Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2023, 10:34
Static task: static1
Behavioral task: behavioral1
  Sample: ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip
  Resource: win10v2004-20231023-en
Behavioral task: behavioral3
  Sample: PDF20378644327750.js
  Resource: win7-20231023-en
General
Target: PDF20378644327750.js
Size: 1.1MB
MD5: 5439e605a33011803acd31ef4f2475cd
SHA1: aeda29b5df8c6c32675a645c89e78cd1cb9263d0
SHA256: 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98
SHA512: 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc
SSDEEP: 24576:rD+huwawbnTLwVB6RlTpeUSDNu9xclel+zFz8j7c:IX+r
Malware Config
Extracted
strela
91.215.85.209
Signatures

Loads dropped DLL (4 IoCs)
  pid   Process
  2664  rundll32.exe
  2664  rundll32.exe
  2664  rundll32.exe
  2664  rundll32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process      procid_target
  PID 1704 wrote to memory of 1160   1704  wscript.exe  28
  PID 1704 wrote to memory of 1160   1704  wscript.exe  28
  PID 1704 wrote to memory of 1160   1704  wscript.exe  28
  PID 1160 wrote to memory of 2668   1160  cmd.exe      30
  PID 1160 wrote to memory of 2668   1160  cmd.exe      30
  PID 1160 wrote to memory of 2668   1160  cmd.exe      30
  PID 1160 wrote to memory of 2716   1160  cmd.exe      31
  PID 1160 wrote to memory of 2716   1160  cmd.exe      31
  PID 1160 wrote to memory of 2716   1160  cmd.exe      31
  PID 1160 wrote to memory of 2664   1160  cmd.exe      32
  PID 1160 wrote to memory of 2664   1160  cmd.exe      32
  PID 1160 wrote to memory of 2664   1160  cmd.exe      32
Processes (process tree; depth shown by indentation)

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js
   PID: 1704
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js" "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat" && "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat"
      PID: 1160
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\findstr.exe
         Command line: findstr /V yvvtruptgthopkwxilzrbnttxkusosxnsktfhipvmptiypaxuf ""C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat""
         PID: 2668

      3. C:\Windows\system32\certutil.exe
         Command line: certutil -f -decode wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
         PID: 2716

      3. C:\Windows\system32\rundll32.exe
         Command line: rundll32 dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll,x
         PID: 2664
         Signatures: Loads dropped DLL
Downloads

Filesize: 790KB
MD5: 1376545af4612c696f527acb2e5de091
SHA1: 59fdb448fc3169edb06cae100063444df9118397
SHA256: b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1
SHA512: ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7

Filesize: 1.1MB
MD5: 5439e605a33011803acd31ef4f2475cd
SHA1: aeda29b5df8c6c32675a645c89e78cd1cb9263d0
SHA256: 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98
SHA512: 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc

Filesize: 1.0MB
MD5: bbc12e812d451b56e262307e517a7a07
SHA1: d2cc933d7b98dfe76c8806cf7b3727cf208dfecd
SHA256: 6d17a199731628ae7af3c92b5d1f465d494137f1e324deb3efebc768152bc869
SHA512: 1fde0d39343018877833e6f3121b4513a8d951a30660a91819e74863087e6c13a9fa95bb659ad6fc4d4321017e2721bf9f6f659cc881ff753cdfd53b08e87755