Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-02-2024 14:52

General

  • Target

    24946_15193478413494.js

  • Size

    1.9MB

  • MD5

    c587f03e38a7ca5ac023ef8745264eb4

  • SHA1

    a01598d9c8812f2609f0a868c8e44a81ad3c0685

  • SHA256

    1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a

  • SHA512

    e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

  • SSDEEP

    24576:z7wlkCvWJPN4RQjEdsFCOlJ+IbY68A7ckHsgPp2K9mkkCJzIrytG7sjxsSzMYOnY:ojTUwehMs

Score
10/10

Malware Config

Signatures

  • Strela

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\system32\findstr.exe
        findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""
        3⤵
        PID:3028
      • C:\Windows\system32\certutil.exe
        certutil -f -decode insidiouswall ladybugwork.dll
        3⤵
        PID:2624
      • C:\Windows\system32\rundll32.exe
        rundll32 ladybugwork.dll,main
        3⤵
        • Loads dropped DLL
        PID:2832

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\insidiouswall

        Filesize

        302KB

        MD5

        20d4ef96f2f9caa7370ff1ad48c45fec

        SHA1

        3e0050926e1053b98ec31f4cbf605fc4a4f6f649

        SHA256

        c156b77e4b3ab8420ed28b9ef833a9f5347599b8105f437cf528eb8a5b94cc61

        SHA512

        61926516dbb1074fc3d4440113c90d4648cd68df51b8b78cce512aca10824638c3df7aa3fde3dd03e17a4327043ee65feba2c94829e1a4ab9248a4b0f8986ea5

      • C:\Users\Admin\ladybugwork.dll

        Filesize

        153KB

        MD5

        890552c641f835a3c95cff37c723dd03

        SHA1

        091e988bc7a0964f0f4f5713963a2c10dd55eb69

        SHA256

        74dba4602420500949cc29d49b1a3a4c2eda117a57e8b381e160ea776e0a7aca

        SHA512

        ae91a294130995e928e4a70be92cb805d37c6f7cf8cd243c559d76592d3c10d43be9175a42274a0cfd22ae9fe0da7f37a6402e19ca2e68475a0ba2fe658843fd

      • C:\Users\Admin\vaguetongue.bat

        Filesize

        1.3MB

        MD5

        23bec89b6b4e73b890e6373139e1b510

        SHA1

        d84d91af2f42c977b61a6ee5a5ff5c825abbb5fa

        SHA256

        0b172321d9251d2348df4291672ee7307e7c97100072bd9e765cce99bb13127c

        SHA512

        31e54378d606ecbc46b6f7caba9c7bb6b2914180a2e254bc88e5aa2587b815ec3a372eb779072f79c8a2174240512272eabf60a7abf3ba11c9e8445bb25c5dda

      • C:\Users\Admin\vaguetongue.bat

        Filesize

        1.9MB

        MD5

        c587f03e38a7ca5ac023ef8745264eb4

        SHA1

        a01598d9c8812f2609f0a868c8e44a81ad3c0685

        SHA256

        1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a

        SHA512

        e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

      • \Users\Admin\ladybugwork.dll

        Filesize

        164KB

        MD5

        38a8e89fa048a9e16da38ed856b0de7a

        SHA1

        1d10e416ad37270b52a9fea220b14b83a478b510

        SHA256

        1fd09bae3d70c44ae72babbe071c0ef0b1553bb807b20e8b625802e5a7e9bad1

        SHA512

        ba7da3fa6f804e1f743aadf199d838136acf3458ba774b7590f04925b2c0b3161dc7693db0e1ffba25f8486da27897c8414d48b0a8747c393eb7c3811acfe711

      • \Users\Admin\ladybugwork.dll

        Filesize

        131KB

        MD5

        9a1a23f5933c216e489a7f70aaf59b3d

        SHA1

        850542e45108caed0785f3b97e98ec12c176c685

        SHA256

        20175eaff3959a9e83350e9086cf9d892344b52ec88606c5be74103be1eef793

        SHA512

        94154a9019f912062fe541cee7ac3847ef0c3da3db9dd58bc52f2ca443e78e9d2058da1c87b1e03e996862423f4025053ac2d46bbfdc90b16e7f6dc0ae24974b

      • \Users\Admin\ladybugwork.dll

        Filesize

        137KB

        MD5

        325026c11fbe6981a88e05ef236fbb60

        SHA1

        8ec4f01340d6810b0f2b58f0854892f0a14db606

        SHA256

        17b6adf1b6e29a589bff2bed3b4288cf3edcda6f84a131377c8c64e942323c53

        SHA512

        72be7001376f9c47a70b7f32bb7cbce08f94296f296a715968e15683a2a13108980f074afab0bd9b7e245da3ba604a89cb3a0160349b433b2d9ac857e0d0552f

      • \Users\Admin\ladybugwork.dll

        Filesize

        105KB

        MD5

        2576ea62768fb301fe7db961e005ee21

        SHA1

        e985dd24f96fa26b803dbc573465820007bfe304

        SHA256

        ca2f8f9266aefefad9b32479aca3acf74a814b4670daf6ffe8e6c305fdd1f203

        SHA512

        574ec796787e8eb5466c542cfa886115ebf24a802feefbb38e1eea49a07acd49b87fd202862bc139472a1fe35089475a00541d9c083c029d3eb0459537773bb9

      • memory/2832-2009-0x0000000000110000-0x0000000000133000-memory.dmp

        Filesize

        140KB

      • memory/2832-2008-0x000007FEF5A30000-0x000007FEF5BA2000-memory.dmp

        Filesize

        1.4MB

      • memory/2832-2010-0x0000000000110000-0x0000000000133000-memory.dmp

        Filesize

        140KB