Analysis

  • max time kernel
    136s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 12:16

General

  • Target

    22345804828167.js

  • Size

    1.2MB

  • MD5

    60e2ff683eaddef5aaddda1bd3ee7ea7

  • SHA1

    4e94ed84ea0e838ba2da2173868c5f227cea8392

  • SHA256

    4baaf14d0f1adc879c79b0a234b30330a93ea3fd1d8050ac5910ce40236a067a

  • SHA512

    5db582af4de3e0243474b8637282aed3e089e55b5124e712d4f0d230dd0879fd2a921acce2bf5b7ed1cf4fdf1173b98b46b1fd42d544ce7e45acd852ba971564

  • SSDEEP

    24576:u+qOfAjkFZ9gwzEoCmbvD1+Crry2Q/F/XJjTETzTvBkskkZe:hfZRgBCTTrc

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials, first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\22345804828167.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\22345804828167.js" "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat" && "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\system32\findstr.exe
        findstr /V sootheflat ""C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat""
        3⤵
          PID:5064
        • C:\Windows\system32\certutil.exe
          certutil -f -decode uncoveredconfused brainyarm.dll
          3⤵
            PID:776
          • C:\Windows\system32\cmd.exe
            cmd /c rundll32 brainyarm.dll,m
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4872
      • C:\Windows\system32\rundll32.exe
        rundll32 brainyarm.dll,m
        1⤵
        • Loads dropped DLL
        PID:4416
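      The process tree above is a textbook LOLBin chain: the script host copies its own .js to a .bat, findstr /V strips the marker-tagged script lines to leave a base64 blob, certutil -decode turns that blob into a DLL, and rundll32 runs an export from the user's Temp directory. The following is an added detection example written for this report (not code from the sandbox or the sample) that runs a handful of rules over constructed process-creation events in a Sysmon-Event-ID-1-like shape and ties each hit back to a script-host ancestor where the parent chain allows it. PIDs and command lines mirror the tree; the parent of wscript.exe and the missing parent link for rundll32.exe (shown at depth 1 in the report) are assumptions.

```python
"""Detection of the wscript -> cmd(copy .js to .bat) -> findstr /V -> certutil -decode -> rundll32 chain.
Added example for this report; not code from the sandbox or the sample.
Events below are constructed (Sysmon Event ID 1-like shape) from the report's process tree."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Each rule: (name, image basename it applies to, predicate over the lower-cased command line)
RULES = [
    ("script_copied_to_bat", "cmd.exe",
     lambda c: "copy" in c and re.search(r"\.js\W.*\.bat", c) is not None),
    ("findstr_strip_marker", "findstr.exe", lambda c: " /v " in c),
    ("certutil_decode", "certutil.exe", lambda c: "-decode" in c or "/decode" in c),
    # DLL argument given with no path component: resolved relative to the cwd (here %TEMP%)
    ("rundll32_relative_dll", "rundll32.exe",
     lambda c: re.search(r'rundll32(?:\.exe)?\s+"?[^\s"\\]+\.dll,', c) is not None),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(ev, by_pid):
    """Walk the parent chain; stops on a missing parent or a cycle."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)

def detect(events):
    """Return [(rule_name, pid, script_host_pid_or_None)] for every matching event.
    The script-host ancestor is reported separately rather than required, because
    the rundll32 process in the report has no recorded parent link (tree depth 1)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        img, cmd = basename(ev.image), ev.cmdline.lower()
        for name, rule_img, pred in RULES:
            if img == rule_img and pred(cmd):
                host = next((a.pid for a in ancestors(ev, by_pid)
                             if basename(a.image) in SCRIPT_HOSTS), None)
                hits.append((name, ev.pid, host))
    return hits

def full_chain(hits):
    """True when every stage of the chain fired at least once."""
    return {name for name, _, _ in RULES} <= {h[0] for h in hits}

def sample_events():
    """Constructed events reproducing the report's tree. ppid 1000 for wscript and
    ppid 0 (unknown) for rundll32 are assumptions, not values from the report."""
    t = r"C:\Users\Admin\AppData\Local\Temp"
    return [
        Event(2472, 1000, r"C:\Windows\system32\wscript.exe",
              "wscript.exe " + t + r"\22345804828167.js"),
        Event(3180, 2472, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "' + t + r'\22345804828167.js" "'
              + t + r'\\learnedscarce.bat" && "' + t + r'\\learnedscarce.bat"'),
        Event(5064, 3180, r"C:\Windows\system32\findstr.exe",
              'findstr /V sootheflat ""' + t + r'\\learnedscarce.bat""'),
        Event(776, 3180, r"C:\Windows\system32\certutil.exe",
              "certutil -f -decode uncoveredconfused brainyarm.dll"),
        Event(4872, 3180, r"C:\Windows\system32\cmd.exe", "cmd /c rundll32 brainyarm.dll,m"),
        Event(4416, 0, r"C:\Windows\system32\rundll32.exe", "rundll32 brainyarm.dll,m"),
    ]

if __name__ == "__main__":
    for rule, pid, host in detect(sample_events()):
        print(f"{rule:24s} pid={pid} script_host={host}")
```

      Because rundll32 surfaces without a parent link, the rundll32_relative_dll rule fires on the command line alone; the other three stages carry the wscript.exe PID (2472) as their script-host ancestor, which is the value to pivot on when triaging.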

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\brainyarm.dll

        Filesize

        886KB

        MD5

        3d97638a09af4d6690008936993ba12d

        SHA1

        cc3c922260d0dacbfda3245c8fd298695fb8c136

        SHA256

        649d05ad0a76df62028fbb776f9bbdea19e39cbe8f03d6a233f7c297565e06b1

        SHA512

        016b569fd5b3d8e1ab97fc025a3876dc6159a8e16b6b54a695f367e67b513d9060dc5e846dba4ef66b5ee33e39cdd8626e51afbf1f879569329d7ff4bcc52a18

      • C:\Users\Admin\AppData\Local\Temp\learnedscarce.bat

        Filesize

        1.2MB

        MD5

        60e2ff683eaddef5aaddda1bd3ee7ea7

        SHA1

        4e94ed84ea0e838ba2da2173868c5f227cea8392

        SHA256

        4baaf14d0f1adc879c79b0a234b30330a93ea3fd1d8050ac5910ce40236a067a

        SHA512

        5db582af4de3e0243474b8637282aed3e089e55b5124e712d4f0d230dd0879fd2a921acce2bf5b7ed1cf4fdf1173b98b46b1fd42d544ce7e45acd852ba971564

      • C:\Users\Admin\AppData\Local\Temp\uncoveredconfused

        Filesize

        1.2MB

        MD5

        963b1b331221d562001ebc2330a2f996

        SHA1

        b2cbebc4f5512ad437622e75cb200812614134ee

        SHA256

        e5110fb49b5a087b2c8dc47f6aff7d92954023fd16a29ed3e138d1ea6714c3ea

        SHA512

        141f9db15bebe92306255dc05a1b132eedabc01c8297d86b03dcba3fd520d8464d766830f05f3f52dcc4550dbbb72b149c7e40377aac947df2bf4b1154624d42

      • memory/4416-1548-0x000002E1EFDA0000-0x000002E1EFDC3000-memory.dmp

        Filesize

        140KB

      • memory/4416-1549-0x00007FFC89590000-0x00007FFC89675000-memory.dmp

        Filesize

        916KB