Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
  • submitted
    27/10/2023, 11:04

General

  • Target

    FACTURA_50862162.js

  • Size

    5.9MB

  • MD5

    06b78388e5785d4b2933672d4e9ded74

  • SHA1

    fe7ce04cbcd5de3d4b17034149518c325441b6db

  • SHA256

    0a2b6a17137991a8c39c1e7571ef211ed281fa7fc1d6691eba70bbacd40d739b

  • SHA512

    64f02712551e733881978a84569f6d9eb27abfba4746f703d8b24894421d9f7ecb93bb91689a7faa197878231f659138f226f510d08ef02a8e57e4a03f7bb264

  • SSDEEP

    49152:51yd7H3OYveKL0mtPYAlwXeri41LRWUbU1:1cc

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An information stealer that targets mail-client credentials, first seen in late 2022.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
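The signatures above are the sandbox's own verdicts. The same chain this report records (a script host spawning cmd.exe, which copies the .js to a .bat, runs certutil -decode and loads the result with regsvr32) can be caught from ordinary process-creation telemetry. The following Python is an added example, not part of this report and not any vendor's rule set; it runs three checks over constructed Sysmon-style Event ID 1 records (pid, ppid, image, command line) modelled on the process tree in this report, plus invented benign certutil/regsvr32 rows that must not fire. The rule names, the script-host list and the bounded ancestor walk are the example's own choices.

```python
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
MAX_ANCESTORS = 4  # bounded walk: PIDs get reused, so never chase parents indefinitely

DECODE_RE = re.compile(r"(?:^|\s)[-/]decode(?:hex)?\b", re.I)
JS_TO_BAT_RE = re.compile(r"\bcopy\b.*\.js\b.*\.bat\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# CONSTRUCTED Sysmon Event ID 1-style records (only the fields the rules need).
# PIDs 2416/2240/2056/1524/1332 mirror the tree in this report; the 3xxx rows
# are invented benign controls that must not fire.
EVENTS: List[dict] = [
    {"pid": 2416, "ppid": 1000, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js"},
    {"pid": 2240, "ppid": 2416, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js" '
            r'"C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat" && "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat"'},
    {"pid": 2056, "ppid": 2240, "image": r"C:\Windows\system32\findstr.exe",
     "cmd": r'findstr /V carelesspart ""C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat""'},
    {"pid": 1524, "ppid": 2240, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": "certutil -f -decode spraydevelop tailstitch.dll"},
    {"pid": 1332, "ppid": 2240, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": "regsvr32 tailstitch.dll"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -verify -urlfetch cert.cer"},
    {"pid": 3001, "ppid": 1000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec /i setup.msi"},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def index(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def ancestors(by_pid: Dict[int, dict], pid: int) -> List[dict]:
    """Parent chain of `pid`, nearest first, bounded by MAX_ANCESTORS and cycle-safe."""
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen and len(chain) < MAX_ANCESTORS:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def under_script_host(by_pid: Dict[int, dict], pid: int) -> bool:
    return any(basename(a["image"]) in SCRIPT_HOSTS for a in ancestors(by_pid, pid))


def regsvr32_target(cmd: str) -> str:
    """Last non-switch argument of a regsvr32 command line, quotes removed."""
    tokens = re.findall(r'"[^"]*"|\S+', cmd)[1:]
    args = [t.strip('"') for t in tokens if not t.startswith("/")]
    return args[-1] if args else ""


def detect(events: List[dict]) -> List[Tuple[str, int]]:
    """Three rules for the chain in this report; returns one (rule, pid) per hit."""
    by_pid = index(events)
    hits: List[Tuple[str, int]] = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmd"]
        if name == "cmd.exe" and JS_TO_BAT_RE.search(cmd):
            hits.append(("script_copied_to_bat", e["pid"]))
        elif name == "certutil.exe" and DECODE_RE.search(cmd) and under_script_host(by_pid, e["pid"]):
            hits.append(("certutil_decode_under_script_host", e["pid"]))
        elif name == "regsvr32.exe":
            target = regsvr32_target(cmd)
            # A relative DLL path resolves against the current directory (here %TEMP%),
            # which is as untrusted as an explicit AppData/ProgramData path.
            if (not ABS_PATH_RE.match(target) or USER_WRITABLE_RE.search(target)
                    or under_script_host(by_pid, e["pid"])):
                hits.append(("regsvr32_untrusted_dll", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The ancestor walk is capped and cycle-safe on purpose: process-creation logs are keyed by PID, and PIDs are reused, so an unbounded parent walk can loop or attach an unrelated lineage. The regsvr32 rule flags a bare `tailstitch.dll` because regsvr32 resolves a relative name against the working directory, which for this chain is the user's Temp folder.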

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_50862162.js" "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat" && "C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\system32\findstr.exe
        findstr /V carelesspart ""C:\Users\Admin\AppData\Local\Temp\\mercifullean.bat""
        3⤵
          PID:2056
        • C:\Windows\system32\certutil.exe
          certutil -f -decode spraydevelop tailstitch.dll
          3⤵
            PID:1524
          • C:\Windows\system32\regsvr32.exe
            regsvr32 tailstitch.dll
            3⤵
            • Loads dropped DLL
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:1332
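The tree above runs findstr /V, certutil -decode and regsvr32 in sequence: the .js is copied to mercifullean.bat, lines not containing the marker carelesspart are written out (the page shows the findstr command but not its redirection, so the output file is inferred to be spraydevelop from the certutil line), certutil decodes that into tailstitch.dll, and regsvr32 loads it. The following Python is an added example, not part of this report and not the sample's own code; it replays the first two steps offline on a CONSTRUCTED stand-in for mercifullean.bat and checks the result for a PE header before hashing it. The assumption that the surviving lines are the base64 payload, the `%~f0` self-reference in the constructed batch lines, and the 68-byte PE stub are all the example's own, not facts from the report.

```python
import base64
import binascii
import hashlib
import struct
from typing import Dict, Tuple

# Marker taken from the sandbox command line: findstr /V carelesspart <bat>
MARKER = "carelesspart"


def strip_marker_lines(text: str, marker: str) -> str:
    """Offline equivalent of `findstr /V <marker> <file>`: keep only lines that
    do NOT contain the marker. Assumption: the script logic lines carry the
    marker and the surviving lines are the encoded payload."""
    return "\n".join(ln for ln in text.splitlines() if marker not in ln) + "\n"


def certutil_decode(text: str) -> bytes:
    """Approximation of `certutil -f -decode`: optional PEM armor lines
    (-----BEGIN ... / -----END ...) are skipped, whitespace is ignored and the
    rest is strict base64. Raises binascii.Error on junk, as certutil fails."""
    body = "".join(
        ln.strip() for ln in text.splitlines()
        if ln.strip() and not ln.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def is_pe(data: bytes) -> bool:
    """MZ signature plus 'PE\\0\\0' at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze_polyglot(text: str, marker: str = MARKER) -> Dict[str, object]:
    """Replay findstr /V -> certutil -decode -> PE check on the text of the
    JS/BAT polyglot and return what an analyst would record for the drop."""
    try:
        decoded = certutil_decode(strip_marker_lines(text, marker))
    except binascii.Error:
        decoded = b""
    return {
        "decoded": decoded,
        "size": len(decoded),
        "is_pe": is_pe(decoded),
        "sha256": sha256_hex(decoded) if decoded else None,
    }


def build_sample() -> Tuple[str, bytes]:
    """CONSTRUCTED stand-in for mercifullean.bat (not the real file): a 68-byte
    minimal PE stub, base64-encoded with certutil-style armor, wrapped in
    batch lines that each carry the marker. Returns (text, expected_payload)."""
    payload = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
    b64 = base64.b64encode(payload).decode()
    lines = [
        "@echo off & rem carelesspart",
        'findstr /V carelesspart "%~f0" > spraydevelop & rem carelesspart',
        "-----BEGIN CERTIFICATE-----",
        *[b64[i:i + 64] for i in range(0, len(b64), 64)],
        "-----END CERTIFICATE-----",
        "certutil -f -decode spraydevelop tailstitch.dll & rem carelesspart",
        "regsvr32 tailstitch.dll & rem carelesspart",
    ]
    return "\n".join(lines) + "\n", payload


if __name__ == "__main__":
    sample_text, _ = build_sample()
    report = analyze_polyglot(sample_text)
    print(f"decoded {report['size']} bytes, PE={report['is_pe']}, sha256={report['sha256']}")
```

Run against the real mercifullean.bat, `analyze_polyglot` should yield a 4.4MB PE whose SHA256 matches the tailstitch.dll entry under Downloads; a non-PE result or a base64 error means the marker or the layout assumption is wrong for that sample and the batch needs to be read by hand.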

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\mercifullean.bat

        Filesize

        5.9MB

        MD5

        06b78388e5785d4b2933672d4e9ded74

        SHA1

        fe7ce04cbcd5de3d4b17034149518c325441b6db

        SHA256

        0a2b6a17137991a8c39c1e7571ef211ed281fa7fc1d6691eba70bbacd40d739b

        SHA512

        64f02712551e733881978a84569f6d9eb27abfba4746f703d8b24894421d9f7ecb93bb91689a7faa197878231f659138f226f510d08ef02a8e57e4a03f7bb264

      • C:\Users\Admin\AppData\Local\Temp\spraydevelop

        Filesize

        5.8MB

        MD5

        00e6818fc3c6403b9e01ada5c7fa0aad

        SHA1

        bf9e6b1e58468109abab919553f7101e1a62ee8e

        SHA256

        e6da9f6b5dd70333dd333c24fdd72e74ea1352fb0fdfa6ed8fa58f3a3afa286a

        SHA512

        a05060086019d6455d458f79c631bb7d0b868b3bd57e9e2cef702e9ea73cd0c2996133fd7be30bc38c824719293f3ffe063008a1f2f26975efe80d2e749cc5aa

      • C:\Users\Admin\AppData\Local\Temp\tailstitch.dll

        Filesize

        4.4MB

        MD5

        11554db63b6bce5e73c385980d5bb0f4

        SHA1

        f7b6a42212981b29ce90f9a92b9a83b30772f970

        SHA256

        f99c9e0477e89dafc30d9b1c91c4ee08e5f27e72c0966fb7a44cf7a8f8457c2b

        SHA512

        cec79e8f63012e5365441e289f4f5949b37b296f3a3d6fe60f27c37c1eca7334990b8a50d0aec60ac448aa1173be03b127c1a18fb96496093b341b76afff3982

      • \Users\Admin\AppData\Local\Temp\tailstitch.dll

        Filesize

        4.4MB

        MD5

        11554db63b6bce5e73c385980d5bb0f4

        SHA1

        f7b6a42212981b29ce90f9a92b9a83b30772f970

        SHA256

        f99c9e0477e89dafc30d9b1c91c4ee08e5f27e72c0966fb7a44cf7a8f8457c2b

        SHA512

        cec79e8f63012e5365441e289f4f5949b37b296f3a3d6fe60f27c37c1eca7334990b8a50d0aec60ac448aa1173be03b127c1a18fb96496093b341b76afff3982

      • memory/1332-9831-0x000000006D7C0000-0x000000006DC24000-memory.dmp

        Filesize

        4.4MB

      • memory/1332-9830-0x00000000001B0000-0x00000000001D1000-memory.dmp

        Filesize

        132KB

      • memory/1332-9832-0x00000000001B0000-0x00000000001D1000-memory.dmp

        Filesize

        132KB