Analysis

max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2024 09:57

Static task: static1
Behavioral task: behavioral1
Sample: INVOICE_1877_1553532450.js
Resource: win7-20231215-en
General

Target: INVOICE_1877_1553532450.js
Size: 5.3MB
MD5: 34bcdbd3855b4a4354f3cd03e608440a
SHA1: 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
SHA256: 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
SHA512: 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7
SSDEEP: 24576:LioNDFYpmVzSyuXqoeJxJNK2Q9bAnWdvgTABkeW+3khCxsOwy2WHM+sJE9qP4e2g:r2map+5wnVBK3UbUt
Malware Config

Extracted
  strela
  193.109.85.77
Signatures

Loads dropped DLL (4 IoCs)
  pid   Process
  1656  rundll32.exe
  1656  rundll32.exe
  1656  rundll32.exe
  1656  rundll32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process      procid_target
  PID 1988 wrote to memory of 288    1988  wscript.exe  28
  PID 1988 wrote to memory of 288    1988  wscript.exe  28
  PID 1988 wrote to memory of 288    1988  wscript.exe  28
  PID 288 wrote to memory of 2460    288   cmd.exe      30
  PID 288 wrote to memory of 2460    288   cmd.exe      30
  PID 288 wrote to memory of 2460    288   cmd.exe      30
  PID 288 wrote to memory of 2200    288   cmd.exe      31
  PID 288 wrote to memory of 2200    288   cmd.exe      31
  PID 288 wrote to memory of 2200    288   cmd.exe      31
  PID 288 wrote to memory of 2344    288   cmd.exe      32
  PID 288 wrote to memory of 2344    288   cmd.exe      32
  PID 288 wrote to memory of 2344    288   cmd.exe      32
  PID 2344 wrote to memory of 1656   2344  cmd.exe      33
  PID 2344 wrote to memory of 1656   2344  cmd.exe      33
  PID 2344 wrote to memory of 1656   2344  cmd.exe      33
Processes

[depth 1] C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
   PID: 1988
   Signatures: Suspicious use of WriteProcessMemory

   [depth 2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
      PID: 288
      Signatures: Suspicious use of WriteProcessMemory

      [depth 3] C:\Windows\system32\findstr.exe
         Command line: findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
         PID: 2460

      [depth 3] C:\Windows\system32\certutil.exe
         Command line: certutil -f -decode mammothsofa bulbignorant.dll
         PID: 2200

      [depth 3] C:\Windows\system32\cmd.exe
         Command line: cmd /c rundll32 bulbignorant.dll,x
         PID: 2344
         Signatures: Suspicious use of WriteProcessMemory

         [depth 4] C:\Windows\system32\rundll32.exe
            Command line: rundll32 bulbignorant.dll,x
            PID: 1656
            Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.9MB
MD5: acbc87f5ccf78f85146fb26690299bd1
SHA1: 38d3f664f1a240937147e6870c1ad1478e761e62
SHA256: c7fd534680b7119ac17af963a6f3dfc97c3894808276f284e87385cf49b285ba
SHA512: 10f52a3fa495613e4fad514af7664e19df0420056d9b1d447ad779293b02658fee264fa0d383994f5b415f88cec7079d92ca9737cf4bdf30117b7130ca04bd5c

Filesize: 2.8MB
MD5: f881dc8019be31fdefa607eea19c521b
SHA1: 3f15ab42749f8bdfe1b330efa60f87dfc8b3fb0e
SHA256: 40d68d0aa11664fed7d0ce2ec88ad202fc8aeaed69e18f778f972dfe54428733
SHA512: 511c1286c282b609ad212a0b8c052a7f0670b559d75877fda38d88b77608634be522daefcb7662bec40dfce696b6696b5cad949318f81132ba3c536257c60c6e

Filesize: 5.3MB
MD5: 34bcdbd3855b4a4354f3cd03e608440a
SHA1: 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
SHA256: 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
SHA512: 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

Filesize: 5.2MB
MD5: 633c0f0851caf2cc44727718ba335e68
SHA1: 03447d779de01b237608abf5b1dc6892d36bc16c
SHA256: a440269f7867a54e58003b82929a525092827a6ab1d8d2cb298608b289c3beb9
SHA512: 928c1cb57f938c14b736c7002d6a6d51d2d3234501d466bc72432477c06077ef243d7819f99f4da1996291b3f1c31d134b83d98950427f594a65c2dc28fb029c