Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2023, 11:04

General

  • Target

    FACTURA_3104517939.js

  • Size

    5.8MB

  • MD5

    327a373e0e25a1c2092382a4afae2e08

  • SHA1

    7ddd453a6bf635d46241700a34e51b8dba8f0d6c

  • SHA256

    35843ae0b4d7d0b3839eebba3feb980ee9b5f583e0b778624d593d29741fa2ee

  • SHA512

    b826d094b1dfd83290920f11037a5b09b1a4f2bd5def4752a8848fd317acc75a36ff8f3d08c3d35f6a00b0d591f4b63b838b6d351efaa8476b502796d558daeb

  • SSDEEP

    24576:deQRxTsUSP8m3z+YOxemo3gD8D3xQZIw57xOfRP/Qjuzwn57g4P0PhFsLpIq2vEn:TRXmjuQ4uRPRMQRvrjrqn3W14UbU1

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (level 1, PID:428)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\cmd.exe (level 2, PID:116)
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_3104517939.js" "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat" && "C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat"
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\findstr.exe (level 3, PID:3064)
        findstr /V strangestriped ""C:\Users\Admin\AppData\Local\Temp\\synonymoussad.bat""
      • C:\Windows\system32\certutil.exe (level 3, PID:1456)
        certutil -f -decode upsetbusy womanselection.dll
      • C:\Windows\system32\regsvr32.exe (level 3, PID:1352)
        regsvr32 womanselection.dll
        • Loads dropped DLL

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\synonymoussad.bat

    Filesize
    5.8MB

    MD5
    327a373e0e25a1c2092382a4afae2e08

    SHA1
    7ddd453a6bf635d46241700a34e51b8dba8f0d6c

    SHA256
    35843ae0b4d7d0b3839eebba3feb980ee9b5f583e0b778624d593d29741fa2ee

    SHA512
    b826d094b1dfd83290920f11037a5b09b1a4f2bd5def4752a8848fd317acc75a36ff8f3d08c3d35f6a00b0d591f4b63b838b6d351efaa8476b502796d558daeb

  • C:\Users\Admin\AppData\Local\Temp\upsetbusy

    Filesize
    5.7MB

    MD5
    f183d3d74b21c168d931f48c372bf431

    SHA1
    864b7511699f642d0f0662be59c6154faf89fa10

    SHA256
    e4064513a6c8a3a27453d81903c55ae55f33eae855339473ff1bc5b6969e235e

    SHA512
    92db029907e42fd3a236c1860545907c0376aa5f1f68eff6671632271736ea14ec78fc16184317c3d8f990fdcd8d84555d86e92c2291822af66fd96072440311

  • C:\Users\Admin\AppData\Local\Temp\womanselection.dll

    Filesize
    4.2MB

    MD5
    477f1313691864a4176c1666640dcccf

    SHA1
    39d05d2753ab358bf284ab43f32502aa11b35976

    SHA256
    48d1c1200b9f8b22be670df8c8b1c50237b867f12986338255fd72bf973b5a17

    SHA512
    d1edd127cfab80d35275c2230f2b52e7fcc3fa449e6d0ed273246fed6d5573855949fa504ce54c8adc5cb31831d33bb54ec0024473381994cf5f78f18981642b

  • memory/1352-7996-0x000000006D7C0000-0x000000006DC06000-memory.dmp

    Filesize
    4.3MB

  • memory/1352-7995-0x0000000001080000-0x00000000010A1000-memory.dmp

    Filesize
    132KB