Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-01-2024 15:43

General

  • Target

    28836_2593959416481.js

  • Size

    1.4MB

  • MD5

    6a6c6d9614e572fedbfb8d2eb108bb42

  • SHA1

    347b37c4eb1c9d6f6d18d7ec13291436b43bab79

  • SHA256

    23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b

  • SHA512

    e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499

  • SSDEEP

    24576:68+ynjkFpqZ5YszaGTWeo2a2QQrcuCUw2eQBJeOsvWthPVtd9qu2X+DlvCu0903s:aN

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\28836_2593959416481.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28836_2593959416481.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\system32\findstr.exe
        findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""
        3⤵
        PID:2196
      • C:\Windows\system32\rundll32.exe
        rundll32 gatewoman.dll,main
        3⤵
        • Loads dropped DLL
        PID:3732
      • C:\Windows\system32\certutil.exe
        certutil -f -decode shakyinconclusive gatewoman.dll
        3⤵
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\gatewoman.dll

    Filesize

    1.0MB

    MD5

    d5f35509799fe456a67d41558f1b0f80

    SHA1

    c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c

    SHA256

    ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e

    SHA512

    a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48

  • C:\Users\Admin\pleasantobject.bat

    Filesize

    1.4MB

    MD5

    6a6c6d9614e572fedbfb8d2eb108bb42

    SHA1

    347b37c4eb1c9d6f6d18d7ec13291436b43bab79

    SHA256

    23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b

    SHA512

    e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499

  • C:\Users\Admin\shakyinconclusive

    Filesize

    1.4MB

    MD5

    6423b4a456dc34d7c6f67740aaa371fa

    SHA1

    d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5

    SHA256

    25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4

    SHA512

    31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181

  • memory/3732-1416-0x000001B5A4A80000-0x000001B5A4AA3000-memory.dmp

    Filesize

    140KB

  • memory/3732-1415-0x00007FF87D500000-0x00007FF87D60E000-memory.dmp

    Filesize

    1.1MB