Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2023, 10:34

General

  • Target

    PDF20378644327750.js

  • Size

    1.1MB

  • MD5

    5439e605a33011803acd31ef4f2475cd

  • SHA1

    aeda29b5df8c6c32675a645c89e78cd1cb9263d0

  • SHA256

    93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98

  • SHA512

    3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc

  • SSDEEP

    24576:rD+huwawbnTLwVB6RlTpeUSDNu9xclel+zFz8j7c:IX+r

Score
10/10

Malware Config

Extracted

Family

strela

C2

91.215.85.209

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL (4 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js" "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat" && "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat"
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\system32\findstr.exe
        findstr /V yvvtruptgthopkwxilzrbnttxkusosxnsktfhipvmptiypaxuf ""C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat""
        PID:2668
      • C:\Windows\system32\certutil.exe
        certutil -f -decode wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
        PID:2716
      • C:\Windows\system32\rundll32.exe
        rundll32 dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll,x
        • Loads dropped DLL
        PID:2664

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll

        Filesize

        790KB

        MD5

        1376545af4612c696f527acb2e5de091

        SHA1

        59fdb448fc3169edb06cae100063444df9118397

        SHA256

        b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1

        SHA512

        ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7

      • C:\Users\Admin\AppData\Local\Temp\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat

        Filesize

        1.1MB

        MD5

        5439e605a33011803acd31ef4f2475cd

        SHA1

        aeda29b5df8c6c32675a645c89e78cd1cb9263d0

        SHA256

        93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98

        SHA512

        3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc

      • C:\Users\Admin\AppData\Local\Temp\wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt

        Filesize

        1.0MB

        MD5

        bbc12e812d451b56e262307e517a7a07

        SHA1

        d2cc933d7b98dfe76c8806cf7b3727cf208dfecd

        SHA256

        6d17a199731628ae7af3c92b5d1f465d494137f1e324deb3efebc768152bc869

        SHA512

        1fde0d39343018877833e6f3121b4513a8d951a30660a91819e74863087e6c13a9fa95bb659ad6fc4d4321017e2721bf9f6f659cc881ff753cdfd53b08e87755

      • \Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll

        Filesize

        790KB

        MD5

        1376545af4612c696f527acb2e5de091

        SHA1

        59fdb448fc3169edb06cae100063444df9118397

        SHA256

        b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1

        SHA512

        ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7

      • memory/2664-44-0x000000006D7C0000-0x000000006D88D000-memory.dmp

        Filesize

        820KB

      • memory/2664-45-0x0000000000100000-0x0000000000121000-memory.dmp

        Filesize

        132KB

      • memory/2664-46-0x0000000000100000-0x0000000000121000-memory.dmp

        Filesize

        132KB