Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2024 09:56
Static task: static1
Behavioral task: behavioral1
Sample: INVOICE_1877_1553532450.js
Resource: win7-20231215-en
General
Target: INVOICE_1877_1553532450.js
Size: 5.3MB
MD5: 34bcdbd3855b4a4354f3cd03e608440a
SHA1: 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
SHA256: 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
SHA512: 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7
SSDEEP: 24576:LioNDFYpmVzSyuXqoeJxJNK2Q9bAnWdvgTABkeW+3khCxsOwy2WHM+sJE9qP4e2g:r2map+5wnVBK3UbUt
Malware Config
Extracted
Family: strela
C2: 193.109.85.77
Signatures
- Loads dropped DLL (4 IoCs)
  pid   Process
  1752  rundll32.exe   (logged 4 times)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (15 IoCs; each event below was logged 3 times)
  description                          pid   Process       procid_target
  PID 2032 wrote to memory of 2184     2032  wscript.exe   28
  PID 2184 wrote to memory of 1604     2184  cmd.exe       30
  PID 2184 wrote to memory of 2508     2184  cmd.exe       31
  PID 2184 wrote to memory of 832      2184  cmd.exe       33
  PID 832 wrote to memory of 1752      832   cmd.exe       32
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
  PID: 2032
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
    PID: 2184
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe
      Command line: findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
      PID: 1604
    - C:\Windows\system32\certutil.exe
      Command line: certutil -f -decode mammothsofa bulbignorant.dll
      PID: 2508
    - C:\Windows\system32\cmd.exe
      Command line: cmd /c rundll32 bulbignorant.dll,x
      PID: 832
      Signatures: Suspicious use of WriteProcessMemory
- C:\Windows\system32\rundll32.exe
  Command line: rundll32 bulbignorant.dll,x
  PID: 1752
  Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads