Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2024 09:56
Static task: static1
Behavioral task: behavioral1
Sample: INVOICE_23690_262531821.js
Resource: win7-20231129-en
General
Target: INVOICE_23690_262531821.js
Size: 5.3MB
MD5: c7007617a4e91a9f1b490fbb8f0e15ab
SHA1: 2ada1b92b7d98090c80c6b0f44c477feb9629e35
SHA256: 5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c
SHA512: 1c0cf31f4d9d57399565b1569acec57628893ed7861d473111d64a9b0fb5b92d13ccf23668f64ac6848f96cdbd54e2806442de6c2931297472f0f7296d3f669b
SSDEEP: 24576:pKS6oCq9Ro7ymA2JJn22s6aE7qwdEKyn3ygDO0PodOk++pL4T03M77t/1xxXJn5i:5ncYe/Q5idwhpUbUc
Malware Config
Extracted
strela
193.109.85.77
Signatures
- Loads dropped DLL (4 IoCs)
  pid   Process
  620   rundll32.exe
  620   rundll32.exe
  620   rundll32.exe
  620   rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid    Process       procid_target
  PID 2188 wrote to memory of 2876   2188   wscript.exe   28
  PID 2188 wrote to memory of 2876   2188   wscript.exe   28
  PID 2188 wrote to memory of 2876   2188   wscript.exe   28
  PID 2876 wrote to memory of 696    2876   cmd.exe       30
  PID 2876 wrote to memory of 696    2876   cmd.exe       30
  PID 2876 wrote to memory of 696    2876   cmd.exe       30
  PID 2876 wrote to memory of 1964   2876   cmd.exe       33
  PID 2876 wrote to memory of 1964   2876   cmd.exe       33
  PID 2876 wrote to memory of 1964   2876   cmd.exe       33
  PID 2876 wrote to memory of 1176   2876   cmd.exe       32
  PID 2876 wrote to memory of 1176   2876   cmd.exe       32
  PID 2876 wrote to memory of 1176   2876   cmd.exe       32
  PID 1176 wrote to memory of 620    1176   cmd.exe       31
  PID 1176 wrote to memory of 620    1176   cmd.exe       31
  PID 1176 wrote to memory of 620    1176   cmd.exe       31
Processes
- C:\Windows\system32\wscript.exe (PID 2188)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2876, child of 2188)
    command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\findstr.exe (PID 696, child of 2876)
      command line: findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""
    - C:\Windows\system32\cmd.exe (PID 1176, child of 2876)
      command line: cmd /c rundll32 deskball.dll,x
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 1964, child of 2876)
      command line: certutil -f -decode nimblesuccinct deskball.dll
- C:\Windows\system32\rundll32.exe (PID 620; rendered at the top level of the tree, although the WriteProcessMemory records show cmd.exe PID 1176 writing to it, i.e. 1176 started it)
  command line: rundll32 deskball.dll,x
  signatures: Loads dropped DLL
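Added example (not part of this report or of the sandbox's own tooling): a Python script that rebuilds the process tree from the command lines listed above and flags the two behaviours that make this chain recognisable in telemetry: a script host (wscript.exe) spawning cmd.exe to copy the running .js to a .bat and execute it, and certutil -decode producing a file that rundll32 later loads. The event list is constructed from this page's process list; rundll32's parent (cmd.exe PID 1176) is taken from the "1176 wrote to memory of 620" record rather than the rendered tree depth. findstr /V prints only the lines that do not contain the given string, so the findstr step filters marker-tagged lines out of the copied batch file; where that output goes is not visible in this report. The function names, the event tuple layout and the detection thresholds are the example's own assumptions.

```python
"""Rebuild the process tree from a sandbox process list and flag
script-host -> cmd -> certutil -decode -> rundll32 chains."""
import ntpath
import re

# Constructed from the Processes and WriteProcessMemory sections of this report:
# (pid, parent pid, command line). rundll32's parent (1176) comes from the
# WriteProcessMemory record, not from the rendered tree depth.
EVENTS = [
    (2188, None, r'wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js'),
    (2876, 2188, r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"'),
    (696, 2876, r'findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""'),
    (1964, 2876, r'certutil -f -decode nimblesuccinct deskball.dll'),
    (1176, 2876, r'cmd /c rundll32 deskball.dll,x'),
    (620, 1176, r'rundll32 deskball.dll,x'),
]

SCRIPT_HOSTS = {"wscript", "cscript"}          # assumption: the hosts worth flagging
_FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))')
_CERTUTIL_DECODE = re.compile(r'certutil(?:\.exe)?\b.*?-decode\s+(\S+)\s+(\S+)', re.I)
_RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)"?(?:,|\s|$)', re.I)
_COPY_TO_BAT = re.compile(r'\bcopy\s+"?([^"]+?\.js)"?\s+"?([^"]+?\.bat)"?', re.I)


def image_name(cmdline):
    """Lower-case image name of the first token, without directory or .exe."""
    m = _FIRST_TOKEN.match(cmdline)
    name = ntpath.basename(m.group(1) or m.group(2)).lower()
    return name[:-4] if name.endswith(".exe") else name


def build_tree(events):
    """Return (pid -> parent pid, pid -> command line) lookups."""
    parent = {pid: ppid for pid, ppid, _ in events}
    cmdline = {pid: cl for pid, _, cl in events}
    return parent, cmdline


def lineage(pid, parent, cmdline):
    """Image names from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        chain.append(image_name(cmdline[pid]))
        pid = parent.get(pid)
    return chain[::-1]


def find_self_copy_to_batch(events):
    """cmd.exe started by a script host that copies a .js to a .bat and runs it.

    'executed' is true when the .bat name appears a second time in the command
    line, i.e. the copy is chained into an invocation (&& "...bat")."""
    parent, cmdline = build_tree(events)
    hits = []
    for pid, ppid, cl in events:
        if image_name(cl) != "cmd" or ppid is None:
            continue
        if image_name(cmdline[ppid]) not in SCRIPT_HOSTS:
            continue
        m = _COPY_TO_BAT.search(cl)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        executed = cl.lower().count(ntpath.basename(dst).lower()) >= 2
        hits.append({"pid": pid, "host_pid": ppid, "src": src, "dst": dst, "executed": executed})
    return hits


def find_decode_to_rundll32(events):
    """certutil -decode writing a file that a rundll32 process then loads."""
    parent, cmdline = build_tree(events)
    decoded = {}  # output file basename -> certutil pid
    for pid, _, cl in events:
        m = _CERTUTIL_DECODE.search(cl)
        if image_name(cl) == "certutil" and m:
            decoded[ntpath.basename(m.group(2)).lower()] = pid
    hits = []
    for pid, _, cl in events:
        if image_name(cl) != "rundll32":
            continue
        m = _RUNDLL32.match(cl.strip())
        if not m:
            continue
        dll = ntpath.basename(m.group(1)).lower()
        if dll in decoded:
            hits.append({"rundll32_pid": pid, "certutil_pid": decoded[dll], "dll": dll,
                         "lineage": lineage(pid, parent, cmdline)})
    return hits


if __name__ == "__main__":
    for hit in find_self_copy_to_batch(EVENTS) + find_decode_to_rundll32(EVENTS):
        print(hit)
```

Both checks key on the relationship between processes rather than on the file names, which the sample randomises (chivalrousmelodic.bat, nimblesuccinct, deskball.dll), so the same logic applies to other droppers using this copy-then-decode pattern. On the report's own events the first check reports cmd.exe 2876 under wscript.exe 2188 with the batch file executed, and the second links certutil 1964 to rundll32 620 with the lineage wscript > cmd > cmd > rundll32.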
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: adb7a9acd1460d920f82f1fe655d5923
  SHA1: 75bea6c7dace173868a61a9dcfc2595178d84f2e
  SHA256: b2b343aec2e01bbe24d0fe6ca4e54a6baaacaeafd22de39778d121bf835351c9
  SHA512: 9e867017ce702fe2cdc56243b95326e8776a85343de843da7839802b1d975c5972d9474d97a18aba344a538284b344a91bd30f9d9326d756b2c496e6e95d0de2
- Filesize: 3.0MB
  MD5: c317a132db9207d95fc4ed3a8e07b4f7
  SHA1: e9c5a9b583108e2329c402990c2be51ae958d12a
  SHA256: 677bc90ba5f18cafd63fb7ec01442bcf8383251fc2151b4cf237d665104a1de7
  SHA512: aefa0a717399db17034a4642a01af6d7b0eb4b0e6d7ffa614e20b8cb71b335953a491eeffc1286a5967f147c6e46a4a23a8db8c6d78cc2a480dfd839815d4841
- Filesize: 5.2MB
  MD5: 969e2b48a6a3853593147fa510dba643
  SHA1: 04ab161ff15bb5abc949dda8467187b314b91eb0
  SHA256: 075d46bd3d7235a73ce2d7664bb7e6c9dcb20699df45a7d0c8b19e976fca3730
  SHA512: 8f1615f4663036180d98b5ec4fecf6f60437689a22d25dcf775071d307af6eae94f0c634d067e5181eb4ba39e567142116bf940afa06cfccaad180a5913ab96b
- Filesize: 448KB
  MD5: 8d5ab8a633b4b1614b84d6c005518676
  SHA1: f503e73610ff670978fbaf3a8b4d6ef03d57f04a
  SHA256: 8f2a0f0030f4f26f4b707cca8a92b4b90063768cebff21226dc80ec854b70745
  SHA512: 5700a2a332ae55e3d4f0df13d9049edcd4fe2d8bf488146d803380e2d6a2b5ed351137258be92e80cae04625ca481c00596aa29a4c7843c70cde43a6148daeea