Analysis

  • max time kernel
    129s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-02-2024 13:44

General

  • Target

    24946_15193478413494.js

  • Size

    1.9MB

  • MD5

    c587f03e38a7ca5ac023ef8745264eb4

  • SHA1

    a01598d9c8812f2609f0a868c8e44a81ad3c0685

  • SHA256

    1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a

  • SHA512

    e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

  • SSDEEP

    24576:z7wlkCvWJPN4RQjEdsFCOlJ+IbY68A7ckHsgPp2K9mkkCJzIrytG7sjxsSzMYOnY:ojTUwehMs

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Windows\system32\findstr.exe
        findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
        3⤵
          PID:1624
        • C:\Windows\system32\certutil.exe
          certutil -f -decode insidiouswall ladybugwork.dll
          3⤵
            PID:4456
          • C:\Windows\system32\rundll32.exe
            rundll32 ladybugwork.dll,main
            3⤵
            • Loads dropped DLL
            PID:4180

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\insidiouswall

    Filesize: 1.9MB
    MD5: faef51ea997d7cd9d5e06163ac7e688d
    SHA1: 4d363cd37ae00a68c360a4007cafc7a9b1b39916
    SHA256: 75e258a9a0b150d98276059a3083c32fb76ab8b6ccd8867a711d2efff1dad569
    SHA512: 1ee6d5e2bd041cd40dd51dabb923c1038caea987c335ed0096a44bfa352a2df11d305ec65c725a0776068ccd4df1ad88d197253d0902f2a69a28d58c0444b0f7

  • C:\Users\Admin\ladybugwork.dll

    Filesize: 1.4MB
    MD5: 37da6d71a857781e6af959bf651b886c
    SHA1: 4947e02ade3269501720410aa0710f6bae388cca
    SHA256: 59574b349e6554efb11b0ce11711cf0bf399311319f7a8ab17d23011f2715f72
    SHA512: 783ae2f77abc6056aca179594ea5165977201378a18a4e871af1415ca9edc9174415130a7aff208785852ec21a5f12caea75910fd3d9f4463a9eac3ffb9ed8f6

  • C:\Users\Admin\vaguetongue.bat

    Filesize: 1.9MB
    MD5: c587f03e38a7ca5ac023ef8745264eb4
    SHA1: a01598d9c8812f2609f0a868c8e44a81ad3c0685
    SHA256: 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
    SHA512: e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

  • memory/4180-2006-0x0000020BCCCB0000-0x0000020BCCCD3000-memory.dmp

    Filesize: 140KB

  • memory/4180-2007-0x00007FFAD91B0000-0x00007FFAD9322000-memory.dmp

    Filesize: 1.4MB

  • memory/4180-2008-0x0000020BCCCB0000-0x0000020BCCCD3000-memory.dmp

    Filesize: 140KB