Analysis Overview
SHA256
afad9b62a94c1a4a51d6ec252c80f93e875d234e448b3a92e0435276dd4f8837
Threat Level: Known bad
The file INVOICE_87016385.js was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-01 16:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-01 16:16
Reported
2023-11-01 16:21
Platform
win7-20231020-en
Max time kernel
120s
Max time network
140s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js" "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat" && "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat"
C:\Windows\system32\findstr.exe
findstr /V strongcurious ""C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode watchbumpy continueapologise.dll
C:\Windows\system32\regsvr32.exe
regsvr32 continueapologise.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\downtownnotice.bat
| MD5 | 534860a3a2a1ff00741586ef5bc75580 |
| SHA1 | 8f638188191e3539c288265aa3dc76ef3b68676b |
| SHA256 | afad9b62a94c1a4a51d6ec252c80f93e875d234e448b3a92e0435276dd4f8837 |
| SHA512 | 1887e5d06e2f8b9b7b95358517c6c7cd47ac2afcf27a5810255df0f6178d6015bc2e8df176ca62f28117db7ec921bc6e7bc32d0dad5c02ea082628734ed6453e |
C:\Users\Admin\AppData\Local\Temp\watchbumpy
| MD5 | 1d48fd778f97a6de0da164e177cee7ff |
| SHA1 | 44acb8b0cb1b78f787a79f6a3feffe4c3f834004 |
| SHA256 | efa7388305de84157a5becba06a30852502bdf3daa6fec7090c92f3c8184e05b |
| SHA512 | 5c8b49c0c7917598a3925a62f74b8be2fc095fd4570113d2c877bd792bd068ce07a6669367659310bd0d69fd01ee94d4227adaaaacc9f130ee0c552fd15f069c |
C:\Users\Admin\AppData\Local\Temp\continueapologise.dll
| MD5 | 19ca30743fe72edf7bd26724d9086b84 |
| SHA1 | fbd5cc2e90817c689934994612027c2eb50c328b |
| SHA256 | fd46a8fbf3c4ad0c102c3ea0e7927c7a7fd15934c02fa6b1be18266de250b97b |
| SHA512 | f5447c2d209fb404f632cd8089e40f5443a32c63f63b4e189b3c5117391fe55eef6330b9deb817ba89647285f55d1f7590e0e94f7121c7d7fc24b056f3f18fea |
\Users\Admin\AppData\Local\Temp\continueapologise.dll
| MD5 | 19ca30743fe72edf7bd26724d9086b84 |
| SHA1 | fbd5cc2e90817c689934994612027c2eb50c328b |
| SHA256 | fd46a8fbf3c4ad0c102c3ea0e7927c7a7fd15934c02fa6b1be18266de250b97b |
| SHA512 | f5447c2d209fb404f632cd8089e40f5443a32c63f63b4e189b3c5117391fe55eef6330b9deb817ba89647285f55d1f7590e0e94f7121c7d7fc24b056f3f18fea |
memory/2480-4705-0x0000000000120000-0x0000000000141000-memory.dmp
memory/2480-4706-0x000000006D7C0000-0x000000006DA55000-memory.dmp
memory/2480-4707-0x0000000000120000-0x0000000000141000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-01 16:16
Reported
2023-11-01 16:19
Platform
win10v2004-20231023-en
Max time kernel
141s
Max time network
198s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1504 wrote to memory of 408 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1504 wrote to memory of 408 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 408 wrote to memory of 780 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 408 wrote to memory of 780 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 408 wrote to memory of 3772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 408 wrote to memory of 3772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 408 wrote to memory of 1932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
| PID 408 wrote to memory of 1932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js" "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat" && "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat"
C:\Windows\system32\findstr.exe
findstr /V strongcurious ""C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode watchbumpy continueapologise.dll
C:\Windows\system32\regsvr32.exe
regsvr32 continueapologise.dll
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\downtownnotice.bat
| MD5 | 534860a3a2a1ff00741586ef5bc75580 |
| SHA1 | 8f638188191e3539c288265aa3dc76ef3b68676b |
| SHA256 | afad9b62a94c1a4a51d6ec252c80f93e875d234e448b3a92e0435276dd4f8837 |
| SHA512 | 1887e5d06e2f8b9b7b95358517c6c7cd47ac2afcf27a5810255df0f6178d6015bc2e8df176ca62f28117db7ec921bc6e7bc32d0dad5c02ea082628734ed6453e |
C:\Users\Admin\AppData\Local\Temp\watchbumpy
| MD5 | 1d48fd778f97a6de0da164e177cee7ff |
| SHA1 | 44acb8b0cb1b78f787a79f6a3feffe4c3f834004 |
| SHA256 | efa7388305de84157a5becba06a30852502bdf3daa6fec7090c92f3c8184e05b |
| SHA512 | 5c8b49c0c7917598a3925a62f74b8be2fc095fd4570113d2c877bd792bd068ce07a6669367659310bd0d69fd01ee94d4227adaaaacc9f130ee0c552fd15f069c |
C:\Users\Admin\AppData\Local\Temp\continueapologise.dll
| MD5 | 19ca30743fe72edf7bd26724d9086b84 |
| SHA1 | fbd5cc2e90817c689934994612027c2eb50c328b |
| SHA256 | fd46a8fbf3c4ad0c102c3ea0e7927c7a7fd15934c02fa6b1be18266de250b97b |
| SHA512 | f5447c2d209fb404f632cd8089e40f5443a32c63f63b4e189b3c5117391fe55eef6330b9deb817ba89647285f55d1f7590e0e94f7121c7d7fc24b056f3f18fea |
memory/1932-4705-0x0000000002B10000-0x0000000002B31000-memory.dmp
memory/1932-4706-0x000000006D7C0000-0x000000006DA55000-memory.dmp