Analysis Overview
SHA256
14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
Threat Level: Known bad
The file INVOICE_1877_1553532450.js was found to be: Known bad.
Malicious Activity Summary
Strela
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 09:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 09:57
Reported
2024-01-22 09:59
Platform
win7-20231215-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes (parent → child, indented)
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
        C:\Windows\system32\findstr.exe
        findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
        C:\Windows\system32\certutil.exe
        certutil -f -decode mammothsofa bulbignorant.dll
        C:\Windows\system32\cmd.exe
        cmd /c rundll32 bulbignorant.dll,x
            C:\Windows\system32\rundll32.exe
            rundll32 bulbignorant.dll,x
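The process tree above is the whole unpacking chain: the .js is copied to a .bat, `findstr /V skillfulmerciful` keeps only the lines that do not carry the marker (the base64 body, written to `mammothsofa`), `certutil -f -decode` turns that into `bulbignorant.dll`, and `rundll32` calls its export `x`. The same two filtering and decoding steps can be replayed offline to carve the DLL without detonating the script. The Python below is an added example, not part of this report or of the sample; the marker and file names come from the command lines above, the dropper it parses is constructed in the block, and the `"%~f0"` redirection line is an assumption about how such a polyglot feeds findstr (the redirect is not visible in the sandbox's command lines).

```python
"""Offline re-creation of the dropper's own extraction steps
(`findstr /V <marker>` followed by `certutil -f -decode`), so the
embedded DLL can be carved from the script without running it.
Added example; the sample dropper below is constructed, not the
INVOICE_*.js from this report."""
import base64
import binascii
import hashlib
import re

MARKER = "skillfulmerciful"  # from the findstr command line in this report

# certutil -decode ignores PEM-style armour lines; mimic that tolerance.
_ARMOUR = re.compile(rb"^-----(BEGIN|END) [^-]+-----\s*$")


def carve_payload(dropper: bytes, marker: str = MARKER) -> bytes:
    """Emulate `findstr /V marker` and then `certutil -decode`.

    findstr /V prints only the lines that do NOT contain the marker, which
    strips the script plumbing and leaves the base64 body (what the dropper
    writes to `mammothsofa`). certutil then base64-decodes that body.
    Raises ValueError when what remains is not clean base64, e.g. a wrong
    marker or a dropper with a different encoding layer.
    """
    m = marker.encode()
    kept = [ln.strip() for ln in dropper.splitlines() if m not in ln]
    body = b"".join(ln for ln in kept if ln and not _ARMOUR.match(ln))
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"filtered body is not clean base64: {exc}") from exc


def looks_like_pe(blob: bytes) -> bool:
    """A DLL that rundll32 can load must be a PE image: check the MZ stub."""
    return len(blob) > 0x40 and blob[:2] == b"MZ"


def sha256_hex(blob: bytes) -> str:
    """Hash the carved file so it can be matched against the Files section."""
    return hashlib.sha256(blob).hexdigest()


# ---- constructed sample: a minimal polyglot shaped like the one in this report ----
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 64  # not a real DLL
_B64 = base64.b64encode(FAKE_DLL)
FAKE_DROPPER = (
    b"// skillfulmerciful JScript plumbing line (carries the marker, so findstr drops it)\r\n"
    b"rem skillfulmerciful batch plumbing line\r\n"
    b'findstr /V skillfulmerciful "%~f0" > mammothsofa & rem skillfulmerciful\r\n'  # assumed redirect
    b"certutil -f -decode mammothsofa bulbignorant.dll & rem skillfulmerciful\r\n"
    b"-----BEGIN CERTIFICATE-----\r\n"
    + b"\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + b"\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    dll = carve_payload(FAKE_DROPPER)
    print("PE header present:", looks_like_pe(dll))
    print("sha256:", sha256_hex(dll))
```

Run it against a real dropper by reading the .js as bytes and comparing `sha256_hex()` of the result with the `bulbignorant.dll` hashes listed under Files; a mismatch usually means the marker or the armour handling differs from what the sandbox command line shows.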
Network
Files
C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat
| MD5 | f881dc8019be31fdefa607eea19c521b |
| SHA1 | 3f15ab42749f8bdfe1b330efa60f87dfc8b3fb0e |
| SHA256 | 40d68d0aa11664fed7d0ce2ec88ad202fc8aeaed69e18f778f972dfe54428733 |
| SHA512 | 511c1286c282b609ad212a0b8c052a7f0670b559d75877fda38d88b77608634be522daefcb7662bec40dfce696b6696b5cad949318f81132ba3c536257c60c6e |
C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat
| MD5 | 34bcdbd3855b4a4354f3cd03e608440a |
| SHA1 | 6a8bf0531a981e6f567782801c5cfc0ef9f01a91 |
| SHA256 | 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394 |
| SHA512 | 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7 |
C:\Users\Admin\AppData\Local\Temp\mammothsofa
| MD5 | 633c0f0851caf2cc44727718ba335e68 |
| SHA1 | 03447d779de01b237608abf5b1dc6892d36bc16c |
| SHA256 | a440269f7867a54e58003b82929a525092827a6ab1d8d2cb298608b289c3beb9 |
| SHA512 | 928c1cb57f938c14b736c7002d6a6d51d2d3234501d466bc72432477c06077ef243d7819f99f4da1996291b3f1c31d134b83d98950427f594a65c2dc28fb029c |
C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| MD5 | acbc87f5ccf78f85146fb26690299bd1 |
| SHA1 | 38d3f664f1a240937147e6870c1ad1478e761e62 |
| SHA256 | c7fd534680b7119ac17af963a6f3dfc97c3894808276f284e87385cf49b285ba |
| SHA512 | 10f52a3fa495613e4fad514af7664e19df0420056d9b1d447ad779293b02658fee264fa0d383994f5b415f88cec7079d92ca9737cf4bdf30117b7130ca04bd5c |
memory/1656-8429-0x0000000000130000-0x0000000000151000-memory.dmp
memory/1656-8428-0x000007FEF5990000-0x000007FEF5D7D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 09:57
Reported
2024-01-22 09:59
Platform
win10v2004-20231222-en
Max time kernel
93s
Max time network
148s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes (parent → child, indented)
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
        C:\Windows\system32\findstr.exe
        findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
        C:\Windows\system32\certutil.exe
        certutil -f -decode mammothsofa bulbignorant.dll
        C:\Windows\system32\cmd.exe
        cmd /c rundll32 bulbignorant.dll,x
            C:\Windows\system32\rundll32.exe
            rundll32 bulbignorant.dll,x
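The same chain is what a detection should key on: a script host (wscript.exe) whose descendants copy a .js onto a .bat, run `certutil -decode`, and launch `rundll32` with a DLL given by bare relative name and a one-letter export. Each step alone is a legitimate LOLBin use; the ancestry is what makes it malicious. The Python below is an added example, not part of this report: it runs that logic over constructed process-creation events (Sysmon event 1 style fields) whose command lines are copied from the tree above, plus one benign `certutil -decode` under explorer.exe as a control. PIDs and the event field names are assumptions.

```python
"""Process-ancestry detection for the .js -> .bat -> certutil -> rundll32
chain shown in this report. Added example; the events are constructed
(command lines copied from the report, PIDs invented)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _ancestor_names(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Set[str]:
    """Walk the parent chain, bounded so recycled or cyclic PIDs cannot loop."""
    names, cur = set(), ev
    for _ in range(64):
        parent = by_pid.get(cur.ppid)
        if parent is None or parent is cur:
            break
        names.add(_name(parent.image))
        cur = parent
    return names


def detect_polyglot_loader(events: Iterable[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for each stage of the chain found under a script host."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for ev in events:
        name, cl = _name(ev.image), ev.cmdline
        if not (_ancestor_names(ev, by_pid) & SCRIPT_HOSTS):
            continue  # every rule below requires a script-host ancestor
        if name == "cmd.exe" and re.search(r"\bcopy\b[^&]*\.js[\"']?\s+[^&]*\.bat", cl, re.I):
            hits.append(("script_copied_to_batch", ev.pid))
        elif name == "certutil.exe" and re.search(r"(^|\s)-decode(\s|$)", cl, re.I):
            hits.append(("certutil_decode_under_script_host", ev.pid))
        elif name == "rundll32.exe":
            m = re.search(r"rundll32(?:\.exe)?\"?\s+\"?([^\s\",]+\.dll)\"?,(\w+)", cl, re.I)
            # DLL named relatively (resolved from the CWD, here %TEMP%) rather than by full path
            if m and not re.match(r"^[a-z]:\\", m.group(1), re.I):
                hits.append(("rundll32_relative_dll_under_script_host", ev.pid))
    return hits


# ---- constructed events; command lines copied from this report, PIDs invented ----
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js"),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" '
              r'"C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"'),
    ProcEvent(102, 101, r"C:\Windows\system32\findstr.exe",
              r'findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""'),
    ProcEvent(103, 101, r"C:\Windows\system32\certutil.exe", "certutil -f -decode mammothsofa bulbignorant.dll"),
    ProcEvent(104, 101, r"C:\Windows\system32\cmd.exe", "cmd /c rundll32 bulbignorant.dll,x"),
    ProcEvent(105, 104, r"C:\Windows\system32\rundll32.exe", "rundll32 bulbignorant.dll,x"),
    # benign control: certutil -decode run interactively, no script-host ancestor
    ProcEvent(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, r"C:\Windows\system32\certutil.exe", "certutil -decode in.txt out.bin"),
]

if __name__ == "__main__":
    for rule, pid in detect_polyglot_loader(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Note that `findstr` gets no rule of its own: filtering a file is too common to alert on, and the redirect to `mammothsofa` is not in the command line anyway. A file-creation event for a freshly written .dll in `%TEMP%` followed by the rundll32 image load (the "Loads dropped DLL" signature above) would be the stronger corroborating signal if the telemetry has it.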
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat
| MD5 | 400cf18ddcf85d59ef822b48410c6c9b |
| SHA1 | 5f3ec44cccacdd894f299dd8e674d3a7fc45e5d1 |
| SHA256 | 6bae24e1e106d6baa2c18da16514573825af6487e08283b862ae9e862b1065b8 |
| SHA512 | dd8f9c7da4eac3f2b47da3f97e65d3ec7c99c4471edf0fc66b3764157bee6112f27cf16cdcbb12f49f9451f9e4b6fd87252f2b213cefb95ae46eaa6888229e3f |
C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat
| MD5 | f9104f2cf870c336d319af8c9908673f |
| SHA1 | ca2fed90d1697e69b1d98b924bc3f06433de9fa2 |
| SHA256 | 32e23b71e2083b679cda0eef6c7fad5d3be4e9c2d748fb386c9d51f22726344b |
| SHA512 | 526e64749cf4ea55b2a3e6239999190bd84ba34ff70ce30a0b4da8d296652d527ec562f2abb7e136d146a2a02cd6ea9d5d07d91c7e60eed07e6b1ab5f8c4ec8e |
C:\Users\Admin\AppData\Local\Temp\mammothsofa
| MD5 | 750009d104c5ce1e8bcb00d65e266c52 |
| SHA1 | 7ec4778f49ce97b9774930f49ad08226eee3dd3a |
| SHA256 | 140a48ec38493e88764cfbf194261a6d34bb84cc4ec1bb85bff13d6342513468 |
| SHA512 | 675c98c794f1b9a10aeae876b27f68c39166f84f5c4404940d9f397ea5315708a57e65d953b9fbcf3b2074fab9b273823cb2f92cde223482d38cf46e7b771ba1 |
C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| MD5 | 7fdbd8e5f40aa26c7408acb5135e9ba6 |
| SHA1 | 5f930542d15501871418a366950a047be575f6c7 |
| SHA256 | 9db302ae39116a3cc5141b2a1e3d75f504b90d1e2a534e84b7d14d8fae50ead4 |
| SHA512 | 584fe9740fb0f6911dc1c2a163781f616546d16236520b776af31a974ded10a9b74b463130e69fa90e7b900692a7dc2b6e4b5bade84c0e14bfd3222377f2bb40 |
C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| MD5 | 5546cd9ff3bc480656fa5a10b24b52bd |
| SHA1 | 31a71df7f6b3f891cc0a86b0282bf92390c99889 |
| SHA256 | 1044e9f48523fa7656749a7495ae041b47d14f6d800048831a3a2788064e0264 |
| SHA512 | 5bd0aa223a1714d6478e8d2b3cd9002fe4b151bba233fc07da184d7209eafc3b104dcaac833595867517a5c8cf218f1a4d90b1318631a218db620b7454d4e0e7 |
memory/1892-8425-0x00007FFCA0520000-0x00007FFCA090D000-memory.dmp
memory/1892-8426-0x0000013908060000-0x0000013908081000-memory.dmp