Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 11:05

General

  • Target

    147981734725653.js

  • Size

    1.1MB

  • MD5

    f0aa642d6a0e4a0021bb5a006da8f659

  • SHA1

    6da83194b6e3acb7fa7537b179b96c0a21654983

  • SHA256

    7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42

  • SHA512

    bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e

  • SSDEEP

    12288:3lyp9BJQJzEk/e0clTeD1FUEnYC1b3XC4Ksl8iUVfloiMKQsKJlmgAzE27UKEZtl:olcDR666E/NSnGQbR3xGJZ3

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\147981734725653.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\147981734725653.js" "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat" && "C:\Users\Admin\AppData\Local\Temp\\killwindow.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NUL
        3⤵
        • Modifies registry class
        PID:2124
      • C:\Windows\system32\findstr.exe
        findstr /V stickykick ""C:\Users\Admin\AppData\Local\Temp\\killwindow.bat""
        3⤵
        PID:2304
      • C:\Windows\system32\certutil.exe
        certutil -f -decode economicknife playgroundstructure.dll
        3⤵
        PID:2296
      • C:\Windows\system32\cmd.exe
        cmd /c rundll32 playgroundstructure.dll,m
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2060
  • C:\Windows\system32\rundll32.exe
    rundll32 playgroundstructure.dll,m
    1⤵
    • Loads dropped DLL
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\economicknife

        Filesize

        1.1MB

        MD5

        b1eb68af4adfd3c1b2c9bebc96f7476f

        SHA1

        c0b9a3b8b98a07884d6a200c9f1f4789584efffe

        SHA256

        8ef40cddfde7f269cee9d4167f78540c74a5176c11a875d3e139b39d784616d2

        SHA512

        5e9860af3ac660b24a41bbffd3b4b1b6fad213cc22efe7eeb103384e1b237e21f610cec63743f5329a9ad0c4b0452e5bb9eb56ca70a10b7b23240de5f2696bba

      • C:\Users\Admin\AppData\Local\Temp\killwindow.bat

        Filesize

        1.1MB

        MD5

        f0aa642d6a0e4a0021bb5a006da8f659

        SHA1

        6da83194b6e3acb7fa7537b179b96c0a21654983

        SHA256

        7b513b60bf0c42e4dea6b545591088954a1ed63348d085cbeee97c03ef163a42

        SHA512

        bd023360956eec5c06bd322d52d3881072955f6b22b9e99cdaf4f2a3f726d23e8bab0f3ab85d2bfaafbbfa5c696683026dbd50c7a5849e8aee893083662ae41e

      • C:\Users\Admin\AppData\Local\Temp\playgroundstructure.dll

        Filesize

        805KB

        MD5

        6a1f4bd07b38e35b007978bb130742b5

        SHA1

        fa396ca0dcc3738555f07c6ffbcbbd48ab67de92

        SHA256

        cce183b5df0c236e4d89fb64d34c35909b7fc04c54b3447340b2c44dd7030593

        SHA512

        e9dab28fb33f2cec7dec5332236a55554d5ba6e8eaea92cd7e6b0c47dbce8b08c7b45e4c11abd017f4cddd7930ee7214abefeccecba68362157f24710906b657

      • memory/2504-1789-0x00000000002A0000-0x00000000002C3000-memory.dmp

        Filesize

        140KB

      • memory/2504-1788-0x000007FEF70E0000-0x000007FEF71B1000-memory.dmp

        Filesize

        836KB