Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-01-2024 10:31

Static task: static1
Behavioral task: behavioral1
Sample: INVOICE_17885_2045310320.js
Resource: win7-20231215-en
General
Target: INVOICE_17885_2045310320.js
Size: 5.3MB
MD5: a3134285c9755a420030fc7622e231e1
SHA1: eae99bc500c42855c20852865a1dec2f3dfff4d0
SHA256: a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4
SHA512: be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3
SSDEEP: 24576:38Fs5UQdcN5s35iYf3EC31nVRJcrrev1runFRy0DA0GVk23dBqxr/oWdjfdXHMn0:5oyDeC8LbQGEUbUm
Malware Config
Extracted
strela
193.109.85.77
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                          Process
Key value queried  \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation   wscript.exe

Loads dropped DLL (1 IoC)
pid  Process
772  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
description                        pid   Process      procid_target
PID 392 wrote to memory of 4672    392   wscript.exe  87
PID 392 wrote to memory of 4672    392   wscript.exe  87
PID 4672 wrote to memory of 3444   4672  cmd.exe      99
PID 4672 wrote to memory of 3444   4672  cmd.exe      99
PID 4672 wrote to memory of 2416   4672  cmd.exe      100
PID 4672 wrote to memory of 2416   4672  cmd.exe      100
PID 4672 wrote to memory of 1760   4672  cmd.exe      102
PID 4672 wrote to memory of 1760   4672  cmd.exe      102
PID 1760 wrote to memory of 772    1760  cmd.exe      101
PID 1760 wrote to memory of 772    1760  cmd.exe      101
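The WriteProcessMemory events above give the full parent chain of the run: wscript.exe (392) spawns cmd.exe (4672), which spawns findstr.exe, certutil.exe and a second cmd.exe (1760), which spawns rundll32.exe (772). That lineage, not any single command line, is what separates this chain from legitimate certutil or rundll32 use. The following is an added example, not part of the sandbox report: it encodes the chain as detection logic over process-creation events. The events are constructed to mirror the report's PIDs and command lines (plus one benign certutil control), and the field names pid/ppid/image/cmdline are an assumption rather than any particular EDR schema.

```python
"""Detect the wscript -> cmd -> certutil/rundll32 drop chain from process events.

Added example, not from the report. EVENTS is constructed to mirror the
report's process tree; the record layout (pid, ppid, image, cmdline) is
assumed, not taken from a specific EDR or Sysmon field set.
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed process-creation events mirroring the report's PIDs and command lines.
EVENTS = [
    {"pid": 392, "ppid": 1, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js"},
    {"pid": 4672, "ppid": 392, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"'},
    {"pid": 3444, "ppid": 4672, "image": r"C:\Windows\system32\findstr.exe",
     "cmdline": r'findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""'},
    {"pid": 2416, "ppid": 4672, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": "certutil -f -decode jellyfascinated pastoraldisturbed.dll"},
    {"pid": 1760, "ppid": 4672, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "cmd /c rundll32 pastoraldisturbed.dll,x"},
    {"pid": 772, "ppid": 1760, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32 pastoraldisturbed.dll,x"},
    # Benign control (constructed): certutil doing certificate work, no script-host ancestor.
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": "certutil -store My"},
]

# cmd.exe copying a script-host file onto a .bat/.cmd name (the polyglot trick above).
COPY_SCRIPT_TO_BAT = re.compile(
    r'copy\s+"?[^"]*\.(?:js|jse|vbs|vbe|wsf)"?\s+"?[^"]*\.(?:bat|cmd)"?', re.I)
# certutil used as a Base64 decoder rather than for certificate management.
CERTUTIL_DECODE = re.compile(r"\s-decode\b", re.I)
# rundll32 invoking a named export of a DLL given by bare filename.
RUNDLL32_EXPORT = re.compile(r"\S+\.dll\s*,\s*\S+", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Parent, grandparent, ... of pid; stops at pids not present in the events."""
    out, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        out.append(cur)
    return out


def lineage(event, by_pid):
    """'root > ... > self' as image basenames, for the analyst reading the hit."""
    names = [_basename(a["image"]) for a in ancestors(event["pid"], by_pid)]
    names.reverse()
    names.append(_basename(event["image"]))
    return " > ".join(names)


def under_script_host(event, by_pid):
    return any(_basename(a["image"]) in SCRIPT_HOSTS
               for a in ancestors(event["pid"], by_pid))


def detect(events):
    """Return one hit per rule match: {'pid', 'rule', 'chain'}."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = _basename(e["image"]), e["cmdline"]
        rule = None
        if img == "cmd.exe" and COPY_SCRIPT_TO_BAT.search(cmd):
            rule = "script_copied_to_bat"
        elif img == "certutil.exe" and CERTUTIL_DECODE.search(cmd) and under_script_host(e, by_pid):
            rule = "certutil_decode_under_script_host"
        elif img == "rundll32.exe" and RUNDLL32_EXPORT.search(cmd) and under_script_host(e, by_pid):
            rule = "rundll32_export_under_script_host"
        if rule:
            hits.append({"pid": e["pid"], "rule": rule, "chain": lineage(e, by_pid)})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h["pid"], h["rule"], h["chain"])
```

The certutil and rundll32 rules deliberately require a script-host ancestor so that the benign `certutil -store` control is not flagged; the copy-to-.bat rule needs no such context, since renaming a .js to .bat and executing it has no legitimate administrative use.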
Processes
(indentation follows the parent/child pairs recorded under Suspicious use of WriteProcessMemory)

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js
  PID: 392
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"
    PID: 4672
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe
      findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""
      PID: 3444

    C:\Windows\system32\certutil.exe
      certutil -f -decode jellyfascinated pastoraldisturbed.dll
      PID: 2416

    C:\Windows\system32\cmd.exe
      cmd /c rundll32 pastoraldisturbed.dll,x
      PID: 1760
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe
        rundll32 pastoraldisturbed.dll,x
        PID: 772
        - Loads dropped DLL
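The command lines above spell out the unpack step: the .js is copied to rhythmmask.bat and executed as batch, findstr /V drops every line containing the marker formfamiliar, certutil -f -decode turns what is left into pastoraldisturbed.dll, and rundll32 calls its export x. The findstr output file (jellyfascinated) does not appear in the findstr command line because the redirection is handled by the parent cmd.exe. The following Python is an added example, not code from the report or from the sample: it reproduces the filter-and-decode step offline so the dropped DLL can be hashed and inspected without detonating the script. The input is constructed; it has only the marker-lines-plus-Base64 layout the chain implies, is not a working .js/.bat polyglot, and the payload is a stand-in that merely starts with the MZ signature.

```python
"""Offline reconstruction of `findstr /V <marker>` followed by `certutil -decode`.

Added example, not from the report or the sample. build_polyglot() makes a
constructed input with the layout the chain implies; FAKE_PAYLOAD stands in
for the real DLL and only shares its MZ signature.
"""
import base64
import hashlib
import re

MARKER = "formfamiliar"          # marker from the findstr /V command line above

# Constructed stand-in for the embedded DLL: MZ signature plus filler bytes.
FAKE_PAYLOAD = b"MZ" + bytes(range(256)) * 4

_PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def build_polyglot(payload, marker):
    """Constructed sample: every script line carries the marker, so filtering
    those lines out leaves only the Base64 body (PEM-style framing included,
    since certutil -decode accepts it). Not a runnable polyglot."""
    body = base64.b64encode(payload).decode()
    b64_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    lines = [
        f"// {marker} JScript half, run by wscript.exe",
        f"rem {marker} batch half, run after the copy to .bat",
        "-----BEGIN CERTIFICATE-----",
        *b64_lines,
        "-----END CERTIFICATE-----",
        f"@certutil -f -decode jellyfascinated pastoraldisturbed.dll & rem {marker}",
    ]
    return "\r\n".join(lines) + "\r\n"


def findstr_v(text, marker):
    """Emulate `findstr /V marker`: keep only lines that do NOT contain the marker."""
    return [ln for ln in text.splitlines() if marker not in ln]


def certutil_decode(lines):
    """Emulate the part of `certutil -decode` that matters here: ignore PEM
    header/trailer lines and whitespace, then Base64-decode what remains.
    validate=True makes stray non-Base64 lines fail loudly instead of being skipped."""
    chunks = []
    for ln in lines:
        s = ln.strip()
        if s and not _PEM_LINE.match(s):
            chunks.append(s)
    return base64.b64decode("".join(chunks), validate=True)


def extract_payload(polyglot_text, marker):
    """Full offline unpack: filter marker lines, decode the Base64 remainder."""
    return certutil_decode(findstr_v(polyglot_text, marker))


def is_pe(data):
    """Cheap sanity check before handing the blob to a PE parser."""
    return data[:2] == b"MZ"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    sample = build_polyglot(FAKE_PAYLOAD, MARKER)
    dropped = extract_payload(sample, MARKER)
    print(f"{len(dropped)} bytes, PE={is_pe(dropped)}, sha256={sha256(dropped)}")
```

To use it on the real sample, read INVOICE_17885_2045310320.js as text, call extract_payload with the marker taken from the findstr command line, and check is_pe before parsing the result; the hash you get can then be compared against the entries under Downloads. For orientation only: a 5.3MB Base64 body decodes to roughly three quarters of its size, which is in line with the 3.9MB entry there, but the report itself does not say which file that entry is.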
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5.2MB
MD5: f25ccc6a8ea2939b56ba49c565315a09
SHA1: dd7e6834d648fc6e23a4e786f663f6b8956822a0
SHA256: 650cf0f80f4a18c0ace89fcc09782c2cfbe3c5b4326dc30e731bf06325fbeee3
SHA512: d9da2bff35c1362b4b6422bc17ae8b5f264a697d0d4af9c3c8d8f7bcce8b327e994399f9fa619e9f63c66d505da73232c0832327b3b084c1fe6649f8761aca89

Filesize: 3.9MB
MD5: 8c895b48f64861004d2b88f62c01822f
SHA1: 00fee5c36ad5037b48d4ed031d485a1a20245258
SHA256: 20e1ff405cc7cae8fceb2a885198ce75db79f47a1e96972948a17a86ebf31345
SHA512: bc99b7fb3079bed612f0814267ed7acb6901e4259785abda4cf2e8ab50feb2c6a6012bb403ea521dd478783f76edd0bf2362feceed4bee06287aad55536c4697

Filesize: 5.3MB (the submitted sample)
MD5: a3134285c9755a420030fc7622e231e1
SHA1: eae99bc500c42855c20852865a1dec2f3dfff4d0
SHA256: a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4
SHA512: be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3