Analysis

Max time kernel: 138s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-01-2024 09:56

Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE_23690_262531821.js
  Resource: win7-20231129-en
General

Target: INVOICE_23690_262531821.js
Size: 5.3MB
MD5: c7007617a4e91a9f1b490fbb8f0e15ab
SHA1: 2ada1b92b7d98090c80c6b0f44c477feb9629e35
SHA256: 5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c
SHA512: 1c0cf31f4d9d57399565b1569acec57628893ed7861d473111d64a9b0fb5b92d13ccf23668f64ac6848f96cdbd54e2806442de6c2931297472f0f7296d3f669b
SSDEEP: 24576:pKS6oCq9Ro7ymA2JJn22s6aE7qwdEKyn3ygDO0PodOk++pL4T03M77t/1xxXJn5i:5ncYe/Q5idwhpUbUc
Malware Config

Extracted
Family: strela
C2: 193.109.85.77
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Process: wscript.exe
  Key queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation

Loads dropped DLL (1 IoC)
  PID 700  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process      procid_target
  PID 3920 wrote to memory of 2176   3920  wscript.exe  88
  PID 3920 wrote to memory of 2176   3920  wscript.exe  88
  PID 2176 wrote to memory of 1612   2176  cmd.exe      95
  PID 2176 wrote to memory of 1612   2176  cmd.exe      95
  PID 2176 wrote to memory of 3112   2176  cmd.exe      99
  PID 2176 wrote to memory of 3112   2176  cmd.exe      99
  PID 2176 wrote to memory of 2484   2176  cmd.exe      100
  PID 2176 wrote to memory of 2484   2176  cmd.exe      100
  PID 2176 wrote to memory of 4972   2176  cmd.exe      101
  PID 2176 wrote to memory of 4972   2176  cmd.exe      101
  PID 4972 wrote to memory of 700    4972  cmd.exe      102
  PID 4972 wrote to memory of 700    4972  cmd.exe      102
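Each signature above is weak on its own (certutil -decode, findstr and rundll32 all have legitimate uses); the signal in this sample is the chain: a script host spawning cmd.exe that copies the .js to a .bat, findstr /V filtering that .bat, certutil -decode producing a .dll, and rundll32 loading it, all descending from wscript.exe. The following is an added example, not part of the sandbox report, that expresses that chain as rules over process-creation telemetry. The event records are constructed from the PIDs and command lines in this report; parent PIDs are inferred from the nesting of the process tree, the ProcEvent class and rule names are this example's own, the wpr.exe command line is truncated as it is in the report, and the final certutil record is a constructed benign control that must not fire.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from this report's process tree. Parent PIDs follow the tree's
# nesting. The last record is a constructed benign control (an admin decoding
# a certificate) and must not produce a hit.
EVENTS = [
    ProcEvent(3920, 1, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js"),
    ProcEvent(2176, 3920, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" '
              r'"C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"'),
    ProcEvent(1612, 2176, r"C:\Windows\system32\wpr.exe", "WPr"),  # rest of command line not in the report
    ProcEvent(3112, 2176, r"C:\Windows\system32\findstr.exe",
              r'findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""'),
    ProcEvent(2484, 2176, r"C:\Windows\system32\certutil.exe", "certutil -f -decode nimblesuccinct deskball.dll"),
    ProcEvent(4972, 2176, r"C:\Windows\system32\cmd.exe", "cmd /c rundll32 deskball.dll,x"),
    ProcEvent(700, 4972, r"C:\Windows\system32\rundll32.exe", "rundll32 deskball.dll,x"),
    ProcEvent(5000, 4000, r"C:\Windows\system32\certutil.exe", "certutil -decode cert.b64 cert.cer"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict):
    """Walk ppid links upward; the seen-set guards against cycles from PID reuse."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def under_script_host(ev: ProcEvent, by_pid: dict) -> bool:
    """True if any ancestor of ev is a Windows script host."""
    return any(image_name(a.image) in SCRIPT_HOSTS for a in ancestors(ev, by_pid))


# Each rule: (name, image basename, command-line regex, require a script-host ancestor)
RULES = [
    ("script_copied_to_bat", "cmd.exe", r'copy\s+"?[^"]*\.js"?\s+"?[^"]*\.bat', False),
    ("findstr_v_filters_bat", "findstr.exe", r"/v\b.*\.bat", True),
    ("certutil_decode_to_dll", "certutil.exe", r"-decode\b.*\.dll\b", False),
    ("rundll32_under_script_host", "rundll32.exe", r"rundll32", True),
]


def scan(events) -> list:
    """Return (rule, pid) hits. Individual rules are noisy; the chain is the signal."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        for name, image, pattern, need_host in RULES:
            if image_name(ev.image) != image or not re.search(pattern, ev.cmdline, re.I):
                continue
            if need_host and not under_script_host(ev, by_pid):
                continue
            hits.append((name, ev.pid))
    return hits


def chain_complete(hits) -> bool:
    """True when every stage of the dropper chain fired at least once."""
    return {name for name, _ in hits} == {rule[0] for rule in RULES}


if __name__ == "__main__":
    found = scan(EVENTS)
    print(found, "chain complete:", chain_complete(found))
```

The per-stage rules deliberately stay loose (any .js copied to .bat, any certutil -decode emitting a .dll); the ancestry requirement on findstr and rundll32, plus the chain_complete check, is what keeps the benign certutil record out of the alert.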
Processes

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js
    PID: 3920
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"
        PID: 2176
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\wpr.exe
            Command line: WPr [...] (remainder of the command line not preserved in this capture)
            PID: 1612

        [3] C:\Windows\system32\findstr.exe
            Command line: findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""
            PID: 3112

        [3] C:\Windows\system32\certutil.exe
            Command line: certutil -f -decode nimblesuccinct deskball.dll
            PID: 2484

        [3] C:\Windows\system32\cmd.exe
            Command line: cmd /c rundll32 deskball.dll,x
            PID: 4972
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\rundll32.exe
                Command line: rundll32 deskball.dll,x
                PID: 700
                - Loads dropped DLL
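The tree shows a polyglot dropper: the .js is copied to a .bat and run as batch, findstr /V drops every line containing the marker placidcherries, certutil -f -decode turns what remains (nimblesuccinct) into deskball.dll, and rundll32 calls its export x. The redirect from findstr into nimblesuccinct is not captured in the command lines above. As an added example, not from the report or the sample, the script below reproduces the findstr /V and certutil -decode stages offline so the DLL can be carved from the script statically instead of by detonation. The input is a constructed stand-in for the dropped .bat (the real file's layout is not on this page) wrapping a fake 64-byte MZ stub, the redirect in its findstr line is assumed, and certutil_decode is an approximation of certutil's decoder (PEM-style header/footer lines and whitespace dropped, strict base64).

```python
import base64
import hashlib
import re

MARKER = "placidcherries"

# Constructed stand-in payload: a fake 64-byte MZ stub, NOT the real deskball.dll.
FAKE_DLL = b"MZ" + b"\x90" * 58 + b"PE\x00\x00"
FAKE_DLL_SHA256 = hashlib.sha256(FAKE_DLL).hexdigest()
_B64 = base64.b64encode(FAKE_DLL).decode()

# Constructed stand-in for chivalrousmelodic.bat: batch lines tagged with the
# marker, wrapped around a certutil-style base64 block. Only the two filters
# visible in the process tree are modelled; the redirect to nimblesuccinct is assumed.
SAMPLE_BAT = "\n".join(
    [
        f"@echo off {MARKER}",
        f'findstr /V {MARKER} "%~f0" > nimblesuccinct {MARKER}',
        "-----BEGIN CERTIFICATE-----",
        *[_B64[i:i + 64] for i in range(0, len(_B64), 64)],
        "-----END CERTIFICATE-----",
        f"certutil -f -decode nimblesuccinct deskball.dll {MARKER}",
        f"rundll32 deskball.dll,x {MARKER}",
    ]
)


def findstr_v(text: str, marker: str) -> str:
    """Model of `findstr /V marker file`: keep only lines that do NOT contain
    marker. findstr is case-sensitive without /I and treats the string as a
    regex by default; a plain word like this one matches literally."""
    return "\n".join(line for line in text.splitlines() if marker not in line)


def certutil_decode(text: str) -> bytes:
    """Approximation of `certutil -decode`: drop ----- header/footer lines,
    ignore surrounding whitespace, and strictly base64-decode the rest.
    Non-base64 content means the wrong lines survived the filter."""
    body = "".join(
        line.strip() for line in text.splitlines() if not line.strip().startswith("-----")
    )
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        raise ValueError("non-base64 content survived the filter; check the marker")
    return base64.b64decode(body, validate=True)


def carve(bat_text: str, marker: str) -> dict:
    """Run both stages and summarise the carved blob the way an analyst would
    before handing it to a PE parser or a sandbox."""
    blob = certutil_decode(findstr_v(bat_text, marker))
    return {
        "size": len(blob),
        "is_pe": blob[:2] == b"MZ",
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    print(carve(SAMPLE_BAT, MARKER))
```

With the real sample, the marker and the certutil input name come straight from the findstr and certutil command lines in the tree; if carve raises, the filter did not isolate the base64 block and the batch file needs a closer look for a second marker or a different encoding.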
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 5.3MB
MD5: c7007617a4e91a9f1b490fbb8f0e15ab
SHA1: 2ada1b92b7d98090c80c6b0f44c477feb9629e35
SHA256: 5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c
SHA512: 1c0cf31f4d9d57399565b1569acec57628893ed7861d473111d64a9b0fb5b92d13ccf23668f64ac6848f96cdbd54e2806442de6c2931297472f0f7296d3f669b

File 2
Filesize: 3.9MB
MD5: 6cf46ba96bb912ab5576a3de6cb3ecd2
SHA1: 325d0e2e77812b7fa430d74eea5c24b43c369765
SHA256: 32484fd6d10fef3068f3cbab6f8c07fe28d43cfc4f2b00bf56f4bcf558670417
SHA512: cf3d7b58b7e3c9f1eeaf65bdacacdd87de3ddb3b682496dd9d1a81c5b17efd82c142d5038edf1ab1c3d1143cfa58bc738bc0c65413bb09f227b2d633a4010527

File 3
Filesize: 5.2MB
MD5: 969e2b48a6a3853593147fa510dba643
SHA1: 04ab161ff15bb5abc949dda8467187b314b91eb0
SHA256: 075d46bd3d7235a73ce2d7664bb7e6c9dcb20699df45a7d0c8b19e976fca3730
SHA512: 8f1615f4663036180d98b5ec4fecf6f60437689a22d25dcf775071d307af6eae94f0c634d067e5181eb4ba39e567142116bf940afa06cfccaad180a5913ab96b