Analysis

  • max time kernel
    93s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2024 09:57

General

  • Target

    INVOICE_1877_1553532450.js

  • Size

    5.3MB

  • MD5

    34bcdbd3855b4a4354f3cd03e608440a

  • SHA1

    6a8bf0531a981e6f567782801c5cfc0ef9f01a91

  • SHA256

    14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394

  • SHA512

    55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

  • SSDEEP

    24576:LioNDFYpmVzSyuXqoeJxJNK2Q9bAnWdvgTABkeW+3khCxsOwy2WHM+sJE9qP4e2g:r2map+5wnVBK3UbUt

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\system32\findstr.exe
        findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
        3⤵
          PID:1388
        • C:\Windows\system32\certutil.exe
          certutil -f -decode mammothsofa bulbignorant.dll
          3⤵
            PID:1420
          • C:\Windows\system32\cmd.exe
            cmd /c rundll32 bulbignorant.dll,x
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3260
      • C:\Windows\system32\rundll32.exe
        rundll32 bulbignorant.dll,x
        1⤵
        • Loads dropped DLL
        PID:1892

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

        Filesize

        1.9MB

        MD5

        7fdbd8e5f40aa26c7408acb5135e9ba6

        SHA1

        5f930542d15501871418a366950a047be575f6c7

        SHA256

        9db302ae39116a3cc5141b2a1e3d75f504b90d1e2a534e84b7d14d8fae50ead4

        SHA512

        584fe9740fb0f6911dc1c2a163781f616546d16236520b776af31a974ded10a9b74b463130e69fa90e7b900692a7dc2b6e4b5bade84c0e14bfd3222377f2bb40

      • C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

        Filesize

        2.3MB

        MD5

        5546cd9ff3bc480656fa5a10b24b52bd

        SHA1

        31a71df7f6b3f891cc0a86b0282bf92390c99889

        SHA256

        1044e9f48523fa7656749a7495ae041b47d14f6d800048831a3a2788064e0264

        SHA512

        5bd0aa223a1714d6478e8d2b3cd9002fe4b151bba233fc07da184d7209eafc3b104dcaac833595867517a5c8cf218f1a4d90b1318631a218db620b7454d4e0e7

      • C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

        Filesize

        1.5MB

        MD5

        400cf18ddcf85d59ef822b48410c6c9b

        SHA1

        5f3ec44cccacdd894f299dd8e674d3a7fc45e5d1

        SHA256

        6bae24e1e106d6baa2c18da16514573825af6487e08283b862ae9e862b1065b8

        SHA512

        dd8f9c7da4eac3f2b47da3f97e65d3ec7c99c4471edf0fc66b3764157bee6112f27cf16cdcbb12f49f9451f9e4b6fd87252f2b213cefb95ae46eaa6888229e3f

      • C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

        Filesize

        3.1MB

        MD5

        f9104f2cf870c336d319af8c9908673f

        SHA1

        ca2fed90d1697e69b1d98b924bc3f06433de9fa2

        SHA256

        32e23b71e2083b679cda0eef6c7fad5d3be4e9c2d748fb386c9d51f22726344b

        SHA512

        526e64749cf4ea55b2a3e6239999190bd84ba34ff70ce30a0b4da8d296652d527ec562f2abb7e136d146a2a02cd6ea9d5d07d91c7e60eed07e6b1ab5f8c4ec8e

      • C:\Users\Admin\AppData\Local\Temp\mammothsofa

        Filesize

        2.2MB

        MD5

        750009d104c5ce1e8bcb00d65e266c52

        SHA1

        7ec4778f49ce97b9774930f49ad08226eee3dd3a

        SHA256

        140a48ec38493e88764cfbf194261a6d34bb84cc4ec1bb85bff13d6342513468

        SHA512

        675c98c794f1b9a10aeae876b27f68c39166f84f5c4404940d9f397ea5315708a57e65d953b9fbcf3b2074fab9b273823cb2f92cde223482d38cf46e7b771ba1

      • memory/1892-8425-0x00007FFCA0520000-0x00007FFCA090D000-memory.dmp

        Filesize

        3.9MB

      • memory/1892-8426-0x0000013908060000-0x0000013908081000-memory.dmp

        Filesize

        132KB