Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-01-2024 10:31

General

  • Target

    INVOICE_17885_2045310320.js

  • Size

    5.3MB

  • MD5

    a3134285c9755a420030fc7622e231e1

  • SHA1

    eae99bc500c42855c20852865a1dec2f3dfff4d0

  • SHA256

    a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4

  • SHA512

    be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3

  • SSDEEP

    24576:38Fs5UQdcN5s35iYf3EC31nVRJcrrev1runFRy0DA0GVk23dBqxr/oWdjfdXHMn0:5oyDeC8LbQGEUbUm

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail client credentials, first seen in late 2022.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry; likely a geofence check.

  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Windows\system32\findstr.exe
        findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""
        3⤵
        PID:3444
      • C:\Windows\system32\certutil.exe
        certutil -f -decode jellyfascinated pastoraldisturbed.dll
        3⤵
        PID:2416
      • C:\Windows\system32\cmd.exe
        cmd /c rundll32 pastoraldisturbed.dll,x
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1760
  • C:\Windows\system32\rundll32.exe
    rundll32 pastoraldisturbed.dll,x
    1⤵
    • Loads dropped DLL
    PID:772
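
The process tree above is a textbook LOLBin staging chain: the .js lure is copied to a .bat, findstr /V strips the lines carrying a marker string so that only a base64 blob remains, certutil -decode turns that blob into a DLL, and rundll32 calls a one-letter export. As an added example (not part of the report and not any vendor's detection content), the Python below scores that chain the way a detection engineer would: per-process rules for each LOLBin abuse, then correlation across the process tree so that a single certutil or findstr invocation does not page anyone but the whole chain does. The events are constructed from the command lines in the tree; the parent PIDs and the three benign events are assumptions added for the demonstration.

```python
import re

# Constructed process-creation events. Images and command lines are taken
# from the report's process tree; ppid values and the three benign events at
# the end are assumptions added for this demonstration.
EVENTS = [
    {"pid": 392,  "ppid": 100,  "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js"},
    {"pid": 4672, "ppid": 392,  "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"'},
    {"pid": 3444, "ppid": 4672, "image": r"C:\Windows\system32\findstr.exe",
     "cmd": r'findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""'},
    {"pid": 2416, "ppid": 4672, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": "certutil -f -decode jellyfascinated pastoraldisturbed.dll"},
    {"pid": 1760, "ppid": 4672, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": "cmd /c rundll32 pastoraldisturbed.dll,x"},
    {"pid": 772,  "ppid": 1760, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32 pastoraldisturbed.dll,x"},
    # Benign activity (constructed) that each single rule must not flag.
    {"pid": 9001, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c copy C:\build\app.js C:\build\out\app.js'},
    {"pid": 9002, "ppid": 100, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": r"certutil -verify C:\certs\server.cer"},
    {"pid": 9003, "ppid": 100, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

SCRIPT_EXT = r"\.(?:js|jse|vbs|vbe|wsf|hta)"


def _image_is(event, name):
    return event["image"].lower().endswith(name)


# Each rule is (name, predicate). They are deliberately narrow: the chain is
# what makes this malicious, not any one command on its own.
RULES = [
    ("script_copied_to_bat",
     lambda e: _image_is(e, "cmd.exe")
     and re.search(r"\bcopy\b.*" + SCRIPT_EXT + r"\b.*\.bat\b", e["cmd"], re.I) is not None),
    ("findstr_v_strips_marker_from_bat",
     lambda e: _image_is(e, "findstr.exe")
     and re.search(r"\s/v\b", e["cmd"], re.I) is not None
     and re.search(r"\.bat\b", e["cmd"], re.I) is not None),
    ("certutil_decode_to_pe",
     lambda e: _image_is(e, "certutil.exe")
     and re.search(r"-decode\b", e["cmd"], re.I) is not None
     and re.search(r"\.(?:dll|exe|scr)\b", e["cmd"], re.I) is not None),
    # DLL given by a bare relative name (no drive or UNC path) plus a very
    # short export name, as in "pastoraldisturbed.dll,x".
    ("rundll32_relative_dll_short_export",
     lambda e: _image_is(e, "rundll32.exe")
     and re.search(r"rundll32(?:\.exe)?\s+(?![a-z]:\\|\\\\)[^\s,]+\.dll,\w{1,3}(?=\s|$)",
                   e["cmd"], re.I) is not None),
]


def scan(events):
    """Return {pid: [rule names]} for every event that matches at least one rule."""
    hits = {}
    for e in events:
        names = [name for name, pred in RULES if pred(e)]
        if names:
            hits[e["pid"]] = names
    return hits


def root_of(pid, parents):
    """Walk ppid links up to the oldest ancestor present in the event set."""
    while pid in parents and parents[pid] in parents:
        pid = parents[pid]
    return pid


def correlate(events, min_rules=3):
    """Group rule hits by process-tree root. A root whose subtree triggers at
    least min_rules distinct rules is reported as a staging chain."""
    parents = {e["pid"]: e["ppid"] for e in events}
    chains = {}
    for pid, names in scan(events).items():
        chains.setdefault(root_of(pid, parents), set()).update(names)
    return {root: sorted(names) for root, names in chains.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for root, names in correlate(EVENTS).items():
        print(f"staging chain rooted at PID {root}: {', '.join(names)}")
```

Run stand-alone it reports one chain rooted at the wscript.exe process (PID 392) with all four rules firing, and nothing for the three benign events. In production the same correlation keys on the process GUID or the tree root rather than on reused PIDs, and a single-rule hit on certutil -decode is still worth a low-severity record for hunting.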

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\jellyfascinated

    Filesize

    5.2MB

    MD5

    f25ccc6a8ea2939b56ba49c565315a09

    SHA1

    dd7e6834d648fc6e23a4e786f663f6b8956822a0

    SHA256

    650cf0f80f4a18c0ace89fcc09782c2cfbe3c5b4326dc30e731bf06325fbeee3

    SHA512

    d9da2bff35c1362b4b6422bc17ae8b5f264a697d0d4af9c3c8d8f7bcce8b327e994399f9fa619e9f63c66d505da73232c0832327b3b084c1fe6649f8761aca89

  • C:\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll

    Filesize

    3.9MB

    MD5

    8c895b48f64861004d2b88f62c01822f

    SHA1

    00fee5c36ad5037b48d4ed031d485a1a20245258

    SHA256

    20e1ff405cc7cae8fceb2a885198ce75db79f47a1e96972948a17a86ebf31345

    SHA512

    bc99b7fb3079bed612f0814267ed7acb6901e4259785abda4cf2e8ab50feb2c6a6012bb403ea521dd478783f76edd0bf2362feceed4bee06287aad55536c4697

  • C:\Users\Admin\AppData\Local\Temp\rhythmmask.bat

    Filesize

    5.3MB

    MD5

    a3134285c9755a420030fc7622e231e1

    SHA1

    eae99bc500c42855c20852865a1dec2f3dfff4d0

    SHA256

    a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4

    SHA512

    be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3

  • memory/772-6834-0x00007FF9A8400000-0x00007FF9A87E5000-memory.dmp

    Filesize

    3.9MB

  • memory/772-6835-0x0000015E59720000-0x0000015E59741000-memory.dmp

    Filesize

    132KB

  • memory/772-6836-0x0000015E59720000-0x0000015E59741000-memory.dmp

    Filesize

    132KB
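
The dropped-file list is internally consistent: rhythmmask.bat is a byte-for-byte copy of the submitted .js (identical hashes), jellyfascinated is the marker-stripped base64 text (5.2MB), and pastoraldisturbed.dll is its decoded form (3.9MB, the expected 3/4 of the base64 size). An analyst who receives only the lure can therefore carve the DLL without detonating anything. As an added example (not part of the report), the Python below reproduces the findstr /V plus certutil -decode step offline on a constructed stand-in for the polyglot and validates the result as a PE. It assumes, as the report's command lines suggest, that every non-payload line of the file carries the marker string; a real sample that breaks that assumption fails the base64 validation rather than yielding garbage.

```python
import base64
import hashlib
import struct

MARKER = b"formfamiliar"  # the string the sample's findstr /V drops (from the report)


def carve(polyglot: bytes, marker: bytes = MARKER) -> bytes:
    """Offline equivalent of `findstr /V <marker> file` followed by
    `certutil -f -decode`: drop every line containing the marker, tolerate
    PEM-style ----- header/footer lines as certutil does, and base64-decode
    the rest. validate=True makes leftover script text an error instead of
    silently decoding to junk."""
    kept = []
    for line in polyglot.splitlines():
        if marker in line or line.startswith(b"-----"):
            continue
        kept.append(line.strip())
    return base64.b64decode(b"".join(kept), validate=True)


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def expansion_ratio(encoded_len: int, decoded_len: int) -> float:
    """Base64 grows data by 4/3; a dropped file pair far from that ratio was
    not produced by a plain decode (the report's 5.2MB -> 3.9MB fits)."""
    return encoded_len / decoded_len


def build_fake_pe() -> bytes:
    """Constructed payload with a valid DOS stub pointer and PE signature;
    stands in for pastoraldisturbed.dll, which is not included here."""
    header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    return header + b"\x90" * 200


def build_sample(payload: bytes, marker: bytes = MARKER) -> bytes:
    """Constructed stand-in for the .js/.bat polyglot: script lines carry
    the marker so findstr /V removes them; the payload rides as base64."""
    b64 = base64.b64encode(payload)
    lines = [b"// " + marker + b" JS side of the lure (constructed)",
             b"rem " + marker + b" batch side of the lure (constructed)"]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(b"rem " + marker + b" end")
    return b"\r\n".join(lines) + b"\r\n"


def triage(polyglot: bytes) -> dict:
    """Carve, validate and hash the embedded DLL; what an analyst logs."""
    decoded = carve(polyglot)
    return {
        "is_pe": is_pe(decoded),
        "size": len(decoded),
        "sha256": hashlib.sha256(decoded).hexdigest(),
        "ratio": round(expansion_ratio(len(polyglot), len(decoded)), 2),
    }


if __name__ == "__main__":
    print(triage(build_sample(build_fake_pe())))
```

For the real lure, read INVOICE_17885_2045310320.js as bytes, call carve() with the marker seen in the findstr command line, and compare the SHA256 of the result with the pastoraldisturbed.dll hash in the report before loading anything into a debugger.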