Resubmissions

27-01-2024 09:27

240127-lezxaahdd2 7

27-01-2024 09:23

240127-lcrswshch8 10

27-01-2024 07:59

240127-jvdymshgcp 7

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    27-01-2024 09:23

General

  • Target

    64201921222189.js

  • Size

    6.4MB

  • MD5

    9ad0dc56c7f7492b4555812c774fe3d6

  • SHA1

    4b18214b4b08864f0073f56d098e2b4f0f1997ec

  • SHA256

    dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d

  • SHA512

    01195cd51e6e47026d12b1c07c235704abe3e953e518ae14d0bcde6ee724667d318420d5e1b4e0784fcd52a388fd44046a44eacca017cd7e2da7e15d561707d2

  • SSDEEP

    49152:pDH/1og88w/d8Q3YOkgPJs8vU/knfBLi7kj6dXjocM:M

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\64201921222189.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\64201921222189.js" "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat" && "C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\hh.exe
        Hh …
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:600
      • C:\Windows\hh.exe
        Hh /////0SLjCTAFwEAQYHx/////0UhzkQJ8USLjCTAFwEAQYHx/////4nPRCHPg/H/geH/////Cc+D9/+LjCTAFwEAgfH/////RIuMJMAXAQBBgfGKzaJNCc9BgcmKzaJNg/f/RCHPRInZg/H/QYnxQTHJQSHxifGD8f+B4bmJFW2LrCTAFwEAgfW5iRVtIe5Fid5Bg/b/QYHmuYkVbUEh6wnxRQneRDHxRYnLQSHLQTHJRQnLidmD8f9BiflBg/H/i7QkwBcBAIH2DfwiyUQJyYHODfwiyYPx/yHxQYnZQYPx/0GB4ULKlCGLtCTAFwEAgfZCypQhIfOJ/YP1/4HlQsqUISH3QQnZCf1BMemJzoP2/0SJz4P3/4ucJMAXAQCB8xLrs5KJ9YHlEuuzkiHZQYn+QYHmEuuzkkEh2QnNRQnORDH1Cf6D9v+ByxLrs5Ih3gn1RInZg/H/geH/////RIuMJMAXAQBBgfH/////RIneRCHOCfGD8f+B8R5gZpeB4R5gZpd
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:1564
      • C:\Windows\hh.exe
        Hh …
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2444
      • C:\Windows\hh.exe
        Hh …
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2096
      • C:\Windows\system32\findstr.exe
        findstr /V pokeskip ""C:\Users\Admin\AppData\Local\Temp\\geeserecord.bat""
        3⤵
          PID:2960
        • C:\Windows\system32\certutil.exe
          certutil -f -decode merezephyr seemlyvegetable.dll
          3⤵
            PID:1716
          • C:\Windows\system32\cmd.exe
            cmd /c rundll32 seemlyvegetable.dll,m
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\system32\rundll32.exe
              rundll32 seemlyvegetable.dll,m
              4⤵
              • Loads dropped DLL
              PID:2972
  • C:\Windows\System32\Notepad.exe
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\StopProtect.vbe
    1⤵
    • Opens file in notepad (likely ransom note)
    • Suspicious use of FindShellTrayWindow
    PID:1904
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\StopProtect.vbe"
    1⤵
      PID:700

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\errorPageStrings[2]

          Filesize

          2KB

          MD5

          e3e4a98353f119b80b323302f26b78fa

          SHA1

          20ee35a370cdd3a8a7d04b506410300fd0a6a864

          SHA256

          9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

          SHA512

          d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\httpErrorPagesScripts[1]

          Filesize

          8KB

          MD5

          3f57b781cb3ef114dd0b665151571b7b

          SHA1

          ce6a63f996df3a1cccb81720e21204b825e0238c

          SHA256

          46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

          SHA512

          8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

        • C:\Users\Admin\AppData\Local\Temp\geeserecord.bat

          Filesize

          6.4MB

          MD5

          9ad0dc56c7f7492b4555812c774fe3d6

          SHA1

          4b18214b4b08864f0073f56d098e2b4f0f1997ec

          SHA256

          dbd9dcd47010476f23da069f9d2c41c9f20b08bf3eb506c5c8bdb6dfa6811c4d

          SHA512

          01195cd51e6e47026d12b1c07c235704abe3e953e518ae14d0bcde6ee724667d318420d5e1b4e0784fcd52a388fd44046a44eacca017cd7e2da7e15d561707d2

        • C:\Users\Admin\AppData\Local\Temp\merezephyr

          Filesize

          4.1MB

          MD5

          a0c8c19362df1bd5d90bb4b055935992

          SHA1

          a5f6aafa96b5c0dd85d9f6ed8c2192febdee1b71

          SHA256

          0f03c75d4e91d78c504977856a8f6320e1742e52aaf83967a9bc6193218c408b

          SHA512

          61e87193de5613990ebb87a2e76b10149bccfe9055cc71cd13b9f8c70822bea09be011a5d1a22cc5b08ad26aa32beb3433f1fe34c6224dbce1af252e33003878

        • C:\Users\Admin\AppData\Local\Temp\seemlyvegetable.dll

          Filesize

          4.3MB

          MD5

          ea54ab5eea76e4481dda3ccb96c1afbf

          SHA1

          403fba15b57edd61049d58dd2ce834c758663169

          SHA256

          1941291021f094ca1bf945637320c446d4fd2a80db9a44f127528ad521163e8d

          SHA512

          19e4af52104639212ece742304005734a5d2be5a5204217b8464a4d3b9bc1222febf093b5425cf10c9be0d05458257ee3b9c5a16caa1a0e0812d34d080087a35

        • \Users\Admin\AppData\Local\Temp\seemlyvegetable.dll

          Filesize

          4.8MB

          MD5

          ee0c3b7659ffba9c02a7d05dd53f1215

          SHA1

          7105afbf492cf6fffcd18bec16b59f2f3e24d260

          SHA256

          142994f123a1238d2387d00a58b709b2a07429cf1d024f65f97279afa01dfc74

          SHA512

          57f6d26b226f99d459e1de57ea7c72480cd316267095c615e564db190a053daa82338bf66ffdbd463d5e39ef2057667d2f23bc42ee5a4abe7bcc0679bbfeb319

        • memory/600-186-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

          Filesize

          64KB

        • memory/1564-2626-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

          Filesize

          64KB

        • memory/2096-8660-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

          Filesize

          64KB

        • memory/2972-12889-0x0000000001BE0000-0x0000000001C03000-memory.dmp

          Filesize

          140KB

        • memory/2972-12888-0x000007FEF59F0000-0x000007FEF5EB8000-memory.dmp

          Filesize

          4.8MB