Analysis

  • max time kernel
    1164s
  • max time network
    1169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2024 13:57

General

  • Target

    samples.zip

  • Size

    638KB

  • MD5

    f9b1b162ec801ce4315ae13425a3de89

  • SHA1

    c9bde0245dcbc93d3336357c123dca6da855ebe1

  • SHA256

    bcb6561a9a8fbaaad702961e156a80c77d3e7f317178bf3f4ab04086bcd526ab

  • SHA512

    aa1e1f01e32bb12167847bf01fbc467565e9b307598d3d46773b6c892bfe0f2cc9dc2419cb1421e7679a4d0a26f3985bcb4bfeaff33ac1cd178e6515ad463277

  • SSDEEP

    12288:UHB425PMKYduuooYk2DYv7yK97DyzT8uF+1XIwMq0AwJiDX/J0JVwtMR4n54X6:UHBN53ruo62ETy67DyzT891XQAairsVy

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs

    Heuristic match only: the file opened in Notepad.exe here is the submitted .js sample itself (see the process tree), not a note dropped by the malware.
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\samples.zip
    1⤵
    PID:1208
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4228
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\samples\" -spe -an -ai#7zMap4734:94:7zEvent10073
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1680
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\system32\findstr.exe
        findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""
        3⤵
        PID:1400
      • C:\Windows\system32\certutil.exe
        certutil -f -decode licenseanxious alivebooks.dll
        3⤵
        PID:4948
      • C:\Windows\system32\rundll32.exe
        rundll32 alivebooks.dll,main
        3⤵
        • Loads dropped DLL
        PID:1784
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\system32\findstr.exe
        findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""
        3⤵
        PID:396
      • C:\Windows\system32\certutil.exe
        certutil -f -decode licenseanxious alivebooks.dll
        3⤵
        PID:468
      • C:\Windows\system32\rundll32.exe
        rundll32 alivebooks.dll,main
        3⤵
        • Loads dropped DLL
        PID:3660
  • C:\Windows\System32\Notepad.exe
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1328
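The process tree shows a two-stage unpacking chain that can be reproduced statically, without running the sample: the .js is copied to a .bat, `findstr /V hammerachiever` drops every line containing the marker word (leaving only the base64 body), `certutil -f -decode` turns that body into alivebooks.dll, and rundll32 loads it. Note that the `> licenseanxious` redirect is performed by cmd.exe and therefore never appears in findstr's command line; the file's presence in the Downloads list is the only trace of it. The following Python is an added example (not the report's or the malware's code) that emulates the two stages so an analyst can recover the DLL from the polyglot on a Linux box. The marker word and file names come from the report's command lines; the batch text, the `%~f0` self-reference and the redirect are constructed assumptions for illustration.

```python
"""Static emulation of: findstr /V <marker> sample.bat > blob ; certutil -f -decode blob payload.dll
Added example, not part of the sandbox report or the sample.
The sample batch text built below is CONSTRUCTED for illustration."""
import base64
import hashlib
import re
from typing import Optional

# Marker word taken from the report's findstr command line.
MARKER = "hammerachiever"

# certutil -decode tolerates PEM-style header/footer lines; drop them if present.
PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")
B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")


def findstr_v(text: str, marker: str) -> list[str]:
    """Emulate `findstr /V marker file`: keep only lines that do NOT contain marker.
    findstr is case-sensitive by default and matches substrings."""
    return [ln for ln in text.splitlines() if marker not in ln]


def certutil_decode(lines: list[str]) -> Optional[bytes]:
    """Approximate `certutil -f -decode in out`: strip PEM lines, require the
    remainder to be base64, return the decoded bytes (None if it is not)."""
    body = [ln.strip() for ln in lines if ln.strip() and not PEM_LINE.match(ln.strip())]
    if not body or not all(B64_LINE.match(ln) for ln in body):
        return None
    try:
        return base64.b64decode("".join(body), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def unpack(batch_text: str, marker: str = MARKER) -> dict:
    """Run both stages and return what an analyst wants first: size, PE check, hash."""
    payload = certutil_decode(findstr_v(batch_text, marker))
    if payload is None:
        return {"ok": False}
    return {
        "ok": True,
        "size": len(payload),
        "is_pe": payload[:2] == b"MZ",  # quick sanity check before deeper triage
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def build_constructed_sample(payload: bytes, marker: str = MARKER) -> str:
    """CONSTRUCTED stand-in for the .js/.bat polyglot: every script line carries the
    marker word so findstr /V removes it; the base64 payload lines do not.
    The %~f0 self-reference and redirect are assumptions, not from the report."""
    b64 = base64.b64encode(payload).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    script = [
        f"@echo off & rem {marker}",
        f'findstr /V {marker} "%~f0" > licenseanxious & rem {marker}',
        f"certutil -f -decode licenseanxious alivebooks.dll & rem {marker}",
        f"rundll32 alivebooks.dll,main & rem {marker}",
    ]
    return "\n".join(script + chunks) + "\n"


# Constructed fake payload: an MZ header followed by filler, 1026 bytes in total.
CONSTRUCTED_PAYLOAD = b"MZ" + bytes(range(256)) * 4
CONSTRUCTED_BATCH = build_constructed_sample(CONSTRUCTED_PAYLOAD)

if __name__ == "__main__":
    print(unpack(CONSTRUCTED_BATCH))
```

Run `unpack()` on the real trainreproduce.bat (with the marker from the findstr command line) to obtain the DLL without executing anything; compare the resulting SHA256 against the alivebooks.dll hash in the Downloads list to confirm the emulation matched what certutil produced in the sandbox. A wrong marker leaves script lines in the body, base64 validation fails, and the function reports `ok: False` rather than returning garbage.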

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js
    Filesize 1.8MB
    MD5 97ef45c0303878a80b44a236e27fd30b
    SHA1 14cdc83dae55ad1e6d9d5f01c7bd431db1b1654f
    SHA256 3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3
    SHA512 1f8bee9f9922b89eef565465fba7a70d45babed06a59c9e72730672bfe2f3c6e542ecb43336121e00a2bcf5b345547b61615d1c6a7b6f6753b153f914bac96ee

  • C:\Users\Admin\alivebooks.dll
    Filesize 1.3MB
    MD5 50e82a0939f2e5e07db2883b6d8f0f57
    SHA1 f9455b140bd8577d852927905ab3b432b0047b02
    SHA256 0cc102da3a0f71e77164ac351b19796dad1affa0a3283753f46708ee921d762c
    SHA512 2d96ce17ae184b67695f5cf017eb4af8c8e05d60df9d5a6b98f502b835bae2cfea40d393967fa6d6cd17842b2a100e629433ce79d930408e64aef0bc9d2350b7

  • C:\Users\Admin\licenseanxious
    Filesize 1.8MB
    MD5 cccbee3669234b546da8c922dae5515b
    SHA1 6545a901c5b40a29967ed0c30e308a413485bbf9
    SHA256 2ddcf13b108c3cda14cff5ff089539281bc95b6072a16aed5e5432d46daaa5ce
    SHA512 6107ed80789bade3e624b742f76d5f409c7dc4005ad8d2caf192bd8b2b58adf84d0e1a61ea7559088baad3bfc2b130fe208a2162b49e0f297775db594b7b857c

  • C:\Users\Admin\trainreproduce.bat
    Filesize 991KB
    MD5 8de56a50f6ad2682277860101b8996c7
    SHA1 f53772aaac0baa71fed3c5953a788c7b59aeb9f1
    SHA256 4941db609c0650bdffa6fcea7af4844c3e7886b0f03d376715f87b10766a1bb4
    SHA512 e3e7487d25faf6d6a0e870928aecdff59617de8f7843f44770d8149abefd5d462ba992e7eeeede6a957f5058aef70770dfe3e394b9a390fc4087f2cc237b74c7

  • memory/1784-1846-0x00007FFBBAC50000-0x00007FFBBADA9000-memory.dmp
    Filesize 1.3MB

  • memory/1784-1847-0x0000019C78A20000-0x0000019C78A43000-memory.dmp
    Filesize 140KB

  • memory/3660-1854-0x00007FFBBAC50000-0x00007FFBBADA9000-memory.dmp
    Filesize 1.3MB

  • memory/3660-1855-0x0000014D2DBD0000-0x0000014D2DBF3000-memory.dmp
    Filesize 140KB

  • memory/3660-1856-0x0000014D2DBD0000-0x0000014D2DBF3000-memory.dmp
    Filesize 140KB