Analysis
max time kernel: 143s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2023, 10:34
Static task: static1
Behavioral task: behavioral1
  Sample: ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip
  Resource: win10v2004-20231023-en
Behavioral task: behavioral3
  Sample: PDF20378644327750.js
  Resource: win7-20231023-en
General
Target: PDF20378644327750.js
Size: 1.1MB
MD5: 5439e605a33011803acd31ef4f2475cd
SHA1: aeda29b5df8c6c32675a645c89e78cd1cb9263d0
SHA256: 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98
SHA512: 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc
SSDEEP: 24576:rD+huwawbnTLwVB6RlTpeUSDNu9xclel+zFz8j7c:IX+r
Malware Config
Extracted: strela
91.215.85.209
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe

Loads dropped DLL (1 IoC)
  pid: 388
  Process: rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       | pid  | Process     | procid_target
  PID 2576 wrote to memory of 5084  | 2576 | wscript.exe | 85
  PID 2576 wrote to memory of 5084  | 2576 | wscript.exe | 85
  PID 5084 wrote to memory of 2540  | 5084 | cmd.exe     | 87
  PID 5084 wrote to memory of 2540  | 5084 | cmd.exe     | 87
  PID 5084 wrote to memory of 2140  | 5084 | cmd.exe     | 93
  PID 5084 wrote to memory of 2140  | 5084 | cmd.exe     | 93
  PID 5084 wrote to memory of 388   | 5084 | cmd.exe     | 94
  PID 5084 wrote to memory of 388   | 5084 | cmd.exe     | 94
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js
  PID: 2576
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js" "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat" && "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat"
    PID: 5084
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe
      Command line: findstr /V yvvtruptgthopkwxilzrbnttxkusosxnsktfhipvmptiypaxuf ""C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat""
      PID: 2540

    C:\Windows\system32\certutil.exe
      Command line: certutil -f -decode wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll
      PID: 2140

    C:\Windows\system32\rundll32.exe
      Command line: rundll32 dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll,x
      PID: 388
      Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 790KB
MD5: 1376545af4612c696f527acb2e5de091
SHA1: 59fdb448fc3169edb06cae100063444df9118397
SHA256: b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1
SHA512: ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7

Filesize: 1.1MB
MD5: 5439e605a33011803acd31ef4f2475cd
SHA1: aeda29b5df8c6c32675a645c89e78cd1cb9263d0
SHA256: 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98
SHA512: 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc

Filesize: 1.0MB
MD5: bbc12e812d451b56e262307e517a7a07
SHA1: d2cc933d7b98dfe76c8806cf7b3727cf208dfecd
SHA256: 6d17a199731628ae7af3c92b5d1f465d494137f1e324deb3efebc768152bc869
SHA512: 1fde0d39343018877833e6f3121b4513a8d951a30660a91819e74863087e6c13a9fa95bb659ad6fc4d4321017e2721bf9f6f659cc881ff753cdfd53b08e87755