1Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231025-en locale:en-us os:windows10-2004-x64 system -
submitted
27/10/2023, 11:04
Static task
static1
Behavioral task
behavioral1
Sample
FACTURA_1714631916.js
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
FACTURA_1714631916.js
Resource
win10v2004-20231023-en
Behavioral task
behavioral3
Sample
FACTURA_1478723101.js
Resource
win7-20231020-en
Behavioral task
behavioral4
Sample
FACTURA_1478723101.js
Resource
win10v2004-20231020-en
Behavioral task
behavioral5
Sample
FACTURA_3104517939.js
Resource
win7-20231025-en
Behavioral task
behavioral6
Sample
FACTURA_3104517939.js
Resource
win10v2004-20231020-en
Behavioral task
behavioral7
Sample
FACTURA_50862162.js
Resource
win7-20231023-en
Behavioral task
behavioral8
Sample
FACTURA_50862162.js
Resource
win10v2004-20231023-en
Behavioral task
behavioral9
Sample
PDF20218238767362.js
Resource
win7-20231020-en
Behavioral task
behavioral10
Sample
PDF20218238767362.js
Resource
win10v2004-20231023-en
Behavioral task
behavioral11
Sample
FACTURA_1324819148.js
Resource
win7-20231023-en
Behavioral task
behavioral12
Sample
FACTURA_1324819148.js
Resource
win10v2004-20231020-en
Behavioral task
behavioral13
Sample
PDF247791026727441.js
Resource
win7-20231020-en
Behavioral task
behavioral14
Sample
PDF247791026727441.js
Resource
win10v2004-20231025-en
Behavioral task
behavioral15
Sample
12582937793/b88e361f5db949317650956480502f6391359798fd85c0341c8c43c30fc361be.zip
Resource
win7-20231023-en
Behavioral task
behavioral16
Sample
12582937793/b88e361f5db949317650956480502f6391359798fd85c0341c8c43c30fc361be.zip
Resource
win10v2004-20231023-en
Behavioral task
behavioral17
Sample
12582937793/c1158c88f7951a14ff2436e679719e1b57d56002f1050b340b1fdd9bf37ee4d8.zip
Resource
win7-20231023-en
Behavioral task
behavioral18
Sample
12582937793/c1158c88f7951a14ff2436e679719e1b57d56002f1050b340b1fdd9bf37ee4d8.zip
Resource
win10v2004-20231020-en
Behavioral task
behavioral19
Sample
12582937793/ccd10d0c856a95beeffdd47f9e6530e71f23b2f3700c6fa609acfe262d5f1522.zip
Resource
win7-20231020-en
Behavioral task
behavioral20
Sample
12582937793/ccd10d0c856a95beeffdd47f9e6530e71f23b2f3700c6fa609acfe262d5f1522.zip
Resource
win10v2004-20231020-en
Behavioral task
behavioral21
Sample
12582937793/cea14b7d1bffe66e3139930602537416b723f2b685e08d5680fc677c5730d4af.zip
Resource
win7-20231025-en
Behavioral task
behavioral22
Sample
12582937793/cea14b7d1bffe66e3139930602537416b723f2b685e08d5680fc677c5730d4af.zip
Resource
win10v2004-20231023-en
Behavioral task
behavioral23
Sample
12582937793/cfd9efc4bcffd83c78da7165035918144b394a79b2fb60305f8993e35ee2986b.zip
Resource
win7-20231023-en
Behavioral task
behavioral24
Sample
12582937793/cfd9efc4bcffd83c78da7165035918144b394a79b2fb60305f8993e35ee2986b.zip
Resource
win10v2004-20231023-en
Behavioral task
behavioral25
Sample
12582937793/d0fd7e32bf5ce2e1781ad484e03644d58122912eb5b88de3ffbf3fa12d09c80b.zip
Resource
win7-20231023-en
Behavioral task
behavioral26
Sample
12582937793/d0fd7e32bf5ce2e1781ad484e03644d58122912eb5b88de3ffbf3fa12d09c80b.zip
Resource
win10v2004-20231025-en
Behavioral task
behavioral27
Sample
12582937793/da6db77248718ea9cb22ea8b99d3030aa2838d241fdd2f64dbaaf60b02903f25.zip
Resource
win7-20231023-en
Behavioral task
behavioral28
Sample
12582937793/da6db77248718ea9cb22ea8b99d3030aa2838d241fdd2f64dbaaf60b02903f25.zip
Resource
win10v2004-20231020-en
Behavioral task
behavioral29
Sample
12582937793/da9a74db58c63c627e43a42e4b1f368cd13a34795e185414283393b9a4dcb813.zip
Resource
win7-20231020-en
Behavioral task
behavioral30
Sample
12582937793/da9a74db58c63c627e43a42e4b1f368cd13a34795e185414283393b9a4dcb813.zip
Resource
win10v2004-20231020-en
Behavioral task
behavioral31
Sample
12582937793/df041e0c1f5e2a8cbdf2b7c77c21cc8892a010172ee77ce9b1f63629e0fd9ee2.zip
Resource
win7-20231023-en
Behavioral task
behavioral32
Sample
12582937793/df041e0c1f5e2a8cbdf2b7c77c21cc8892a010172ee77ce9b1f63629e0fd9ee2.zip
Resource
win10v2004-20231023-en
General
-
Target
PDF247791026727441.js
-
Size
1.1MB
-
MD5
c41b0c8acc549b2356e6a0ef252955e8
-
SHA1
21e762814c7fad20f4c40b9c8a96cc5c4e92b096
-
SHA256
64069ffa43a427fb63754153895054ece510e28adc6485d59d62a52a0a83539b
-
SHA512
7f018455048bf53a71f3dd15334fb6f07ba5f03f59be0f6b6296a1d18f471af9916f57115b3fe84445e10b07ed644939afd8897e1538aa7c113e29a442fe4a72
-
SSDEEP
24576:3shJIALBa0nNM/1ZM1LnlJsa/peyYrn65H28izN27D:R8D
Malware Config
Extracted
strela
91.215.85.209
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely used for geofencing.
