Analysis Overview
SHA256: 5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c
Threat Level: Known bad
The file INVOICE_23690_262531821.js was found to be: Known bad.
Malicious Activity Summary
Strela
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-22 09:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-22 09:56
Reported: 2024-01-22 09:58
Platform: win7-20231129-en
Max time kernel: 121s
Max time network: 122s
Command Line
Signatures
Strela
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"
C:\Windows\system32\findstr.exe
findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""
C:\Windows\system32\rundll32.exe
rundll32 deskball.dll,x
C:\Windows\system32\cmd.exe
cmd /c rundll32 deskball.dll,x
C:\Windows\system32\certutil.exe
certutil -f -decode nimblesuccinct deskball.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\chivalrousmelodic.bat
| Algorithm | Digest |
| --- | --- |
| MD5 | c317a132db9207d95fc4ed3a8e07b4f7 |
| SHA1 | e9c5a9b583108e2329c402990c2be51ae958d12a |
| SHA256 | 677bc90ba5f18cafd63fb7ec01442bcf8383251fc2151b4cf237d665104a1de7 |
| SHA512 | aefa0a717399db17034a4642a01af6d7b0eb4b0e6d7ffa614e20b8cb71b335953a491eeffc1286a5967f147c6e46a4a23a8db8c6d78cc2a480dfd839815d4841 |
C:\Users\Admin\AppData\Local\Temp\chivalrousmelodic.bat
| Algorithm | Digest |
| --- | --- |
| MD5 | adb7a9acd1460d920f82f1fe655d5923 |
| SHA1 | 75bea6c7dace173868a61a9dcfc2595178d84f2e |
| SHA256 | b2b343aec2e01bbe24d0fe6ca4e54a6baaacaeafd22de39778d121bf835351c9 |
| SHA512 | 9e867017ce702fe2cdc56243b95326e8776a85343de843da7839802b1d975c5972d9474d97a18aba344a538284b344a91bd30f9d9326d756b2c496e6e95d0de2 |
C:\Users\Admin\AppData\Local\Temp\nimblesuccinct
| Algorithm | Digest |
| --- | --- |
| MD5 | 969e2b48a6a3853593147fa510dba643 |
| SHA1 | 04ab161ff15bb5abc949dda8467187b314b91eb0 |
| SHA256 | 075d46bd3d7235a73ce2d7664bb7e6c9dcb20699df45a7d0c8b19e976fca3730 |
| SHA512 | 8f1615f4663036180d98b5ec4fecf6f60437689a22d25dcf775071d307af6eae94f0c634d067e5181eb4ba39e567142116bf940afa06cfccaad180a5913ab96b |
\Users\Admin\AppData\Local\Temp\deskball.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 8d5ab8a633b4b1614b84d6c005518676 |
| SHA1 | f503e73610ff670978fbaf3a8b4d6ef03d57f04a |
| SHA256 | 8f2a0f0030f4f26f4b707cca8a92b4b90063768cebff21226dc80ec854b70745 |
| SHA512 | 5700a2a332ae55e3d4f0df13d9049edcd4fe2d8bf488146d803380e2d6a2b5ed351137258be92e80cae04625ca481c00596aa29a4c7843c70cde43a6148daeea |
memory/620-10403-0x00000000001B0000-0x00000000001D1000-memory.dmp
memory/620-10402-0x000007FEF5C90000-0x000007FEF6079000-memory.dmp
memory/620-10404-0x00000000001B0000-0x00000000001D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-22 09:56
Reported: 2024-01-22 09:58
Platform: win10v2004-20231215-en
Max time kernel: 138s
Max time network: 146s
Command Line
Signatures
Strela
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"
C:\Windows\system32\wpr.exe
WPr
C:\Windows\system32\findstr.exe
findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""
C:\Windows\system32\certutil.exe
certutil -f -decode nimblesuccinct deskball.dll
C:\Windows\system32\cmd.exe
cmd /c rundll32 deskball.dll,x
C:\Windows\system32\rundll32.exe
rundll32 deskball.dll,x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\chivalrousmelodic.bat
| Algorithm | Digest |
| --- | --- |
| MD5 | c7007617a4e91a9f1b490fbb8f0e15ab |
| SHA1 | 2ada1b92b7d98090c80c6b0f44c477feb9629e35 |
| SHA256 | 5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c |
| SHA512 | 1c0cf31f4d9d57399565b1569acec57628893ed7861d473111d64a9b0fb5b92d13ccf23668f64ac6848f96cdbd54e2806442de6c2931297472f0f7296d3f669b |
C:\Users\Admin\AppData\Local\Temp\nimblesuccinct
| Algorithm | Digest |
| --- | --- |
| MD5 | 969e2b48a6a3853593147fa510dba643 |
| SHA1 | 04ab161ff15bb5abc949dda8467187b314b91eb0 |
| SHA256 | 075d46bd3d7235a73ce2d7664bb7e6c9dcb20699df45a7d0c8b19e976fca3730 |
| SHA512 | 8f1615f4663036180d98b5ec4fecf6f60437689a22d25dcf775071d307af6eae94f0c634d067e5181eb4ba39e567142116bf940afa06cfccaad180a5913ab96b |
C:\Users\Admin\AppData\Local\Temp\deskball.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 6cf46ba96bb912ab5576a3de6cb3ecd2 |
| SHA1 | 325d0e2e77812b7fa430d74eea5c24b43c369765 |
| SHA256 | 32484fd6d10fef3068f3cbab6f8c07fe28d43cfc4f2b00bf56f4bcf558670417 |
| SHA512 | cf3d7b58b7e3c9f1eeaf65bdacacdd87de3ddb3b682496dd9d1a81c5b17efd82c142d5038edf1ab1c3d1143cfa58bc738bc0c65413bb09f227b2d633a4010527 |
memory/700-10399-0x000002A449510000-0x000002A449531000-memory.dmp
memory/700-10400-0x00007FFCD23C0000-0x00007FFCD27A9000-memory.dmp
memory/700-10401-0x000002A449510000-0x000002A449531000-memory.dmp