Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2023, 11:04

General

  • Target

    FACTURA_1478723101.js

  • Size

    5.3MB

  • MD5

    3db5b96e1c9cf4583ea95d83152fd173

  • SHA1

    e48cd61c57d0140096840aeb199a300af6423936

  • SHA256

    6a2ba302bcf65d2520ecd5d477ed382a1b0d6bb010b84f1ee0f2223bef84ba16

  • SHA512

    6fe9ba142bdb830ae1c073f20968df4a2958b7a9959a3ce3cf513038c0503048cd9f93b8be06035b34927ec0358e8c0349ed5efd81a91c50fa2ee0f904672feb

  • SSDEEP

    24576:tEnUMmLNPWqdwkDYALLZiii+n+luT0Bnk2bAMJViCy7vItYk7923U9m2m/El1FID:yUh88LD6dJVijG2ePl1HxCWJZAUbUX

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_1478723101.js" "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat" && "C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\system32\findstr.exe
        findstr /V curecarve ""C:\Users\Admin\AppData\Local\Temp\\pinphysical.bat""
        3⤵
          PID:2496
        • C:\Windows\system32\certutil.exe
          certutil -f -decode vivacioussecond partoverwrought.dll
          3⤵
            PID:456
          • C:\Windows\system32\regsvr32.exe
            regsvr32 partoverwrought.dll
            3⤵
            • Loads dropped DLL
            PID:732

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\partoverwrought.dll

        Filesize

        3.9MB

        MD5

        ce18786cd944962504bc77bb973294f8

        SHA1

        63291da25e666fa08a063086b10dc42e593b8067

        SHA256

        a8fadc416e4dcbd16da7cb752260044bbabec205c9e73f46b79fe06aab4ceb99

        SHA512

        ace0d6b322526a342f692bfbb720756cfa312a4a0d1037f05306639aa4094ec9149d9f146ec6fdd267df8b744f9816703a7a4e31f433ed3cde788bf826ed34a2

      • C:\Users\Admin\AppData\Local\Temp\pinphysical.bat

        Filesize

        5.3MB

        MD5

        3db5b96e1c9cf4583ea95d83152fd173

        SHA1

        e48cd61c57d0140096840aeb199a300af6423936

        SHA256

        6a2ba302bcf65d2520ecd5d477ed382a1b0d6bb010b84f1ee0f2223bef84ba16

        SHA512

        6fe9ba142bdb830ae1c073f20968df4a2958b7a9959a3ce3cf513038c0503048cd9f93b8be06035b34927ec0358e8c0349ed5efd81a91c50fa2ee0f904672feb

      • C:\Users\Admin\AppData\Local\Temp\vivacioussecond

        Filesize

        5.3MB

        MD5

        acfa429912a2488f208734d0a9b39c55

        SHA1

        e4259ddb9c0c8ba037016c32da0782633b8536de

        SHA256

        d6ff5a3f5437351df4da8f9b335980d596299ac077f4b8c20062eb073af7bcfb

        SHA512

        087bcc0c74fd48fb76d1ad4e5513de69c4a8684e47324829d3b84e9f3a08fcc2a2c9629176d5f19bf4e1ecdc171eda535326b29d3bec16edb644021c0883ef10

      • memory/732-5607-0x0000000000BD0000-0x0000000000BF1000-memory.dmp

        Filesize

        132KB

      • memory/732-5608-0x000000006D7C0000-0x000000006DBB6000-memory.dmp

        Filesize

        4.0MB