Analysis
max time kernel: 92s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2024 09:56
Static task: static1
Behavioral task: behavioral1
Sample: INVOICE_1877_1553532450.js
Resource: win7-20231215-en
General
Target: INVOICE_1877_1553532450.js
Size: 5.3MB
MD5: 34bcdbd3855b4a4354f3cd03e608440a
SHA1: 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
SHA256: 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
SHA512: 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7
SSDEEP: 24576:LioNDFYpmVzSyuXqoeJxJNK2Q9bAnWdvgTABkeW+3khCxsOwy2WHM+sJE9qP4e2g:r2map+5wnVBK3UbUt
Malware Config
Extracted family: strela
C2 (extracted): 193.109.85.77
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried | Process
\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | wscript.exe

Loads dropped DLL (1 IoC)
PID | Process
3120 | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 1304 wrote to memory of 2968 | 1304 | wscript.exe | 86
PID 1304 wrote to memory of 2968 | 1304 | wscript.exe | 86
PID 2968 wrote to memory of 892 | 2968 | cmd.exe | 97
PID 2968 wrote to memory of 892 | 2968 | cmd.exe | 97
PID 2968 wrote to memory of 1520 | 2968 | cmd.exe | 98
PID 2968 wrote to memory of 1520 | 2968 | cmd.exe | 98
PID 2968 wrote to memory of 4220 | 2968 | cmd.exe | 99
PID 2968 wrote to memory of 4220 | 2968 | cmd.exe | 99
PID 4220 wrote to memory of 3120 | 4220 | cmd.exe | 100
PID 4220 wrote to memory of 3120 | 4220 | cmd.exe | 100
Processes
1. C:\Windows\system32\wscript.exe (PID 1304)
   command: wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe (PID 2968)
      command: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\findstr.exe (PID 892)
         command: findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
      3. C:\Windows\system32\certutil.exe (PID 1520)
         command: certutil -f -decode mammothsofa bulbignorant.dll
      3. C:\Windows\system32\cmd.exe (PID 4220)
         command: cmd /c rundll32 bulbignorant.dll,x
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\rundll32.exe (PID 3120)
            command: rundll32 bulbignorant.dll,x
            - Loads dropped DLL
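Static reconstruction of the chain in the tree above, as an added example (Python; not the sandbox's code and not the sample itself). It pulls the marker word, base64 carrier and DLL name out of the command lines listed, emulates `findstr /V` followed by `certutil -decode` on a constructed polyglot of the same shape so the dropped DLL can be recovered without running the script, and flags certutil/rundll32 processes that descend from wscript.exe. Assumptions: that findstr's output is redirected into `mammothsofa` (cmd.exe handles the `>` itself, so it never shows up in findstr's own command line); the toy polyglot's layout, the payload bytes, and the parent PID of wscript.exe (set to 0) are constructed, since the report does not show them.

```python
"""Offline reconstruction of the INVOICE_1877_1553532450.js loader chain.

Added example, not code from the sandbox or from the sample. The redirect
of findstr's output into `mammothsofa` is inferred; the polyglot built in
build_polyglot() is a constructed toy, not the real sample's layout.
"""
import base64
import re
from typing import Dict, List

FINDSTR_RE = re.compile(r'findstr\s+/V\s+(\S+)\s+"+([^"]+)"+', re.I)
CERTUTIL_RE = re.compile(r'certutil\s+-f\s+-decode\s+(\S+)\s+(\S+)', re.I)
RUNDLL_RE = re.compile(r'rundll32\s+(\S+?),(\S+)', re.I)
PEM_RE = re.compile(r'-----BEGIN [^-]+-----(.*?)-----END [^-]+-----', re.S)

# Command lines copied from the Processes section; ppid 0 for wscript.exe is assumed.
REPORT_PROCS: List[Dict] = [
    {"pid": 1304, "ppid": 0, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js"},
    {"pid": 2968, "ppid": 1304, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"'},
    {"pid": 892, "ppid": 2968, "image": "findstr.exe",
     "cmdline": r'findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""'},
    {"pid": 1520, "ppid": 2968, "image": "certutil.exe",
     "cmdline": "certutil -f -decode mammothsofa bulbignorant.dll"},
    {"pid": 4220, "ppid": 2968, "image": "cmd.exe",
     "cmdline": "cmd /c rundll32 bulbignorant.dll,x"},
    {"pid": 3120, "ppid": 4220, "image": "rundll32.exe",
     "cmdline": "rundll32 bulbignorant.dll,x"},
]


def parse_stage_commands(procs: List[Dict]) -> Dict[str, str]:
    """Pull the marker word, base64 carrier, DLL name and export out of the command lines."""
    out: Dict[str, str] = {}
    for p in procs:
        c = p["cmdline"]
        if (m := FINDSTR_RE.search(c)):
            out["marker"], out["bat"] = m.group(1), m.group(2)
        elif (m := CERTUTIL_RE.search(c)):
            out["b64_input"], out["dll"] = m.group(1), m.group(2)
        elif p["image"].lower() == "rundll32.exe" and (m := RUNDLL_RE.search(c)):
            out["dll_loaded"], out["export"] = m.group(1), m.group(2)
    return out


def flag_wscript_descendants(procs: List[Dict]) -> List[int]:
    """PIDs of certutil -decode / rundll32 <dll>,<export> processes whose ancestry includes wscript.exe."""
    by_pid = {p["pid"]: p for p in procs}

    def has_wscript_ancestor(p: Dict) -> bool:
        while p["ppid"] in by_pid:
            p = by_pid[p["ppid"]]
            if p["image"].lower() == "wscript.exe":
                return True
        return False

    flagged = []
    for p in procs:
        img = p["image"].lower()
        suspicious = (img == "certutil.exe" and CERTUTIL_RE.search(p["cmdline"])) or \
                     (img == "rundll32.exe" and RUNDLL_RE.search(p["cmdline"]))
        if suspicious and has_wscript_ancestor(p):
            flagged.append(p["pid"])
    return flagged


def emulate_findstr_v(text: str, marker: str) -> str:
    """findstr /V <marker>: keep only lines that do not contain the marker
    (the marker is plain alphanumerics, so a literal match is equivalent here)."""
    return "\n".join(line for line in text.splitlines() if marker not in line) + "\n"


def emulate_certutil_decode(text: str) -> bytes:
    """certutil -decode: base64-decode the PEM body when headers are present,
    otherwise the whole file; whitespace is ignored either way."""
    m = PEM_RE.search(text)
    body = m.group(1) if m else text
    return base64.b64decode(re.sub(r"\s+", "", body))


FAKE_DLL = b"MZ" + bytes(range(256)) * 4  # constructed stand-in for bulbignorant.dll


def build_polyglot(marker: str, payload: bytes) -> str:
    """Constructed toy with the shape the chain implies: script lines tagged with the
    marker (so findstr /V drops them) wrapped around a PEM-framed base64 blob."""
    b64 = base64.encodebytes(payload).decode()
    return (
        f"// {marker}: every line carrying this word is script, not payload\n"
        f"var sh = new ActiveXObject('WScript.Shell'); // {marker}\n"
        f"/* {marker}\n"
        "-----BEGIN CERTIFICATE-----\n"
        f"{b64}"
        "-----END CERTIFICATE-----\n"
        f"{marker} */\n"
    )


def reconstruct_dll(polyglot: str, marker: str) -> bytes:
    """Depth-3 stages of the tree (findstr /V, then certutil -decode) without executing anything."""
    return emulate_certutil_decode(emulate_findstr_v(polyglot, marker))


if __name__ == "__main__":
    stages = parse_stage_commands(REPORT_PROCS)
    dll = reconstruct_dll(build_polyglot(stages["marker"], FAKE_DLL), stages["marker"])
    print(stages, dll[:2], len(dll), flag_wscript_descendants(REPORT_PROCS))
```

Against the real sample, point `emulate_findstr_v` at the .js file with the marker `skillfulmerciful` and feed the result to `emulate_certutil_decode`; the output should be the DLL that rundll32 loads via export `x`, which can then be hashed and compared with the Downloads section.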
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 3.9MB
MD5: acbc87f5ccf78f85146fb26690299bd1
SHA1: 38d3f664f1a240937147e6870c1ad1478e761e62
SHA256: c7fd534680b7119ac17af963a6f3dfc97c3894808276f284e87385cf49b285ba
SHA512: 10f52a3fa495613e4fad514af7664e19df0420056d9b1d447ad779293b02658fee264fa0d383994f5b415f88cec7079d92ca9737cf4bdf30117b7130ca04bd5c

File 2 (same hashes as the submitted sample)
Filesize: 5.3MB
MD5: 34bcdbd3855b4a4354f3cd03e608440a
SHA1: 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
SHA256: 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
SHA512: 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

File 3
Filesize: 5.2MB
MD5: 633c0f0851caf2cc44727718ba335e68
SHA1: 03447d779de01b237608abf5b1dc6892d36bc16c
SHA256: a440269f7867a54e58003b82929a525092827a6ab1d8d2cb298608b289c3beb9
SHA512: 928c1cb57f938c14b736c7002d6a6d51d2d3234501d466bc72432477c06077ef243d7819f99f4da1996291b3f1c31d134b83d98950427f594a65c2dc28fb029c