Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22-01-2024 09:57

General

  • Target

    INVOICE_1877_1553532450.js

  • Size

    5.3MB

  • MD5

    34bcdbd3855b4a4354f3cd03e608440a

  • SHA1

    6a8bf0531a981e6f567782801c5cfc0ef9f01a91

  • SHA256

    14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394

  • SHA512

    55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

  • SSDEEP

    24576:LioNDFYpmVzSyuXqoeJxJNK2Q9bAnWdvgTABkeW+3khCxsOwy2WHM+sJE9qP4e2g:r2map+5wnVBK3UbUt

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Windows\system32\findstr.exe
        findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
        3⤵
          PID:2460
        • C:\Windows\system32\certutil.exe
          certutil -f -decode mammothsofa bulbignorant.dll
          3⤵
            PID:2200
          • C:\Windows\system32\cmd.exe
            cmd /c rundll32 bulbignorant.dll,x
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2344
            • C:\Windows\system32\rundll32.exe
              rundll32 bulbignorant.dll,x
              4⤵
              • Loads dropped DLL
              PID:1656

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

        Filesize

        3.9MB

        MD5

        acbc87f5ccf78f85146fb26690299bd1

        SHA1

        38d3f664f1a240937147e6870c1ad1478e761e62

        SHA256

        c7fd534680b7119ac17af963a6f3dfc97c3894808276f284e87385cf49b285ba

        SHA512

        10f52a3fa495613e4fad514af7664e19df0420056d9b1d447ad779293b02658fee264fa0d383994f5b415f88cec7079d92ca9737cf4bdf30117b7130ca04bd5c

      • C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

        Filesize

        2.8MB

        MD5

        f881dc8019be31fdefa607eea19c521b

        SHA1

        3f15ab42749f8bdfe1b330efa60f87dfc8b3fb0e

        SHA256

        40d68d0aa11664fed7d0ce2ec88ad202fc8aeaed69e18f778f972dfe54428733

        SHA512

        511c1286c282b609ad212a0b8c052a7f0670b559d75877fda38d88b77608634be522daefcb7662bec40dfce696b6696b5cad949318f81132ba3c536257c60c6e

      • C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

        Filesize

        5.3MB

        MD5

        34bcdbd3855b4a4354f3cd03e608440a

        SHA1

        6a8bf0531a981e6f567782801c5cfc0ef9f01a91

        SHA256

        14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394

        SHA512

        55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

      • C:\Users\Admin\AppData\Local\Temp\mammothsofa

        Filesize

        5.2MB

        MD5

        633c0f0851caf2cc44727718ba335e68

        SHA1

        03447d779de01b237608abf5b1dc6892d36bc16c

        SHA256

        a440269f7867a54e58003b82929a525092827a6ab1d8d2cb298608b289c3beb9

        SHA512

        928c1cb57f938c14b736c7002d6a6d51d2d3234501d466bc72432477c06077ef243d7819f99f4da1996291b3f1c31d134b83d98950427f594a65c2dc28fb029c

      • memory/1656-8429-0x0000000000130000-0x0000000000151000-memory.dmp

        Filesize

        132KB

      • memory/1656-8428-0x000007FEF5990000-0x000007FEF5D7D000-memory.dmp

        Filesize

        3.9MB