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | Process: wscript.exe -
Loads dropped DLL 1 IoCs
pid Process 3112 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 4464 wrote to memory of 4972 | 4464 | wscript.exe | 85
PID 4464 wrote to memory of 4972 | 4464 | wscript.exe | 85
PID 4972 wrote to memory of 1268 | 4972 | cmd.exe | 87
PID 4972 wrote to memory of 1268 | 4972 | cmd.exe | 87
PID 4972 wrote to memory of 4132 | 4972 | cmd.exe | 93
PID 4972 wrote to memory of 4132 | 4972 | cmd.exe | 93
PID 4972 wrote to memory of 3112 | 4972 | cmd.exe | 94
PID 4972 wrote to memory of 3112 | 4972 | cmd.exe | 94
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF247791026727441.js" "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat" && "C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\findstr.exefindstr /V dwxhhghdszkwxfyzjjjbfasobxdivpofqrabxdjslzwladvmtu ""C:\Users\Admin\AppData\Local\Temp\\pnuicfpusbibgcnasijrcejkvapintqfmdzfkkbxqiikjfqleh.bat""3⤵PID:1268
-
-
C:\Windows\system32\certutil.execertutil -f -decode ydehnrtmtaxivskgglhryiuutrxcsrpkzqcstwyelzxxzmxtxc iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll3⤵PID:4132
-
-
C:\Windows\system32\rundll32.exerundll32 iiwirxhqdzahhemwawhlgzvhaeojmmujuaajzhmfanrbnobzlv.dll,x3⤵
- Loads dropped DLL
PID:3112
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
791KB
MD5 eaf3750d024b66e57d731ecd3eb4d6c2
SHA1 7f70594c99523d1e25e11424762d7b5f5adc6f43
SHA256 7a4d34794aa0fd9b70bed2a9446bd060496f31e1ee52084a4c0c08ce1f1346b6
SHA512 45de48b7b4c59e96ba1422a2bfa68d138f4f63e1ae3e125e3880022504fe60c72a8f14047d015be953f3aad13be0a4ea99178d7525af9d8baf7de1c232d862de
-
Filesize
791KB
MD5 eaf3750d024b66e57d731ecd3eb4d6c2
SHA1 7f70594c99523d1e25e11424762d7b5f5adc6f43
SHA256 7a4d34794aa0fd9b70bed2a9446bd060496f31e1ee52084a4c0c08ce1f1346b6
SHA512 45de48b7b4c59e96ba1422a2bfa68d138f4f63e1ae3e125e3880022504fe60c72a8f14047d015be953f3aad13be0a4ea99178d7525af9d8baf7de1c232d862de
-
Filesize
1.1MB
MD5 c41b0c8acc549b2356e6a0ef252955e8
SHA1 21e762814c7fad20f4c40b9c8a96cc5c4e92b096
SHA256 64069ffa43a427fb63754153895054ece510e28adc6485d59d62a52a0a83539b
SHA512 7f018455048bf53a71f3dd15334fb6f07ba5f03f59be0f6b6296a1d18f471af9916f57115b3fe84445e10b07ed644939afd8897e1538aa7c113e29a442fe4a72
-
Filesize
1.1MB
MD5 c41b0c8acc549b2356e6a0ef252955e8
SHA1 21e762814c7fad20f4c40b9c8a96cc5c4e92b096
SHA256 64069ffa43a427fb63754153895054ece510e28adc6485d59d62a52a0a83539b
SHA512 7f018455048bf53a71f3dd15334fb6f07ba5f03f59be0f6b6296a1d18f471af9916f57115b3fe84445e10b07ed644939afd8897e1538aa7c113e29a442fe4a72
-
Filesize
1.0MB
MD5 bb8e896461540afc2b9c2267f2589536
SHA1 d53dd7d0fbd78cd40fdacca15c43ddcd87b593f3
SHA256 29a79976e3fd2c26fa3f572a5838768375796946ddca4ac0e0c4aef5e2f9b26a
SHA512 61900661ddc5c5fa2f3236a04884044c13d2ac28511f4bfd61013f9f63811b795187a3bec83d71459db17c553bee8ec81ae82944819aeeada4d43750505a8e34