Analysis

  • max time kernel: 135s
  • max time network: 144s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26-01-2024 12:27

General

  • Target: 28325142147799.js
  • Size: 959KB
  • MD5: e142b6e92af05edd784ecea426ea62ae
  • SHA1: 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
  • SHA256: 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
  • SHA512: a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3
  • SSDEEP: 12288:H2DjmKxUlG7TcTEeHeauBdjGjNzWpEq0mqRVb86XFXZZSLY72i9TMY6Sms9aFG4M:WZU67qe/p9dtkoH2

Score
10/10

Malware Config

Signatures

  • Strela
    An info stealer targeting mail credentials, first seen in late 2022.

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.

  • Loads dropped DLL (1 IoC)

  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28325142147799.js" "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat" && "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\system32\findstr.exe
        findstr /V ricehat ""C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat""
        3⤵
          PID:3692
        • C:\Windows\system32\certutil.exe
          certutil -f -decode tinsoak heapswim.dll
          3⤵
            PID:2284
          • C:\Windows\system32\cmd.exe
            cmd /c rundll32 heapswim.dll,m
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3632
            • C:\Windows\system32\rundll32.exe
              rundll32 heapswim.dll,m
              4⤵
              • Loads dropped DLL
              PID:4548

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • Query Registry (1): T1012
    • System Information Discovery (2): T1082


Downloads

  • C:\Users\Admin\AppData\Local\Temp\heapswim.dll
    Filesize: 712KB
    MD5: e369903ea87d49ddf23c1682a5e8d01e
    SHA1: 0b50b560770cf44c8d95286d7d67fa27871f7d1a
    SHA256: 80a58fc6fc8ce8929996f6cd56b97cb729cf8bfe2b07c02b112b6b6d96f02423
    SHA512: 359dd3a3c2341c5f0fd5c60538bf0c10f8efbf818376a2f049bc2f9f5c5fe9c9d9d2077da115e28ea9b0fa69961df68eaa667fd220402b9eb4eb679969df2a09

  • C:\Users\Admin\AppData\Local\Temp\suspectfeeble.bat
    Filesize: 959KB
    MD5: e142b6e92af05edd784ecea426ea62ae
    SHA1: 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
    SHA256: 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
    SHA512: a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3

  • C:\Users\Admin\AppData\Local\Temp\tinsoak
    Filesize: 952KB
    MD5: 9ed413fb2d65047ce18bdd9bd2d738a7
    SHA1: dbcdb9612ac5c51f3940f0e28377e749153beb72
    SHA256: cbb12b164a282becaae013b43a7b948bf3e9a913340cc35dd0d915720bfde909
    SHA512: 403d48fd20c2d0e807064af5acf978a7329833229700f18b7f170b313853f8a345782a2541817c945742f7752b38a848c4230298f1bf4920dfcaa859a8f4ded9

  • memory/4548-1381-0x00007FFDEF0B0000-0x00007FFDEF169000-memory.dmp
    Filesize: 740KB

  • memory/4548-1382-0x00000209FFA40000-0x00000209FFA63000-memory.dmp
    Filesize: 140KB