Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2024 09:56

General

  • Target

    INVOICE_23690_262531821.js

  • Size

    5.3MB

  • MD5

    c7007617a4e91a9f1b490fbb8f0e15ab

  • SHA1

    2ada1b92b7d98090c80c6b0f44c477feb9629e35

  • SHA256

    5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c

  • SHA512

    1c0cf31f4d9d57399565b1569acec57628893ed7861d473111d64a9b0fb5b92d13ccf23668f64ac6848f96cdbd54e2806442de6c2931297472f0f7296d3f669b

  • SSDEEP

    24576:pKS6oCq9Ro7ymA2JJn22s6aE7qwdEKyn3ygDO0PodOk++pL4T03M77t/1xxXJn5i:5ncYe/Q5idwhpUbUc

Score
10/10

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\system32\wpr.exe
        WPr 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
        3⤵
          PID:1612
        • C:\Windows\system32\findstr.exe
          findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""
          3⤵
            PID:3112
          • C:\Windows\system32\certutil.exe
            certutil -f -decode nimblesuccinct deskball.dll
            3⤵
              PID:2484
            • C:\Windows\system32\cmd.exe
              cmd /c rundll32 deskball.dll,x
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4972
              • C:\Windows\system32\rundll32.exe
                rundll32 deskball.dll,x
                4⤵
                • Loads dropped DLL
                PID:700

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\chivalrousmelodic.bat

          Filesize

          5.3MB

          MD5

          c7007617a4e91a9f1b490fbb8f0e15ab

          SHA1

          2ada1b92b7d98090c80c6b0f44c477feb9629e35

          SHA256

          5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c

          SHA512

          1c0cf31f4d9d57399565b1569acec57628893ed7861d473111d64a9b0fb5b92d13ccf23668f64ac6848f96cdbd54e2806442de6c2931297472f0f7296d3f669b

        • C:\Users\Admin\AppData\Local\Temp\deskball.dll

          Filesize

          3.9MB

          MD5

          6cf46ba96bb912ab5576a3de6cb3ecd2

          SHA1

          325d0e2e77812b7fa430d74eea5c24b43c369765

          SHA256

          32484fd6d10fef3068f3cbab6f8c07fe28d43cfc4f2b00bf56f4bcf558670417

          SHA512

          cf3d7b58b7e3c9f1eeaf65bdacacdd87de3ddb3b682496dd9d1a81c5b17efd82c142d5038edf1ab1c3d1143cfa58bc738bc0c65413bb09f227b2d633a4010527

        • C:\Users\Admin\AppData\Local\Temp\nimblesuccinct

          Filesize

          5.2MB

          MD5

          969e2b48a6a3853593147fa510dba643

          SHA1

          04ab161ff15bb5abc949dda8467187b314b91eb0

          SHA256

          075d46bd3d7235a73ce2d7664bb7e6c9dcb20699df45a7d0c8b19e976fca3730

          SHA512

          8f1615f4663036180d98b5ec4fecf6f60437689a22d25dcf775071d307af6eae94f0c634d067e5181eb4ba39e567142116bf940afa06cfccaad180a5913ab96b

        • memory/700-10399-0x000002A449510000-0x000002A449531000-memory.dmp

          Filesize

          132KB

        • memory/700-10400-0x00007FFCD23C0000-0x00007FFCD27A9000-memory.dmp

          Filesize

          3.9MB

        • memory/700-10401-0x000002A449510000-0x000002A449531000-memory.dmp

          Filesize

          132KB