Analysis Overview
SHA256
14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
Threat Level: Known bad
The file INVOICE_1877_1553532450.js was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 09:56
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 09:56
Reported
2024-01-22 09:58
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
140s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
C:\Windows\system32\findstr.exe
findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode mammothsofa bulbignorant.dll
C:\Windows\system32\cmd.exe
cmd /c rundll32 bulbignorant.dll,x
C:\Windows\system32\rundll32.exe
rundll32 bulbignorant.dll,x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat
| Hash | Value |
| --- | --- |
| MD5 | 34bcdbd3855b4a4354f3cd03e608440a |
| SHA1 | 6a8bf0531a981e6f567782801c5cfc0ef9f01a91 |
| SHA256 | 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394 |
| SHA512 | 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7 |
C:\Users\Admin\AppData\Local\Temp\mammothsofa
| Hash | Value |
| --- | --- |
| MD5 | 633c0f0851caf2cc44727718ba335e68 |
| SHA1 | 03447d779de01b237608abf5b1dc6892d36bc16c |
| SHA256 | a440269f7867a54e58003b82929a525092827a6ab1d8d2cb298608b289c3beb9 |
| SHA512 | 928c1cb57f938c14b736c7002d6a6d51d2d3234501d466bc72432477c06077ef243d7819f99f4da1996291b3f1c31d134b83d98950427f594a65c2dc28fb029c |
C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| Hash | Value |
| --- | --- |
| MD5 | acbc87f5ccf78f85146fb26690299bd1 |
| SHA1 | 38d3f664f1a240937147e6870c1ad1478e761e62 |
| SHA256 | c7fd534680b7119ac17af963a6f3dfc97c3894808276f284e87385cf49b285ba |
| SHA512 | 10f52a3fa495613e4fad514af7664e19df0420056d9b1d447ad779293b02658fee264fa0d383994f5b415f88cec7079d92ca9737cf4bdf30117b7130ca04bd5c |
memory/3120-8425-0x000001BBDBF00000-0x000001BBDBF21000-memory.dmp
memory/3120-8426-0x00007FFE0A1D0000-0x00007FFE0A5BD000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 09:56
Reported
2024-01-22 09:58
Platform
win7-20231215-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"
C:\Windows\system32\findstr.exe
findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode mammothsofa bulbignorant.dll
C:\Windows\system32\rundll32.exe
rundll32 bulbignorant.dll,x
C:\Windows\system32\cmd.exe
cmd /c rundll32 bulbignorant.dll,x
Network
Files
C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat
| Hash | Value |
| --- | --- |
| MD5 | 34bcdbd3855b4a4354f3cd03e608440a |
| SHA1 | 6a8bf0531a981e6f567782801c5cfc0ef9f01a91 |
| SHA256 | 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394 |
| SHA512 | 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7 |
C:\Users\Admin\AppData\Local\Temp\mammothsofa
| Hash | Value |
| --- | --- |
| MD5 | e21b5c6bac40e2ec146ef620ad02dde8 |
| SHA1 | e94d363c8844625ed6acef47fc9ab7e7dddc7377 |
| SHA256 | 87e26762e465a7fc7282dfae09242dcc75976e962970267c2f48b0a5b6b3572b |
| SHA512 | 04aad76625311d2e84c27b5767f5b4dd09f6d7c506846771cc79a11bcdd5472e1c443ea728563ae5cf38eb7ef04b1ca39e2d86254706433f698430d4c45a19ea |
\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| Hash | Value |
| --- | --- |
| MD5 | 46642952fa262ca4e0844a2fe0c54e1e |
| SHA1 | fd4da231f254e7d6ca65fc913d719d452501e1fb |
| SHA256 | 34bfce64c2574369b55dbf7ca8752e3c471dfa47b8f0f3d56ab912d353a056f0 |
| SHA512 | 5f2a38770cde7e0cec4e6185732483b9cd597eee3ecc9a1410b42f5bf551cb56d7b5afddae4873f0318bbb4f1fdc20e60a2643c20a88ae1cc30a9303feb4f751 |
\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| Hash | Value |
| --- | --- |
| MD5 | a3802219f765f8f95acf07631157bdc1 |
| SHA1 | 5d403afc687c79a3e2c9599694741ebbea7b5551 |
| SHA256 | eddd400a18573d6e3aa40d74d5129bda7ab82c73a0cc990f6ec7457c7d7afb71 |
| SHA512 | b1a46696232c92fc8ecd4eb44ca89361e4ce5aa3a0f20fba2db6bf62467cc2654bbe9806f0dbcb756ab26ba7783b7404c7749cf069d96361b03863f06ef4efc9 |
\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| Hash | Value |
| --- | --- |
| MD5 | fded28bebeff090c0750343fa2520d80 |
| SHA1 | 18207a4911c05227f684250d14a231a1867c1fed |
| SHA256 | f84c433903066c233beb045fcb51900a14912e504b5f3bbb8451464b5a217edb |
| SHA512 | 88a221f7b44209bb03a13a6822350e357564d99ae49ca32c26030c5367eeab83fdb4f2ed3225d9f5098ff1c36bb5d2258c9ea6a2bece8cbd7ef2387efd2ecfde |
\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| Hash | Value |
| --- | --- |
| MD5 | 91a3388be51fcc22488e6e9f6add380d |
| SHA1 | 25e9a7f242c46ed4d11b34ec6ba516dd3fb8c12b |
| SHA256 | 11401d2b617560eb0f0ef8dc10e8227b38bb776b38e981a98c192a3df7da8eca |
| SHA512 | 8440c3889245024964ef3c2e6edacc4d5c48a73ba53364d9d437632f798c7709e62560d829daef2b193ccc87c35252e6f8073efb332b24968b02fdc0d489c334 |
C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll
| Hash | Value |
| --- | --- |
| MD5 | 65f4beaa7dd2e5be8bd2eccb6e6cc379 |
| SHA1 | abe54331e07280aa68ba112e2e62187a59c2cda3 |
| SHA256 | 342ca73c209f9d14445bd4a1b1cc64bda7abfb967d89b9ab0e44fd027e3c715a |
| SHA512 | f1326456a5691e9d9fe6d1c41cdf1373b1f655a6ad9f6bb797b5575a2df11d36f654c4040569eef069cd5c865275f3a3492192847a6fc4481a2154e354d4c477 |
C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat
| Hash | Value |
| --- | --- |
| MD5 | ac14b66d774f70e29cac9af53dab33c2 |
| SHA1 | ac477815ed02b141b70298814eff893d06be484c |
| SHA256 | 21c0621f937294693c563446723a7f4337f549217dd55ce69338d179af23a9c8 |
| SHA512 | f7ae2a6948c58bf56be5b927be1461bec5177bd6816920d29d95d933696640ce1939e522d43f6035dc146bddfe6294d56aaa0d9dc25b0867f8029cd50397638f |
memory/1752-8429-0x0000000001AC0000-0x0000000001AE1000-memory.dmp
memory/1752-8428-0x000007FEF5AB0000-0x000007FEF5E9D000-memory.dmp