Malware Analysis Report

2025-01-18 09:30

Sample ID: 240122-lyck4aeah8
Target: INVOICE_23690_262531821.js
SHA256: 5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c
Tags: strela stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file INVOICE_23690_262531821.js was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-01-22 09:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-22 09:56
Reported: 2024-01-22 09:58
Platform: win7-20231129-en
Max time kernel: 121s
Max time network: 122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2876 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2188 wrote to memory of 2876 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2188 wrote to memory of 2876 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2876 wrote to memory of 696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2876 wrote to memory of 696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2876 wrote to memory of 696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2876 wrote to memory of 1964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2876 wrote to memory of 1964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2876 wrote to memory of 1964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2876 wrote to memory of 1176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 1176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 1176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1176 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1176 wrote to memory of 620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"

C:\Windows\system32\findstr.exe

findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""

C:\Windows\system32\rundll32.exe

rundll32 deskball.dll,x

C:\Windows\system32\cmd.exe

cmd /c rundll32 deskball.dll,x

C:\Windows\system32\certutil.exe

certutil -f -decode nimblesuccinct deskball.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\chivalrousmelodic.bat

MD5 c317a132db9207d95fc4ed3a8e07b4f7
SHA1 e9c5a9b583108e2329c402990c2be51ae958d12a
SHA256 677bc90ba5f18cafd63fb7ec01442bcf8383251fc2151b4cf237d665104a1de7
SHA512 aefa0a717399db17034a4642a01af6d7b0eb4b0e6d7ffa614e20b8cb71b335953a491eeffc1286a5967f147c6e46a4a23a8db8c6d78cc2a480dfd839815d4841

C:\Users\Admin\AppData\Local\Temp\chivalrousmelodic.bat

MD5 adb7a9acd1460d920f82f1fe655d5923
SHA1 75bea6c7dace173868a61a9dcfc2595178d84f2e
SHA256 b2b343aec2e01bbe24d0fe6ca4e54a6baaacaeafd22de39778d121bf835351c9
SHA512 9e867017ce702fe2cdc56243b95326e8776a85343de843da7839802b1d975c5972d9474d97a18aba344a538284b344a91bd30f9d9326d756b2c496e6e95d0de2

C:\Users\Admin\AppData\Local\Temp\nimblesuccinct

MD5 969e2b48a6a3853593147fa510dba643
SHA1 04ab161ff15bb5abc949dda8467187b314b91eb0
SHA256 075d46bd3d7235a73ce2d7664bb7e6c9dcb20699df45a7d0c8b19e976fca3730
SHA512 8f1615f4663036180d98b5ec4fecf6f60437689a22d25dcf775071d307af6eae94f0c634d067e5181eb4ba39e567142116bf940afa06cfccaad180a5913ab96b

\Users\Admin\AppData\Local\Temp\deskball.dll

MD5 8d5ab8a633b4b1614b84d6c005518676
SHA1 f503e73610ff670978fbaf3a8b4d6ef03d57f04a
SHA256 8f2a0f0030f4f26f4b707cca8a92b4b90063768cebff21226dc80ec854b70745
SHA512 5700a2a332ae55e3d4f0df13d9049edcd4fe2d8bf488146d803380e2d6a2b5ed351137258be92e80cae04625ca481c00596aa29a4c7843c70cde43a6148daeea

memory/620-10403-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/620-10402-0x000007FEF5C90000-0x000007FEF6079000-memory.dmp

memory/620-10404-0x00000000001B0000-0x00000000001D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-22 09:56
Reported: 2024-01-22 09:58
Platform: win10v2004-20231215-en
Max time kernel: 138s
Max time network: 146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 2176 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3920 wrote to memory of 2176 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2176 wrote to memory of 1612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wpr.exe
PID 2176 wrote to memory of 1612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wpr.exe
PID 2176 wrote to memory of 3112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2176 wrote to memory of 3112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2176 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2176 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2176 wrote to memory of 4972 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 4972 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4972 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4972 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_23690_262531821.js" "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat" && "C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat"

C:\Windows\system32\wpr.exe

WPr

C:\Windows\system32\findstr.exe

findstr /V placidcherries ""C:\Users\Admin\AppData\Local\Temp\\chivalrousmelodic.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode nimblesuccinct deskball.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 deskball.dll,x

C:\Windows\system32\rundll32.exe

rundll32 deskball.dll,x

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\chivalrousmelodic.bat

MD5 c7007617a4e91a9f1b490fbb8f0e15ab
SHA1 2ada1b92b7d98090c80c6b0f44c477feb9629e35
SHA256 5617211ce8d0e528f2925c78a778ade44a8296f10a318c03ec094d655cf2ad3c
SHA512 1c0cf31f4d9d57399565b1569acec57628893ed7861d473111d64a9b0fb5b92d13ccf23668f64ac6848f96cdbd54e2806442de6c2931297472f0f7296d3f669b

C:\Users\Admin\AppData\Local\Temp\nimblesuccinct

MD5 969e2b48a6a3853593147fa510dba643
SHA1 04ab161ff15bb5abc949dda8467187b314b91eb0
SHA256 075d46bd3d7235a73ce2d7664bb7e6c9dcb20699df45a7d0c8b19e976fca3730
SHA512 8f1615f4663036180d98b5ec4fecf6f60437689a22d25dcf775071d307af6eae94f0c634d067e5181eb4ba39e567142116bf940afa06cfccaad180a5913ab96b

C:\Users\Admin\AppData\Local\Temp\deskball.dll

MD5 6cf46ba96bb912ab5576a3de6cb3ecd2
SHA1 325d0e2e77812b7fa430d74eea5c24b43c369765
SHA256 32484fd6d10fef3068f3cbab6f8c07fe28d43cfc4f2b00bf56f4bcf558670417
SHA512 cf3d7b58b7e3c9f1eeaf65bdacacdd87de3ddb3b682496dd9d1a81c5b17efd82c142d5038edf1ab1c3d1143cfa58bc738bc0c65413bb09f227b2d633a4010527

memory/700-10399-0x000002A449510000-0x000002A449531000-memory.dmp

memory/700-10400-0x00007FFCD23C0000-0x00007FFCD27A9000-memory.dmp

memory/700-10401-0x000002A449510000-0x000002A449531000-memory.dmp