Analysis
- max time kernel: 93s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-01-2024 09:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: INVOICE_1877_1553532450.js
- Resource: win7-20231215-en
General
- Target: INVOICE_1877_1553532450.js
- Size: 5.3MB
- MD5: 34bcdbd3855b4a4354f3cd03e608440a
- SHA1: 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
- SHA256: 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
- SHA512: 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7
- SSDEEP: 24576:LioNDFYpmVzSyuXqoeJxJNK2Q9bAnWdvgTABkeW+3khCxsOwy2WHM+sJE9qP4e2g:r2map+5wnVBK3UbUt
Malware Config
- Extracted: strela
- 193.109.85.77
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | wscript.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1892 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 2280 wrote to memory of 2100 | 2280 | wscript.exe | 86
  PID 2280 wrote to memory of 2100 | 2280 | wscript.exe | 86
  PID 2100 wrote to memory of 1388 | 2100 | cmd.exe | 98
  PID 2100 wrote to memory of 1388 | 2100 | cmd.exe | 98
  PID 2100 wrote to memory of 1420 | 2100 | cmd.exe | 99
  PID 2100 wrote to memory of 1420 | 2100 | cmd.exe | 99
  PID 2100 wrote to memory of 3260 | 2100 | cmd.exe | 101
  PID 2100 wrote to memory of 3260 | 2100 | cmd.exe | 101
  PID 3260 wrote to memory of 1892 | 3260 | cmd.exe | 100
  PID 3260 wrote to memory of 1892 | 3260 | cmd.exe | 100
Processes
- C:\Windows\system32\wscript.exe (level 1, PID: 2280)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (level 2, PID: 2100)
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe (level 3, PID: 1388)
      Command line: findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
    - C:\Windows\system32\certutil.exe (level 3, PID: 1420)
      Command line: certutil -f -decode mammothsofa bulbignorant.dll
    - C:\Windows\system32\cmd.exe (level 3, PID: 3260)
      Command line: cmd /c rundll32 bulbignorant.dll,x
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\rundll32.exe (level 1, PID: 1892)
  Command line: rundll32 bulbignorant.dll,x
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads