Analysis

  • max time kernel
    92s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2024 09:56

General

  • Target

    INVOICE_1877_1553532450.js

  • Size

    5.3MB

  • MD5

    34bcdbd3855b4a4354f3cd03e608440a

  • SHA1

    6a8bf0531a981e6f567782801c5cfc0ef9f01a91

  • SHA256

    14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394

  • SHA512

    55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

  • SSDEEP

    24576:LioNDFYpmVzSyuXqoeJxJNK2Q9bAnWdvgTABkeW+3khCxsOwy2WHM+sJE9qP4e2g:r2map+5wnVBK3UbUt

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\system32\findstr.exe
        findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
        3⤵
          PID:892
        • C:\Windows\system32\certutil.exe
          certutil -f -decode mammothsofa bulbignorant.dll
          3⤵
            PID:1520
          • C:\Windows\system32\cmd.exe
            cmd /c rundll32 bulbignorant.dll,x
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4220
            • C:\Windows\system32\rundll32.exe
              rundll32 bulbignorant.dll,x
              4⤵
              • Loads dropped DLL
              PID:3120

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

        Filesize

        3.9MB

        MD5

        acbc87f5ccf78f85146fb26690299bd1

        SHA1

        38d3f664f1a240937147e6870c1ad1478e761e62

        SHA256

        c7fd534680b7119ac17af963a6f3dfc97c3894808276f284e87385cf49b285ba

        SHA512

        10f52a3fa495613e4fad514af7664e19df0420056d9b1d447ad779293b02658fee264fa0d383994f5b415f88cec7079d92ca9737cf4bdf30117b7130ca04bd5c

      • C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

        Filesize

        5.3MB

        MD5

        34bcdbd3855b4a4354f3cd03e608440a

        SHA1

        6a8bf0531a981e6f567782801c5cfc0ef9f01a91

        SHA256

        14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394

        SHA512

        55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

      • C:\Users\Admin\AppData\Local\Temp\mammothsofa

        Filesize

        5.2MB

        MD5

        633c0f0851caf2cc44727718ba335e68

        SHA1

        03447d779de01b237608abf5b1dc6892d36bc16c

        SHA256

        a440269f7867a54e58003b82929a525092827a6ab1d8d2cb298608b289c3beb9

        SHA512

        928c1cb57f938c14b736c7002d6a6d51d2d3234501d466bc72432477c06077ef243d7819f99f4da1996291b3f1c31d134b83d98950427f594a65c2dc28fb029c

      • memory/3120-8425-0x000001BBDBF00000-0x000001BBDBF21000-memory.dmp

        Filesize

        132KB

      • memory/3120-8426-0x00007FFE0A1D0000-0x00007FFE0A5BD000-memory.dmp

        Filesize

        3.9MB