Malware Analysis Report

2025-01-18 09:30

Sample ID 240122-lyck4aeah7
Target INVOICE_1877_1553532450.js
SHA256 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394

Threat Level: Known bad

The file INVOICE_1877_1553532450.js was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 09:56

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 09:56

Reported

2024-01-22 09:58

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

140s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js

Signatures

Strela

stealer strela

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1304 wrote to memory of 2968 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 1304 wrote to memory of 2968 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2968 wrote to memory of 892 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2968 wrote to memory of 892 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2968 wrote to memory of 1520 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2968 wrote to memory of 1520 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2968 wrote to memory of 4220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 4220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 3120 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4220 wrote to memory of 3120 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"

C:\Windows\system32\findstr.exe

findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode mammothsofa bulbignorant.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 bulbignorant.dll,x

C:\Windows\system32\rundll32.exe

rundll32 bulbignorant.dll,x

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

MD5 34bcdbd3855b4a4354f3cd03e608440a
SHA1 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
SHA256 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
SHA512 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

C:\Users\Admin\AppData\Local\Temp\mammothsofa

MD5 633c0f0851caf2cc44727718ba335e68
SHA1 03447d779de01b237608abf5b1dc6892d36bc16c
SHA256 a440269f7867a54e58003b82929a525092827a6ab1d8d2cb298608b289c3beb9
SHA512 928c1cb57f938c14b736c7002d6a6d51d2d3234501d466bc72432477c06077ef243d7819f99f4da1996291b3f1c31d134b83d98950427f594a65c2dc28fb029c

C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 acbc87f5ccf78f85146fb26690299bd1
SHA1 38d3f664f1a240937147e6870c1ad1478e761e62
SHA256 c7fd534680b7119ac17af963a6f3dfc97c3894808276f284e87385cf49b285ba
SHA512 10f52a3fa495613e4fad514af7664e19df0420056d9b1d447ad779293b02658fee264fa0d383994f5b415f88cec7079d92ca9737cf4bdf30117b7130ca04bd5c

memory/3120-8425-0x000001BBDBF00000-0x000001BBDBF21000-memory.dmp

memory/3120-8426-0x00007FFE0A1D0000-0x00007FFE0A5BD000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 09:56

Reported

2024-01-22 09:58

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2032 wrote to memory of 2184 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2032 wrote to memory of 2184 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2032 wrote to memory of 2184 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2184 wrote to memory of 1604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2184 wrote to memory of 1604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2184 wrote to memory of 1604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2184 wrote to memory of 2508 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2184 wrote to memory of 2508 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2184 wrote to memory of 2508 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2184 wrote to memory of 832 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 832 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 832 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 832 wrote to memory of 1752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 832 wrote to memory of 1752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"

C:\Windows\system32\findstr.exe

findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode mammothsofa bulbignorant.dll

C:\Windows\system32\rundll32.exe

rundll32 bulbignorant.dll,x

C:\Windows\system32\cmd.exe

cmd /c rundll32 bulbignorant.dll,x

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

MD5 34bcdbd3855b4a4354f3cd03e608440a
SHA1 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
SHA256 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
SHA512 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

C:\Users\Admin\AppData\Local\Temp\mammothsofa

MD5 e21b5c6bac40e2ec146ef620ad02dde8
SHA1 e94d363c8844625ed6acef47fc9ab7e7dddc7377
SHA256 87e26762e465a7fc7282dfae09242dcc75976e962970267c2f48b0a5b6b3572b
SHA512 04aad76625311d2e84c27b5767f5b4dd09f6d7c506846771cc79a11bcdd5472e1c443ea728563ae5cf38eb7ef04b1ca39e2d86254706433f698430d4c45a19ea

\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 46642952fa262ca4e0844a2fe0c54e1e
SHA1 fd4da231f254e7d6ca65fc913d719d452501e1fb
SHA256 34bfce64c2574369b55dbf7ca8752e3c471dfa47b8f0f3d56ab912d353a056f0
SHA512 5f2a38770cde7e0cec4e6185732483b9cd597eee3ecc9a1410b42f5bf551cb56d7b5afddae4873f0318bbb4f1fdc20e60a2643c20a88ae1cc30a9303feb4f751

\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 a3802219f765f8f95acf07631157bdc1
SHA1 5d403afc687c79a3e2c9599694741ebbea7b5551
SHA256 eddd400a18573d6e3aa40d74d5129bda7ab82c73a0cc990f6ec7457c7d7afb71
SHA512 b1a46696232c92fc8ecd4eb44ca89361e4ce5aa3a0f20fba2db6bf62467cc2654bbe9806f0dbcb756ab26ba7783b7404c7749cf069d96361b03863f06ef4efc9

\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 fded28bebeff090c0750343fa2520d80
SHA1 18207a4911c05227f684250d14a231a1867c1fed
SHA256 f84c433903066c233beb045fcb51900a14912e504b5f3bbb8451464b5a217edb
SHA512 88a221f7b44209bb03a13a6822350e357564d99ae49ca32c26030c5367eeab83fdb4f2ed3225d9f5098ff1c36bb5d2258c9ea6a2bece8cbd7ef2387efd2ecfde

\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 91a3388be51fcc22488e6e9f6add380d
SHA1 25e9a7f242c46ed4d11b34ec6ba516dd3fb8c12b
SHA256 11401d2b617560eb0f0ef8dc10e8227b38bb776b38e981a98c192a3df7da8eca
SHA512 8440c3889245024964ef3c2e6edacc4d5c48a73ba53364d9d437632f798c7709e62560d829daef2b193ccc87c35252e6f8073efb332b24968b02fdc0d489c334

C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 65f4beaa7dd2e5be8bd2eccb6e6cc379
SHA1 abe54331e07280aa68ba112e2e62187a59c2cda3
SHA256 342ca73c209f9d14445bd4a1b1cc64bda7abfb967d89b9ab0e44fd027e3c715a
SHA512 f1326456a5691e9d9fe6d1c41cdf1373b1f655a6ad9f6bb797b5575a2df11d36f654c4040569eef069cd5c865275f3a3492192847a6fc4481a2154e354d4c477

C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

MD5 ac14b66d774f70e29cac9af53dab33c2
SHA1 ac477815ed02b141b70298814eff893d06be484c
SHA256 21c0621f937294693c563446723a7f4337f549217dd55ce69338d179af23a9c8
SHA512 f7ae2a6948c58bf56be5b927be1461bec5177bd6816920d29d95d933696640ce1939e522d43f6035dc146bddfe6294d56aaa0d9dc25b0867f8029cd50397638f

memory/1752-8429-0x0000000001AC0000-0x0000000001AE1000-memory.dmp

memory/1752-8428-0x000007FEF5AB0000-0x000007FEF5E9D000-memory.dmp