Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12-01-2024 10:31

Static task: static1
Behavioral task: behavioral1
Sample: INVOICE_17885_2045310320.js
Resource: win7-20231215-en
General

Target: INVOICE_17885_2045310320.js
Size: 5.3MB
MD5: a3134285c9755a420030fc7622e231e1
SHA1: eae99bc500c42855c20852865a1dec2f3dfff4d0
SHA256: a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4
SHA512: be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3
SSDEEP: 24576:38Fs5UQdcN5s35iYf3EC31nVRJcrrev1runFRy0DA0GVk23dBqxr/oWdjfdXHMn0:5oyDeC8LbQGEUbUm
Malware Config

Extracted
Family: strela
C2: 193.109.85.77
Signatures

Loads dropped DLL (4 IoCs)
  pid   Process
  1728  rundll32.exe
  1728  rundll32.exe
  1728  rundll32.exe
  1728  rundll32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid   Process       procid_target
  PID 2796 wrote to memory of 2292     2796  wscript.exe   28
  PID 2796 wrote to memory of 2292     2796  wscript.exe   28
  PID 2796 wrote to memory of 2292     2796  wscript.exe   28
  PID 2292 wrote to memory of 2732     2292  cmd.exe       30
  PID 2292 wrote to memory of 2732     2292  cmd.exe       30
  PID 2292 wrote to memory of 2732     2292  cmd.exe       30
  PID 2292 wrote to memory of 1680     2292  cmd.exe       31
  PID 2292 wrote to memory of 1680     2292  cmd.exe       31
  PID 2292 wrote to memory of 1680     2292  cmd.exe       31
  PID 2292 wrote to memory of 1968     2292  cmd.exe       32
  PID 2292 wrote to memory of 1968     2292  cmd.exe       32
  PID 2292 wrote to memory of 1968     2292  cmd.exe       32
  PID 1968 wrote to memory of 1728     1968  cmd.exe       33
  PID 1968 wrote to memory of 1728     1968  cmd.exe       33
  PID 1968 wrote to memory of 1728     1968  cmd.exe       33
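The WriteProcessMemory entries above describe one parent/child chain: wscript.exe spawns cmd.exe, which copies the .js to a .bat and relaunches it; that cmd.exe runs findstr /V, certutil -decode and a second cmd.exe; the second cmd.exe launches rundll32 on the decoded DLL. The following detection script is an added example, not part of this report or of any vendor's tooling. It replays process-creation events constructed to mirror this tree (plus two benign decoys) and flags each stage by its parent lineage and command-line shape rather than by the random file names, so it also catches other samples of the same dropper pattern. The event field names (pid, ppid, image, cmd), the decoy events and the rule wording are assumptions.

```python
"""Flag the wscript -> cmd -> findstr / certutil -> cmd -> rundll32 dropper chain
in process-creation telemetry (Sysmon event 1 or an EDR equivalent).

Added example. EVENTS is constructed to mirror the report's process tree, with
two benign decoys appended; field names are assumptions, not a vendor schema.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TMP = r"C:\Users\Admin\AppData\Local\Temp"  # shortens the constructed command lines

EVENTS = [
    {"pid": 2796, "ppid": 1000, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": rf"wscript.exe {TMP}\INVOICE_17885_2045310320.js"},
    {"pid": 2292, "ppid": 2796, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": rf'"C:\Windows\System32\cmd.exe" /k copy "{TMP}\INVOICE_17885_2045310320.js" '
            rf'"{TMP}\\rhythmmask.bat" && "{TMP}\\rhythmmask.bat"'},
    {"pid": 2732, "ppid": 2292, "image": r"C:\Windows\system32\findstr.exe",
     "cmd": rf'findstr /V formfamiliar ""{TMP}\\rhythmmask.bat""'},
    {"pid": 1680, "ppid": 2292, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": "certutil -f -decode jellyfascinated pastoraldisturbed.dll"},
    {"pid": 1968, "ppid": 2292, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": "cmd /c rundll32 pastoraldisturbed.dll,x"},
    {"pid": 1728, "ppid": 1968, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32 pastoraldisturbed.dll,x"},
    # Benign decoys (constructed): an admin decoding a certificate, a normal rundll32 call.
    {"pid": 3100, "ppid": 1000, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": r"certutil -decode C:\certs\ca.b64 C:\certs\ca.cer"},
    {"pid": 3200, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(ppid, by_pid):
    """Image basenames of a process's ancestors, nearest parent first."""
    chain, seen = [], set()
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(basename(by_pid[ppid]["image"]))
        ppid = by_pid[ppid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule) hits. Events are assumed to be in creation order."""
    by_pid = {e["pid"]: e for e in events}
    decoded = {}  # basename of a certutil -decode output -> certutil pid
    hits = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmd"]
        under_script = any(a in SCRIPT_HOSTS for a in lineage(e["ppid"], by_pid))
        # Stage 1: a script host's cmd.exe copies the .js to a .bat (same bytes run as both).
        if (name == "cmd.exe" and under_script
                and re.search(r'\bcopy\s+"?[^"]*\.js"?\s+"?[^"]*\.bat"?', cmd, re.I)):
            hits.append((e["pid"], "script host copies its .js to a .bat and relaunches it"))
        # Stage 2: findstr /V strips the marker lines, leaving the base64 body.
        if name == "findstr.exe" and under_script and re.search(r"\s/V\s", cmd, re.I):
            hits.append((e["pid"], "findstr /V strips marker lines from the dropped script"))
        # Stage 3: certutil -decode writes the payload; remember the output name.
        if name == "certutil.exe":
            m = re.search(r"-decode(?:hex)?\s+(\S+)\s+(\S+)", cmd, re.I)
            if m:
                out = basename(m.group(2))
                decoded[out] = e["pid"]
                if under_script or out.endswith((".dll", ".exe")):
                    hits.append((e["pid"], f"certutil decodes payload to {out}"))
        # Stage 4: rundll32 loads the decoded DLL (or any non-system DLL under a script host).
        if name == "rundll32.exe":
            m = re.search(r'rundll32(?:\.exe)?\s+"?([^\s,"]+)"?\s*,\s*(\S+)', cmd, re.I)
            if m:
                dll, export = basename(m.group(1)), m.group(2)
                if dll in decoded:
                    hits.append((e["pid"], f"rundll32 runs certutil-decoded {dll}!{export}"))
                elif under_script and "\\windows\\" not in m.group(1).lower():
                    hits.append((e["pid"], f"rundll32 under script host loads {dll}!{export}"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule keys on lineage (a script host somewhere above the process) plus one command-line feature, so renaming the marker, the .bat or the DLL does not evade it; the two decoys fall through because they have no script-host ancestor and certutil's output is not a PE extension. On real telemetry, feed the events in creation order so the certutil output name is known before the rundll32 event is seen.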
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js
  PID: 2796
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"
    PID: 2292
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe
      Command line: findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""
      PID: 2732

    C:\Windows\system32\certutil.exe
      Command line: certutil -f -decode jellyfascinated pastoraldisturbed.dll
      PID: 1680

    C:\Windows\system32\cmd.exe
      Command line: cmd /c rundll32 pastoraldisturbed.dll,x
      PID: 1968
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe
        Command line: rundll32 pastoraldisturbed.dll,x
        PID: 1728
        Signatures: Loads dropped DLL
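The findstr and certutil command lines in the tree show how the DLL is unpacked: cmd copies the .js to rhythmmask.bat and runs it as a batch file, findstr /V drops every line containing the word formfamiliar, and certutil -f -decode turns what remains into pastoraldisturbed.dll. The findstr output presumably goes into the file jellyfascinated via a redirection that cmd handles itself and that therefore never appears in the logged command line; that is an inference, not something the report states. The script below is an added example, not from this report: it reproduces the two unpacking steps in Python on a constructed stand-in for the dropper (marker-tagged lines around a base64 blob of a fake MZ stub, not a real DLL), so an analyst can carve the payload offline instead of running the sample. The stand-in's layout and file names are assumptions, and the certutil emulation is stricter than the real tool.

```python
"""Carve a certutil-encoded payload out of a findstr/certutil dropper offline.

Added example. SAMPLE is a constructed stand-in for the dropper: lines that
carry MARKER stand for its script/batch logic, the remaining lines are the
base64 body that certutil -decode would consume. FAKE_DLL is an MZ-headed
stub built for the demo, not a real DLL.
"""
import base64
import re

MARKER = "formfamiliar"  # the word the report shows being passed to findstr /V
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"constructed-stub-not-a-real-dll"


def _b64_lines(data, width=64):
    """Base64-encode and wrap at a fixed width, like a certificate body."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + width] for i in range(0, len(text), width)]


SAMPLE = "\r\n".join(
    [f"// {MARKER} JScript prologue (constructed, not executable)",
     f"copy %~f0 rhythmmask.bat :: {MARKER}",
     "-----BEGIN CERTIFICATE-----",
     *_b64_lines(FAKE_DLL),
     "-----END CERTIFICATE-----",
     f"certutil -f -decode jellyfascinated pastoraldisturbed.dll :: {MARKER}"]
) + "\r\n"


def findstr_v(text, marker):
    """Emulate `findstr /V marker file`: keep only lines that do not contain
    the marker. findstr matches case-sensitively unless /I is given."""
    return [ln for ln in text.splitlines() if marker not in ln]


_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def certutil_decode(lines):
    """Approximate `certutil -decode`: skip blank and -----BEGIN/END----- lines,
    join the base64 body and decode it strictly. Real certutil is more lenient."""
    body = []
    for ln in lines:
        s = ln.strip()
        if not s or (s.startswith("-----") and s.endswith("-----")):
            continue
        if not _B64_LINE.match(s):
            raise ValueError(f"non-base64 line survived filtering: {s[:40]!r}")
        body.append(s)
    return base64.b64decode("".join(body), validate=True)


def carve_payload(text, marker):
    """findstr /V, then certutil -decode, then a sanity check for a PE image."""
    blob = certutil_decode(findstr_v(text, marker))
    if blob[:2] != b"MZ":
        raise ValueError("decoded payload does not start with an MZ header")
    return blob


if __name__ == "__main__":
    payload = carve_payload(SAMPLE, MARKER)
    print(f"carved {len(payload)} bytes, MZ header present")
```

For a real sample, read the .js as text, pass the word from the findstr /V command line as the marker, and write the returned bytes to disk for static analysis; if certutil_decode raises, a non-marker line is interleaved with the base64 body and the marker or the filtering step needs adjusting.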
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 969KB
MD5: d13b3301032f805c7ef6c4db65ab7517
SHA1: e41ef07de3d051e5b48e26e3ee9bef3655df2b1c
SHA256: 7535ebd4df3bd62a496c03ba8cf206a90975617822509bb1dbd3201898b1f542
SHA512: 099f1aad424a74cbc4ebe76356be6370796ad26ecf3eb9e212df8e100fadc00eff5dc8e3b1376f2a8d683a904d7b22394c1420a42bf6be8f843cce4e1c06fd17

Filesize: 651KB
MD5: d49ebbe435403196599ac66609fb9ed6
SHA1: 0078e421e01c7dd1f0a07b02ce81acfb8a814996
SHA256: 5bf9a3416abddcb0761f9dae2512ac2d840d23f1b3ae870fef73dd249c48a26b
SHA512: d7b129a10c6f4792302178a8799b7bd9b3197b1548a1fa35817f0671bdef8088f3c50dc894615b9b8fddc5deadb30ea2db8665e53d5f40bf79a15a79391285bf

Filesize: 5.3MB
MD5: a3134285c9755a420030fc7622e231e1
SHA1: eae99bc500c42855c20852865a1dec2f3dfff4d0
SHA256: a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4
SHA512: be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3

Filesize: 3.3MB
MD5: 0a2442a55a7c864f5521f77692123503
SHA1: f13f71c1ae76f37aa764baf9116424c9ee6c2bab
SHA256: b73e9d1ef20dc259a939b0156bdef390b7b06791726d7c39e68e0bd4d138f8da
SHA512: fb275a65ed287b8f5ffc10576015e45ed1770dae74846e5cdf98e680a51b915791b79e48bf3dbbbaf9bef652220f662603bcc684f89ef37354022f1d561f335b

Filesize: 1.2MB
MD5: a9e2379ab5ea2bf143d3a6c1fc32cae2
SHA1: 0168e1e0824a3034043aac75e3181cc4d2bcd3cc
SHA256: ebec35dbc6046aea1baa205c83eca4cb34c914481845c1d61c94721e8b20a5fb
SHA512: b260f2eed9778951087741a2b8ead05c234eaf7e32afa966740f6b13ad1bb4a1ae79c0494c55baeeeec7df8dfaa28d749f3d8f208739da6e748100f15527b166

Filesize: 718KB
MD5: 36300033218ae6f442138fa587d16fa8
SHA1: c7f7d45b26844016feebd482849e04117508492e
SHA256: a879db27e8045ea131a84cb620062b16420393a3503432efd3bbab7c03135140
SHA512: 45738d3ac27834fde52fcd4fb232eb1abbfa8b60f44cc6aa107bddd852cddaafc33a3980d347a119238295bd0bf0e031eba22b3ff0aaf65e7b551475f9dc4732

Filesize: 767KB
MD5: 6614f476fb63899ad46ba6a16d63acdf
SHA1: 7893c04aab53ed46bb619d9daa09d3eea6d13b27
SHA256: 2efc86df4c610345726344329166b23c603ad65d4f4568dafc2be4ae87f487d7
SHA512: 5690dd8ace834d17d76f20935de9e0efea60233ca498f15bebd8a74e9a75098b99f0763ace1f81631e0dc8bb9b5a7124cce126b51c508d439ca53d3d48684d53

Filesize: 754KB
MD5: a3d946e2257b73855ec73e7e88f678ec
SHA1: 59f744b63e0b7b3f96a3fd547e1f3ee2f55264e3
SHA256: b7d09a665f1cef173b356cb5e247e8772191509aeb4bb9207702a7086772a5fa
SHA512: 73c0fd2834f19f4195163f79f1b5d7087e65897ae1fc4371bf9f565ae7128d518f702b435b41b5a87687f0b3aba47f77bf26660db5b13a94418a298a77887802