • C:\Users\Admin\AppData\Local\Temp\iexbhpcchrxfgymholozzfrmmegxsjewaupjcikfkdoipnpzpi

        Filesize

        1023KB

        MD5

        333e4540d003b671b0fab4bf108dfcc4

        SHA1

        bc3025b87eebd678e622955f6306fd5ce768e94a

        SHA256

        177fa2cfda97c4fd97f41b742e0ae0d5742c91d6c31fbce9b276e4b8fe5788f7

        SHA512

        f4498a3c1df15c426c381faa1c549549418061539ad4b87b20f7d996af1a7a599ddb36d05f650c28412e07d1d38d348d44afa2a94f604bed16ac5bf858ac988a

      • C:\Users\Admin\AppData\Local\Temp\xrnrdhheniuijyhhuyzkxxkrlapoxfdhpnjhzgohfgecpyjrxq.dll

        Filesize

        763KB

        MD5

        0a7d89eb1cc9ed86183d6cc08c004ba3

        SHA1

        6a12bbfa326dd92c5118ed07536fb8908ccc4d02

        SHA256

        73621fdd560b242fdb88c777b08e942701cba31df0954781702891879812caf8

        SHA512

        75317829ce34323f57898187532ac4424ab9d2271a3007453f5049390f21059a181bf5ce37b5f237290cb3da62789ee54a5efa0c9fc04b3dd4ffc2efbe5c3e1c

      • memory/4188-41-0x000001865E120000-0x000001865E141000-memory.dmp

        Filesize

        132KB

      • memory/4188-42-0x000000006D7C0000-0x000000006D887000-memory.dmp

        Filesize

        796KB

      • memory/4188-43-0x000001865E120000-0x000001865E141000-memory.dmp

        Filesize

        132KB