Analysis

  • max time kernel: 119s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 01-02-2024 13:53

General

  • Target: 18491242336191.js
  • Size: 353KB
  • MD5: 00a488ef84d5c94fcc82506405c1fb20
  • SHA1: 660c34be4fc2cfad57705d5a607bedfdf5597e7d
  • SHA256: 9b24c97d6400214ccfdf2ef5bdc89de58bbe54745b7caa03d0ca0f7861c985e1
  • SHA512: 8f9370c6f35c7baaca1e8390843cceaf9a775f799cd44736072b78532a11df239cc64cde336bb033399d37e2f8e4d7aa7f82e21226b2f6b33fb2246db48e6484
  • SSDEEP: 6144:GNP/Va6wVPV7GUIxX1uUcaDG1xo2p/Ws8LPF5Nevr:GNnVaTVPV7GUa1/cQG1x5p/zeevr

Score
10/10

Malware Config

Signatures

  • Strela
    An info stealer targeting mail credentials, first seen in late 2022.
  • Loads dropped DLL (4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\18491242336191.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\18491242336191.js" "C:\Users\Admin\AppData\Local\Temp\\belllegal.bat" && "C:\Users\Admin\AppData\Local\Temp\\belllegal.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\system32\findstr.exe
        findstr /V carriagerun ""C:\Users\Admin\AppData\Local\Temp\\belllegal.bat""
        3⤵
        PID:2632
      • C:\Windows\system32\certutil.exe
        certutil -f -decode timepolish jealousland.dll
        3⤵
        PID:2212
      • C:\Windows\system32\cmd.exe
        cmd /c rundll32 jealousland.dll,m
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Windows\system32\rundll32.exe
          rundll32 jealousland.dll,m
          4⤵
          • Loads dropped DLL
          PID:3028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\belllegal.bat
    Filesize: 353KB
    MD5: 00a488ef84d5c94fcc82506405c1fb20
    SHA1: 660c34be4fc2cfad57705d5a607bedfdf5597e7d
    SHA256: 9b24c97d6400214ccfdf2ef5bdc89de58bbe54745b7caa03d0ca0f7861c985e1
    SHA512: 8f9370c6f35c7baaca1e8390843cceaf9a775f799cd44736072b78532a11df239cc64cde336bb033399d37e2f8e4d7aa7f82e21226b2f6b33fb2246db48e6484
  • C:\Users\Admin\AppData\Local\Temp\jealousland.dll
    Filesize: 258KB
    MD5: 363e3e964b6d304e8110b1a2eb61fdc5
    SHA1: b449942d73eceafc430a95e8095759a74db6837c
    SHA256: 2bf87306136fb02e8ed7770bcee23d77dad2ab45fbe70d24f226afc1e236e01f
    SHA512: 4fed29c1e7bc7f604515b6439e77475ea4f85771ba0d28397f40a3a9866aa881b0c6b9bc524115fa6f213ddd650ff886b43fa620aa4f1269314d6dd20670b505
  • C:\Users\Admin\AppData\Local\Temp\timepolish
    Filesize: 346KB
    MD5: 5b1835d9b309c246b6e269a3143653c3
    SHA1: 0a872a6f63eb8e100979821bade186f5d73d6dbe
    SHA256: f0b862a5c62cc552e14a345efbf0816e37078f312bd46c3663a4be9fd911a893
    SHA512: 78228fc71a8152f1c3ee157db379033211eb63857a0520755505f2b1f0f5c0ab952ff536d96b85b1ef2f6c7ecc56d742f19888c2039212fb947890a1bbdc8360
  • memory/3028-462-0x0000000000100000-0x0000000000123000-memory.dmp
    Filesize: 140KB
  • memory/3028-461-0x000007FEF7F20000-0x000007FEF7F68000-memory.dmp
    Filesize: 288KB